From 52a2ae8c230cf85767eb99e2d7479bcf2e5647b1 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 20 Jul 2024 13:13:27 +0100
Subject: [PATCH] feat(profile): general update. see #422
---
apparmor.d/abstractions/app-open | 3 +++
apparmor.d/abstractions/app/firefox | 9 ++++++---
apparmor.d/groups/browsers/firefox-crashreporter | 2 ++
apparmor.d/groups/bus/dbus-session | 2 ++
apparmor.d/groups/freedesktop/plymouthd | 1 +
apparmor.d/groups/gnome/gnome-extension-gsconnect | 12 ++----------
apparmor.d/groups/gnome/gnome-keyring-daemon | 1 +
apparmor.d/groups/gnome/gnome-software | 1 +
apparmor.d/groups/gnome/gnome-tweaks | 4 ++++
apparmor.d/groups/gpg/gpg | 2 ++
apparmor.d/groups/ssh/ssh | 5 ++---
apparmor.d/profiles-a-f/agetty | 2 +-
apparmor.d/profiles-a-f/file-roller | 1 +
apparmor.d/profiles-a-f/firewalld | 4 +---
apparmor.d/profiles-m-r/pcscd | 3 ++-
apparmor.d/profiles-m-r/power-profiles-daemon | 1 +
apparmor.d/profiles-s-z/smartd | 6 ++----
apparmor.d/profiles-s-z/su | 2 ++
apparmor.d/profiles-s-z/w3m | 15 ++++++++++++---
19 files changed, 48 insertions(+), 28 deletions(-)
diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
index 942e0a55..8c4efc35 100644
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@@ -50,6 +50,9 @@
@{bin}/vlc rPUx,
@{bin}/xbrlapi rPx,
+ #aa:only opensuse
+ @{lib}/YaST2/** rPUx,
+
include if exists
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index bf86f419..9de4359e 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -100,6 +100,12 @@
owner @{tmp}/tmpaddon r,
owner @{tmp}/tmpaddon-@{int} r,
+ owner /dev/shm/org.chromium.@{rand6} rw,
+ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
+ owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
+
+ owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
+
@{run}/mount/utab r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
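Review bot: `@{lib}/YaST2/** rPUx,` makes every executable under the YaST2 tree an unconfined exit from each profile that includes app-open whenever no dedicated profile exists, and the recursive glob covers helper scripts and modules as well as the user-facing launcher. The `#aa:only opensuse` tag only limits which builds carry the rule, not its effect on openSUSE. If desktop apps only ever open the YaST launcher, narrow the path to it; otherwise record the reason, e.g. `# openSUSE only: YaST has no profile yet, falls back to unconfined (PUx)` above the rule.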
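Review bot: `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,` is undocumented, and because this abstraction is shared by several browser profiles a reader cannot tell that it is the KeePassXC-Browser native-messaging socket or why `w` alone suffices (connecting to a path-based unix socket is mediated as a write). Suggest `# KeePassXC-Browser native messaging socket (connect only)` above it. Tightening `org.chromium.*` to `org.chromium.@{rand6}` is a good narrowing and needs nothing further.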
@@ -144,9 +150,6 @@
/dev/hidraw@{int} rw,
/dev/tty rw,
/dev/video@{int} rw,
- owner /dev/shm/org.chromium.* rw,
- owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
- owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner /dev/tty@{int} rw,
# File Inherit
# Silencer
diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter
index 8d62a6fb..5223486d 100644
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@@ -54,6 +54,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r,
+ owner @{PROC}/@{pid}/cmdline r,
+
/dev/dri/card@{int} rw,
/dev/dri/renderD128 rw,
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index d3da171f..e5e38279 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -54,6 +54,8 @@ profile dbus-session flags=(attach_disconnected) {
owner @{HOME}/.var/app/*/**/.ref rw,
owner @{HOME}/.var/app/*/**/logs/* rw,
+ owner @{user_share_dirs}/dbus-1/services/{,**} r,
+
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 16e87a50..815375f2 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -42,6 +42,7 @@ profile plymouthd @{exec_path} {
/etc/vconsole.conf r,
/var/lib/plymouth/{,**} rw,
+ /var/log/plymouth-*.log w,
@{run}/plymouth/{,**} rw,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index 10db5f66..3083c73f 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
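Review bot: `owner @{PROC}/@{pid}/cmdline r,` reads the command line of any process of the same user, since `@{pid}` is a numeric pattern rather than the caller's own pid; that includes the crashed browser's arguments, which is presumably the point, but nothing in the hunk says so. Suggest `# cmdline of the crashed browser process` above the rule so the wide match reads as intended rather than accidental. The enclosing profile block begins before this hunk.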
@@ -17,9 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} {
include
include
include
- include
- include
- include
+ include
include
include
include
@@ -32,10 +30,10 @@ profile gnome-extension-gsconnect @{exec_path} {
@{exec_path} mr,
+ @{sh_path} rix,
@{bin}/env rix,
@{bin}/gjs-console rix,
@{bin}/openssl rix,
- @{sh_path} rix,
@{bin}/ssh-add rix,
@{bin}/ssh-keygen rPx,
@@ -49,18 +47,12 @@ profile gnome-extension-gsconnect @{exec_path} {
@{share_dirs}/{,**} r,
@{share_dirs}/gsconnect-preferences rix,
- /etc/machine-id r,
- owner @{user_cache_dirs}/gsconnect/{,**} rw,
- owner @{user_config_dirs}/ r,
- owner @{user_config_dirs}/gsconnect/{,**} rw,
owner @{user_config_dirs}/mimeapps.list w,
owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
- owner @{user_share_dirs}/ r,
- owner @{run}/user/@{uid}/gsconnect/ w,
@{sys}/devices/virtual/dmi/id/chassis_type r,
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index 722a69fe..5d945b64 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -38,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
@{bin}/ssh-add rix,
@{bin}/ssh-agent rPx,
+ @{lib}/gcr-ssh-askpass rPUx,
/etc/gcrypt/hwf.deny r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index ddb95f1b..b1a0bd8a 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -78,6 +78,7 @@ profile gnome-software @{exec_path} {
owner @{user_cache_dirs}/flatpak/{,**} rwl,
owner @{user_cache_dirs}/gnome-software/{,**} rw,
+ owner @{user_config_dirs}/flatpak/{,**} r,
owner @{user_config_dirs}/pulse/*.conf r,
owner @{user_share_dirs}/ r,
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index a04234cc..84f37da7 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
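Review bot: `@{lib}/gcr-ssh-askpass rPUx,` launches the SSH passphrase prompt from the daemon that holds the user's secrets, and with `PUx` it runs fully unconfined whenever no `gcr-ssh-askpass` profile is loaded. A prompt reached from the keyring's ssh-agent path is exactly the component that should stay confined; the neighbouring `@{bin}/ssh-agent rPx,` shows the stricter form is already used here. If the project has no profile for the helper yet, a small dedicated one with `rPx` is the better target, and until then a comment should record the fallback: `# TODO: confine; runs unconfined while no gcr-ssh-askpass profile exists`.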
@@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} {
include
include
include
+ include
include
include
@@ -38,6 +39,9 @@ profile gnome-tweaks @{exec_path} {
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
owner @{user_share_dirs}/recently-used.xbel* rw,
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+
owner @{PROC}/@{pid}/fd/ r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 9d23622d..b549f147 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -65,6 +65,8 @@ profile gpg @{exec_path} {
owner /tmp/@{int}@{int} rw,
+ owner @{run}/user/@{uid}/gnupg/d.*/ rw,
+
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index d4c948f8..1dac2be0 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -27,12 +27,11 @@ profile ssh @{exec_path} {
@{bin}/{c,k,tc,z}sh rix,
@{etc_ro}/ssh/ssh_config r,
+ @{etc_ro}/ssh/ssh_config.d/{,*} r,
@{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/machine-id r,
- /etc/ssh/ssh_config r,
- /etc/ssh/ssh_config.d/{,*} r,
-
+
owner @{HOME}/@{XDG_SSH_DIR}/ r,
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
owner @{HOME}/@{XDG_SSH_DIR}/config r,
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index ec711895..3db81700 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -30,7 +30,7 @@ profile agetty @{exec_path} {
/{etc,run,lib,usr/lib}/issue.d/{,*} r,
/etc/inittab r,
/etc/login.defs r,
- /etc/login.defs.d/ r,
+ /etc/login.defs.d/{,*} r,
/etc/os-release r,
/usr/etc/login.defs r,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 4e432e2f..e82f0d37 100644
--- a/apparmor.d/profiles-a-f/file-roller
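Review bot: `owner @{run}/user/@{uid}/gnupg/d.*/ rw,` grants only the per-homedir socket directory entry itself (the trailing `/`), not the agent sockets that live inside it. Unless a broader rule outside this hunk already covers `@{run}/user/@{uid}/gnupg/**`, gpg will still be denied on `d.*/S.gpg-agent` and its siblings, so the companion rule `owner @{run}/user/@{uid}/gnupg/d.*/S.* rw,` is presumably needed as well. A comment naming the purpose would also help the next reader: `# per-homedir socket dir used when GNUPGHOME is not the default`.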
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -25,6 +25,7 @@ profile file-roller @{exec_path} {
# Archivers
@{bin}/7z rix,
+ @{bin}/7zz rix,
@{bin}/ar rix,
@{bin}/bzip2 rix,
@{bin}/cpio rix,
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld
index ea083ed9..d32790f0 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
@@ -61,9 +61,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
@{run}/xtables.lock rwk,
@{sys}/module/compression r,
- @{sys}/module/crc32c_*/initstate r,
- @{sys}/module/libcrc32c/initstate r,
- @{sys}/module/nf_*/initstate r,
+ @{sys}/module/*/initstate r,
@{PROC}/sys/kernel/modprobe r,
@{PROC}/sys/net/ipv{4,6}/ip_forward rw,
diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd
index 9a25cd7d..200319c6 100644
--- a/apparmor.d/profiles-m-r/pcscd
+++ b/apparmor.d/profiles-m-r/pcscd
@@ -16,12 +16,13 @@ profile pcscd @{exec_path} {
network netlink raw,
- ptrace (read) peer=veracrypt,
ptrace (read) peer=@{p_systemd_user},
ptrace (read) peer=gsd-smartcard,
+ ptrace (read) peer=keepassxc,
ptrace (read) peer=pkcs11-register,
ptrace (read) peer=rngd,
ptrace (read) peer=scdaemon,
+ ptrace (read) peer=veracrypt,
@{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 06796825..8f85f3c0 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -28,6 +28,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
/var/lib/power-profiles-daemon/{,**} rw,
@{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+power_supply:* r,
@{sys}/bus/ r,
@{sys}/bus/platform/devices/ r,
diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd
index 4548813b..bdac4d92 100644
--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
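Review bot: `@{bin}/7zz rix,` runs the 7-Zip extractor inherited under file-roller's profile, so a parser bug in 7zz triggered by a crafted archive yields everything file-roller itself may do rather than an extractor-only sandbox. This is consistent with the neighbouring `7z`, `ar` and `bzip2` entries, so no change is required by this hunk, but the trade-off is worth stating once above the list: `# archive tools run inherited (rix): a bug in any of them has the whole file-roller profile`. If extractors are later moved to a child profile, 7zz should go with them.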
@@ -14,11 +14,9 @@ profile smartd @{exec_path} {
include
include
- capability sys_rawio,
+ capability net_admin,
capability sys_admin,
-
- # Needed?
- audit capability net_admin,
+ capability sys_rawio,
@{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 429c4893..237d5ed0 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -26,6 +26,8 @@ profile su @{exec_path} {
@{bin}/@{shells} rUx,
@{bin}/nologin rPx,
+ @{etc_ro}/default/su r,
+
include if exists
}
diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m
index 5b919ecc..b4601147 100644
--- a/apparmor.d/profiles-s-z/w3m
+++ b/apparmor.d/profiles-s-z/w3m
@@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
# Copyright (C) 2024 valoq
# SPDX-License-Identifier: GPL-2.0-only
@@ -9,6 +10,7 @@ include
@{exec_path} = @{bin}/w3m
profile w3m @{exec_path} {
include
+ include
include
include
include
@@ -21,13 +23,20 @@ profile w3m @{exec_path} {
@{exec_path} mr,
+ @{sh_path} rix,
+ @{lib}/w3m/cgi-bin/* rix,
+ @{lib}/w3m/* rix,
+ /usr/share/terminfo/{,**} r,
+ /etc/mime.types r,
/etc/w3m/{,**} r,
- owner @{HOME}/.w3m/{,**} r,
- owner @{user_config_dirs}/w3m/{,**} r,
- owner /tmp/@{rand6}/{,**} rw,
+ owner @{HOME}/.w3m/{,**} rw,
+
+ owner @{user_config_dirs}/w3m/{,**} rw,
+
+ owner @{tmp}/@{rand6}/{,**} rw,
include if exists
}
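Review bot: `capability net_admin,` replaces `audit capability net_admin,` under a `# Needed?` question, but the hunk records no answer: the old rule already granted the capability and merely logged each use, so this change only removes that visibility while leaving the grant unexplained. If the audit logs showed smartd actually exercising it, keep the rule but say so: `capability net_admin, # observed: <operation that needed it>`; if nothing was ever logged, the capability could be dropped rather than silently promoted. Alphabetising the capability block is fine.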
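Review bot: `@{sh_path} rix,` and `@{lib}/w3m/cgi-bin/* rix,` put a shell and w3m's local-CGI scripts inside the profile of a program that renders untrusted web content, and `ix` gives them every right w3m has, including the widened `rw` on `@{HOME}/.w3m/{,**}` and `@{user_config_dirs}/w3m/{,**}`, where files such as `config`, `keymap` and `mailcap` define which external commands w3m runs. A compromised w3m can therefore rewrite its own configuration and launch arbitrary commands through the now-permitted shell without leaving the profile; write access to `config` is presumably needed for saving options, so the fix is scoping, not removal. Suggest recording which feature needs the shell, e.g. `# sh: external viewers/editors via mailcap; local CGI under @{lib}/w3m/cgi-bin`, and considering a child profile for the shell and cgi-bin helpers instead of `ix`. The profile's `include` lines and header are in the earlier hunk, outside this one.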