diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd
index b41e0a52..8cf65c3d 100644
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/libalpm/scripts/systemd-hook
 profile pacman-hook-systemd @{exec_path} {
   include
+  include
   capability dac_read_search,
diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp
index 744f02fc..19cd3c9c 100644
--- a/apparmor.d/groups/virt/cockpit-pcp
+++ b/apparmor.d/groups/virt/cockpit-pcp
@@ -12,6 +12,8 @@ profile cockpit-pcp @{exec_path} {
   include
   include
+  network inet dgram,
+  network inet stream,
   network inet6 dgram,
   network inet6 stream,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 048a0af7..a3ff1c0f 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -29,11 +29,6 @@ profile appstreamcli @{exec_path} flags=(complain) { /etc/appstream.conf r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/appstream-cache-*.mdb rw, - owner @{user_cache_dirs}/appstream/ rw, - owner @{user_cache_dirs}/appstream/appcache-*.mdb rw, - /var/lib/app-info/ w, /var/lib/app-info/yaml/ r, /var/lib/app-info/yaml/*.yml.gz w,
@@ -47,20 +42,25 @@ profile appstreamcli @{exec_path} flags=(complain) {
   /var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
   /var/cache/swcatalog/cache/{,**} rw,
+  /var/log/cron-apt/temp w,
   owner /var/cache/app-info/{,**} rw,
   owner /var/cache/swcatalog/{,**} rw,
+
+  owner @{user_cache_dirs}/ rw,
+  owner @{user_cache_dirs}/appstream-cache-*.mdb rw,
+  owner @{user_cache_dirs}/appstream/ rw,
+  owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
+  owner @{user_share_dirs}/mime/mime.cache r,
+  owner /tmp/appstream-cache-*.mdb rw,
   owner /tmp/appstream/ rw,
   owner /tmp/appstream/appcache-*.mdb rw,
-  /var/log/cron-apt/temp w,
-  owner @{PROC}/@{pid}/fd/ r,
-  # freedesktop.org-strict
-  /usr/share/applications/{,*.desktop} r,
-  /usr/share/mime/mime.cache r,
-  owner @{user_share_dirs}/mime/mime.cache r,
+  # File Inherit
+  deny network inet stream,
+  deny network inet6 stream,
   profile curl {
     include
diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/profiles-a-f/df
index acbf0866..a1b94b08 100644
--- a/apparmor.d/profiles-a-f/df
+++ b/apparmor.d/profiles-a-f/df
@@ -15,13 +15,13 @@ profile df @{exec_path} {
   @{exec_path} mr,
-  owner @{PROC}/@{pid}/mountinfo r,
-  /usr/share/icons/*/index.theme r,
   # For dir stats
   / r,
   /**/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt
index 0cd743ae..bd0e934c 100644
--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@@ -22,6 +22,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
   @{PROC}/@{pids}/mountinfo r,
+  # File Inherit
   deny /apparmor/.null rw,
   include if exists
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld
index c58b4d56..f5d68644 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
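Review bot: `owner /tmp/appstream-cache-*.mdb rw,` is a new grant on a predictably named file in the shared /tmp, next to the existing `/tmp/appstream/` rules, and nothing says why a flat cache file is needed there when `@{user_cache_dirs}/appstream-cache-*.mdb` is allowed a few lines up; `owner` limits it to the user's own files, but a comment naming the appstream code path that writes this location would let the rule be retired later, e.g. `# Flat cache file written when the user cache dir is unavailable` if that is the reason. `owner @{user_share_dirs}/mime/mime.cache r,` now sits in the middle of the `@{user_cache_dirs}` group; giving it its own line group keeps the path-sorted layout the rest of the file follows. The `# File Inherit` comment above the two `deny network` rules would help a later reader more if it said the denial is deliberate (sockets inherited from the caller, not needed by appstreamcli), presumably the same purpose as the identical comment this commit adds to findmnt. The appstreamcli profile and its curl subprofile continue outside the hunk.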
@@ -10,9 +10,12 @@ include
 profile firewalld @{exec_path} {
   include
   include
+  include
+  capability mknod,
   capability net_admin,
   capability net_raw,
+  capability setpcap,
   network inet raw,
   network inet6 raw,
@@ -24,12 +27,14 @@ profile firewalld @{exec_path} {
   /{usr/,}{s,}bin/kmod rPx,
   /{usr/,}{s,}bin/xtables-legacy-multi rix,
   /{usr/,}{s,}bin/xtables-nft-multi rix,
+  /{usr/,}bin/false rix,
   /{usr/,}bin/alts rix,
   /usr/share/libalternatives/ r,
   /usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
   /etc/firewalld/{,**} r,
+  /etc/firewalld/zones/{,**} rw,
   /etc/iproute2/group r,
   /etc/iproute2/rt_realms r,
@@ -41,6 +46,7 @@ profile firewalld @{exec_path} {
   @{PROC}/sys/kernel/modprobe r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pids}/net/ip_tables_names r,
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci
index 6bcceaca..d4a3d70d 100644
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
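Review bot: `owner @{PROC}/@{pids}/net/ip_tables_names r,` in the last firewalld hunk mixes `owner` with the any-pid `@{pids}` variable while the two lines above it use `@{pid}` for the daemon's own entries; /proc/PID/net shows the network namespace of that PID, so for the daemon's own namespace `owner @{PROC}/@{pid}/net/ip_tables_names r,` is the narrower and consistent form. `capability mknod,` and `capability setpcap,` in the first hunk are significant additions to a privileged daemon and arrive without a comment; a one-liner next to each naming the operation that was denied (e.g. `# setpcap: needed to drop capabilities at startup` if that is the trigger) keeps the grant reviewable. `/{usr/,}bin/false rix,` is likewise unexplained; if it is only a no-op helper that firewalld spawns, a comment saying so avoids it being mistaken for a leftover. The file still ends without a trailing newline (`\ No newline at end of file`), as does pwck in this commit; both are worth fixing while the files are being touched.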
@@ -12,31 +13,30 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   include
   include
-  # Needed when run as root
   capability sys_admin,
   @{exec_path} mr,
+  /app/lib/libzypak-preload-host*.so rm,
+
+  /usr/share/hwdata/pci.ids r,
+  /usr/share/misc/pci.ids r,
+  /usr/share/misc/pci.ids.gz r,
+
+  /etc/modprobe.d/{,*.conf} r,
+  /etc/udev/hwdb.bin r,
+
+  owner @{HOME}/.pciids-cache.tmp-*-@{pid} rw,
+  owner @{HOME}/.pciids-cache rw,
+
   @{sys}/bus/pci/devices/ r,
   @{sys}/bus/pci/slots/ r,
   @{sys}/bus/pci/slots/[0-9]*/address r,
   @{sys}/devices/pci[0-9]*/** r,
-  /usr/share/hwdata/pci.ids r,
-  /usr/share/misc/pci.ids r,
-  /usr/share/misc/pci.ids.gz r,
-
-  /etc/udev/hwdb.bin r,
-
-  /etc/modprobe.d/{,*.conf} r,
-
-  owner @{HOME}/.pciids-cache.tmp-*-@{pid} rw,
-  owner @{HOME}/.pciids-cache rw,
-
   @{PROC}/cmdline r,
-
-  # file_inherit
   @{PROC}/ioports r,
+  deny @{user_share_dirs}/gvfs-metadata/* r,
   include if exists
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index c7c6303b..a37c9efe 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -20,9 +20,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability fowner,
   capability kill,
+  capability mknod,
   capability net_admin,
   capability setgid,
   capability setuid,
+  capability sys_chroot,
   capability sys_nice,
   network inet stream,
@@ -96,6 +98,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/touch rix,
   /{usr/,}bin/appstreamcli rPx,
+  /{usr/,}bin/arch-audit rPx,
   /{usr/,}bin/dpkg rPx -> child-dpkg,
   /{usr/,}bin/glib-compile-schemas rPx,
   /{usr/,}bin/systemd-inhibit rPx,
@@ -128,9 +131,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/mountinfo r,
   @{PROC}/sys/kernel/random/uuid r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
+  /dev/tty rw,
+
   profile gpg {
     include
     include
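Review bot: The lspci hunk drops `# Needed when run as root` above `capability sys_admin,` without a replacement, leaving the profile's single, and most powerful, capability uncommented; keep an explanatory line there (the original `# Needed when run as root` is enough) so a later reader can tell whether the grant is still required rather than inherited from an old version. The new `deny @{user_share_dirs}/gvfs-metadata/* r,` is the same inherited-descriptor style denial that findmnt gets a `# File Inherit` comment for in this commit; the same comment here (replacing the removed `# file_inherit`) keeps the intent consistent across profiles. `/app/lib/libzypak-preload-host*.so rm,` (also added to pidof) grants map rights on a library under a path that appears to exist only inside a Flatpak sandbox; a short comment such as `# Flatpak (zypak) host preload` would explain why a host profile references /app. The lspci profile closes outside the hunk.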
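Review bot: `/dev/tty rw,` in the last packagekitd hunk is added to the main daemon profile, immediately before the `profile gpg {` subprofile; if it is needed for gpg's terminal interaction it belongs inside that subprofile (whose body continues outside the hunk), and if the daemon itself needs it a comment should name the caller, because a system daemon normally has no controlling terminal to write to. `capability mknod,` and `capability sys_chroot,` in the first hunk likewise land without a comment; a one-liner per capability naming the package scriptlet behaviour that triggered it, if that is the source, keeps the grants reviewable next to the existing ones. `/{usr/,}bin/arch-audit rPx,` requires a profile named `arch-audit` to be loaded, otherwise the transition is denied; confirm that profile ships with this commit or already exists in the set.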
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 6dda5025..0c099850 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -43,6 +43,7 @@ profile pass @{exec_path} {
   /{usr/,}bin/git rCx -> git,
   /{usr/,}bin/gpg{2,} rUx,
+  /{usr/,}bin/qdbus rCx -> qdbus,
   /{usr/,}bin/vim{,.*} rCx -> editor,
   /{usr/,}bin/wl-{copy,paste} rPx,
   /{usr/,}bin/xclip rPx,
@@ -134,6 +135,14 @@ profile pass @{exec_path} {
     include if exists
   }
+  profile qdbus {
+    include
+
+    /{usr/,}bin/qdbus mr,
+
+    include if exists
+  }
+
   include if exists
   include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof
index b0e25d97..8c47f645 100644
--- a/apparmor.d/profiles-m-r/pidof
+++ b/apparmor.d/profiles-m-r/pidof
@@ -16,6 +16,8 @@ profile pidof @{exec_path} {
   @{exec_path} mr,
+  /app/lib/libzypak-preload-host*.so rm,
+
   @{PROC}/ r,
   @{PROC}/@{pids}/cmdline r,
   @{PROC}/@{pids}/stat r,
diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck
index f6d1e7c5..205df15a 100644
--- a/apparmor.d/profiles-m-r/pwck
+++ b/apparmor.d/profiles-m-r/pwck
@@ -24,5 +24,7 @@ profile pwck @{exec_path} {
   /etc/shadow.[0-9]* rw,
   /etc/shadow.lock wl,
+  /etc/machine-id r,
+
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index b6c9db2f..da4c4c84 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -82,6 +82,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   owner @{user_vm_dirs}/{,**} rw,
   owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
+  owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
   owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
   @{run}/mount/utab r,
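Review bot: The new `profile qdbus {` subprofile in the second pass hunk grants only `/{usr/,}bin/qdbus mr,` plus one include whose target was stripped in this rendering; qdbus exists to talk to a D-Bus bus, so unless that include is a D-Bus abstraction the child will be unable to do anything useful and every invocation will produce denials. Consider adding the session-bus access the child needs (qdbus being a Qt program, it may also need the Qt abstraction) and a comment naming why pass calls it, e.g. `# Used by pass to clear the KDE Klipper clipboard history` if that is the use. The parent `pass` profile continues outside both hunks.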