diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord index a18ed14a..e7eda5c3 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/groups/apps/discord @@ -7,33 +7,18 @@ abi , include -@{DISCORD_LIBDIR} = /usr/share/discord -@{DISCORD_LIBDIR} += /usr/share/discord-ptb /opt/discord -@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord -@{DISCORD_HOMEDIR} += @{user_config_dirs}/discordptb -@{DISCORD_CACHEDIR} = @{user_cache_dirs}/discord +@{name} = discord +@{lib_dirs} = /usr/share/@{name} /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb +@{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} @{bin}/discord{,-ptb} +@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} profile discord @{exec_path} { include - include - include - include - include - include - include - include include - include - include + include include - include - - signal (send) set=(kill, term) peer=@{profile_name}//lsb_release, - - # Needed for Game Activity - deny capability sys_ptrace, - deny ptrace (read), + include network inet dgram, network inet6 dgram, 
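Review bot: The new `@{lib_dirs}` drops `/usr/share/discord-ptb`, which the removed `@{DISCORD_LIBDIR} +=` line carried, while `@{exec_path}` still lists `@{lib_dirs}/Discord{,PTB}` and `@{config_dirs}` still adds `discordptb`; a PTB build installed under /usr/share/discord-ptb would no longer be attached to this profile, and whatever rules the shared include derives from `@{lib_dirs}` would not cover its files. Keeping the directory is a one-line change: `@{lib_dirs} = /usr/share/@{name}{,-ptb} /opt/@{name}`. The hunk also removes the explicit `deny capability sys_ptrace` / `deny ptrace (read)` pair that the old comment tied to Game Activity; if the include that replaces it does not carry an equivalent quiet deny, those probes will start appearing as DENIED in the audit log. The include targets are not visible in this rendering, so that last point is inferred rather than checked.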
@@ -42,150 +27,18 @@ profile discord @{exec_path} { network netlink raw, @{exec_path} mrix, + @{sh_path} rix, - @{sh_path} rix, + @{open_path} rPx -> child-open-browsers, - @{bin}/xdg-open rCx -> open, - #@{bin}/lsb_release rCx -> lsb_release, - #@{bin}/xdg-mime rCx -> xdg-mime, - deny @{bin}/lsb_release mrx, - deny @{bin}/xdg-mime mrx, - - @{DISCORD_LIBDIR}/ r, - @{DISCORD_LIBDIR}/** r, - # @{DISCORD_LIBDIR}/**.so mr, - @{DISCORD_LIBDIR}/libEGL.so mr, - @{DISCORD_LIBDIR}/libGLESv2.so mr, - @{DISCORD_LIBDIR}/libffmpeg.so mr, - # @{DISCORD_LIBDIR}/swiftshader/libEGL.so mr, - # @{DISCORD_LIBDIR}/swiftshader/libGLESv2.so mr, - @{DISCORD_LIBDIR}/chrome-sandbox rPx, - - owner @{DISCORD_HOMEDIR}/ rw, - owner @{DISCORD_HOMEDIR}/** rwk, - owner @{DISCORD_HOMEDIR}/@{int}/modules/discord_[a-z]*/*.node mrwk, - owner @{DISCORD_HOMEDIR}/@{int}/modules/discord_[a-z]*/lib*.so.[0-9] mrw, - - # Reading of the /proc/ dir is needed to start discord. - # Otherwise it returns the following error: - # [:FATAL:proc_util.cc(36)] : Permission denied (13) - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/vmstat r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/status r, - deny @{PROC}/@{pids}/stat r, - # Needed to remove the following error: - # Error occurred in handler for 'DISCORD_PROCESS_UTILS_GET_MEMORY_INFO': [Error: Failed to - # create memory dump] - owner @{PROC}/@{pids}/statm r, - # - deny @{PROC}/@{pids}/cmdline r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, - deny @{sys}/devices/virtual/tty/tty@{int}/active r, - # To remove the following error: - # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied - @{sys}/devices/@{pci}/irq r, - - deny 
/dev/ r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, owner /tmp/net-export/ rw, owner /tmp/discord.sock rw, owner "/tmp/Discord Crashes/" rw, - owner @{run}/user/@{uid}/discord-ipc-[0-9] rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit - owner /dev/tty@{int} rw, - - - profile xdg-mime { - include - include - - @{bin}/xdg-mime mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/cut rix, - @{bin}/{,e}grep rix, - @{bin}/head rix, - @{bin}/sed rix, - - # file_inherit - /usr/share/discord/** r, - owner /dev/shm/.org.chromium.Chromium.* rw, - owner @{user_config_dirs}/discord/GPUCache/data_[0-9] rw, - owner @{user_config_dirs}/discord/*/modules/discord_desktop_core/core.asar r, - owner @{user_config_dirs}/discord/GPUCache/index rw, - - } - - profile lsb_release { - include - include - include - - signal (receive) set=(kill, term) peer=discord, - - @{bin}/lsb_release r, - @{bin}/python3.@{int} r, - - @{bin}/ r, - @{bin}/apt-cache rPx, - - owner @{PROC}/@{pid}/fd/ r, - - /etc/debian_version r, - /etc/dpkg/origins/debian r, - /usr/share/distro-info/debian.csv r, - - # file_inherit - deny /usr/share/discord/** r, - deny owner /dev/shm/.org.chromium.Chromium.* rw, - deny owner @{user_config_dirs}/discord/GPUCache/data_[0-9] rw, - deny owner @{user_config_dirs}/discord/*/modules/discord_desktop_core/core.asar r, - deny owner @{user_config_dirs}/discord/GPUCache/index rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + owner @{run}/user/@{uid}/discord-ipc-@{int} rw, include if exists } diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube index 285f2aa2..da3a3db2 100644 
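Review bot: Three quiet denies that the old profile used to silence known-noisy accesses are removed without a visible replacement — `deny @{bin}/lsb_release mrx`, `deny @{bin}/xdg-mime mrx` and `deny /dev/ r` — so unless the shared include re-states them (its target is not visible here), Discord's attempts to run lsb_release and xdg-mime and to list /dev are still rejected but now produce an audit entry each. The rationale comments attached to the removed /proc and /sys rules (the `[:FATAL:proc_util.cc(36)]` start-up failure, the `DISCORD_PROCESS_UTILS_GET_MEMORY_INFO` memory-dump error, the pcilib irq message) are dropped as well, and the same happens to the `trap int3` note in the second freetube hunk. If those rules now live in the include, the rationale should move with them; otherwise the next audit-driven cleanup has no record of why `@{PROC}/ r` or `owner @{PROC}/@{pids}/statm r` must stay.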
--- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/groups/apps/freetube @@ -7,20 +7,17 @@ abi , include -@{lib_dirs} = @{lib}/freetube @{lib}/freetube-vue -@{lib_dirs} += /opt/FreeTube /opt/FreeTube-Vue +@{name} = {F,f}reetube{,-vue} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{lib_dirs}/freetube{,-vue} +@{exec_path} = @{lib_dirs}/@{name} profile freetube @{exec_path} { include include - include + include include - include - include - include - include - include include include @@ -32,43 +29,14 @@ profile freetube @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/ r, - @{lib_dirs}/** r, - @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/{swiftshader/,}libGLESv2.so mr, - @{lib_dirs}/{swiftshader/,}libEGL.so mr, - @{lib_dirs}/chrome-sandbox rPx, - - @{open_path} rPx -> child-open, + @{open_path} rPx -> child-open-strict, /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{HOME}/ r, - owner @{user_config_dirs}/FreeTube/ rw, - owner @{user_config_dirs}/FreeTube/** rwk, - owner @{run}/user/@{uid}/ r, - # The /proc/ dir is needed to avoid the following error: - # traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in - # freetube[56499b8a8000+531e000] - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/status r, - deny @{PROC}/@{pids}/stat r, - deny owner @{PROC}/@{pids}/statm r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pids}/oom_{,score_}adj r, - deny owner @{PROC}/@{pids}/oom_{,score_}adj w, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - deny @{PROC}/vmstat r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index a4dbedec..4a9c3194 100644 
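Review bot: `@{name} = {F,f}reetube{,-vue}` cannot match the paths the old rules used: AppArmor globs are case-sensitive and this alternation only expands to Freetube/freetube and their -vue suffix, never to `FreeTube` or `FreeTube-Vue`. The removed `@{lib_dirs} += /opt/FreeTube /opt/FreeTube-Vue` line here and the removed `owner @{user_config_dirs}/FreeTube/ rw` rules in the next hunk show those are the installed spellings, so the new `@{lib_dirs}` and `@{config_dirs}` would silently stop covering an /opt install and the existing config directory. Spelling the variable as `@{name} = {F,f}ree{T,t}ube{,-Vue,-vue}` restores both forms while keeping the lower-case package-name ones.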
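Review bot: The child-profile target changes from `child-open` to `child-open-strict` here, and the same change appears in the element-desktop and spotify second hunks, whereas the discord and mullvad-gui hunks go to `child-open-browsers`; nothing in the profiles records why a given app gets the stricter or the browser-only variant. Since that choice decides which external programs the confined app may hand a URL or file to, a one-line comment above each rule, e.g. `# Only browsers are expected as link targets` or `# Strict: no external opener beyond the default set`, would make the policy reviewable at a glance. This hunk also removes `owner @{HOME}/ r` and `owner @{run}/user/@{uid}/ r` without a visible replacement; if the shared include neither grants nor quiet-denies them, those directory listings will now show up as rejected in the audit log.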
--- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -6,25 +6,15 @@ abi , include -@{exec_path} = /opt/Mullvad*/mullvad-gui +@{name} = Mullvad*VPN +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include - include - include - include - include - include - include - include - - capability sys_chroot, - capability sys_ptrace, - capability sys_admin, + include network inet stream, network inet6 stream, 
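Review bot: Dropping `capability sys_chroot`, `capability sys_ptrace` and `capability sys_admin` from the GUI profile is the most significant change in this file and deserves a comment saying where that privilege went, since the hunk itself gives no hint; from the other files in this commit these look like Chromium setuid-sandbox needs that a shared include now routes through a separate chrome-sandbox profile, but the include targets are not visible in this rendering. A line such as `# Chromium sandbox capabilities belong to the chrome-sandbox profile, not here` above the remaining include would let a later reader verify that instead of re-adding the capabilities on the first denial. Note also that `@{name} = Mullvad*VPN` is a glob fragment, so every derived variable (`@{lib_dirs}`, `@{config_dirs}`, `@{cache_dirs}`) is a glob too; that matches the old `/opt/Mullvad*/mullvad-gui` intent but is worth a short comment so the asterisk is not "fixed" later.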
@@ -33,52 +23,25 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, + @{sh_path} rix, - "/opt/Mullvad VPN/*.so*" mr, - - @{sh_path} rix, - @{bin}/gsettings rix, - @{bin}/xdg-open rPx, - - "/opt/Mullvad VPN/{,**}" r, - /usr/share/themes/{,**} r, + @{bin}/gsettings rix, + @{open_path} rPx -> child-open-browsers, /etc/libva.conf r, /etc/igfx_user_feature{,_next}.txt w, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk, owner @{user_cache_dirs}/dconf/user rw, - owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner /tmp/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, @{run}/systemd/inhibit/*.ref rw, - @{sys}/bus/pci/devices/ r, - @{sys}/devices/@{pci}/{vendor,device,class,config,resource,irq} r, - @{sys}/devices/system/cpu/** r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - @{PROC}/ r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/uid_map w, - /dev/tty rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gvfs-metadata/* r, + deny /etc/machine-id r, + deny /var/lib/dbus/machine-id r, include if exists } diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 8aaf9eee..7fec2d04 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop 
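Review bot: `/etc/machine-id r` and `/var/lib/dbus/machine-id r` flip from allowed to `deny`, and because explicit deny rules are quiet, a component that needs the D-Bus machine id (libdbus typically reads `/var/lib/dbus/machine-id` when locating the bus) would fail without any audit trace. The discord hunk in this same commit keeps both reads allowed (it even moves them up), while element-desktop gains the same deny pair, so the commit leaves the Electron profiles in disagreement about a persistent device identifier; pick one policy and record it, e.g. `# machine-id is a stable device identifier; deny unless the app is shown to need it`. If the deny is kept, consider `audit deny` for a first release so a real breakage shows up in the log instead of being swallowed.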
@@ -6,21 +6,19 @@ abi , include +@{name} = {E,e}lement +@{lib_dirs} = @{lib}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + @{exec_path} = @{bin}/element-desktop profile element-desktop @{exec_path} { include include - include - include - include - include - include + include include - include include - capability sys_ptrace, - network inet dgram, network inet6 dgram, network inet stream, @@ -29,50 +27,19 @@ profile element-desktop @{exec_path} { @{exec_path} mr, - @{sh_path} r, - @{bin}/electron@{int} rix, - @{lib}/electron@{int}/{,**} r, - @{lib}/electron@{int}/electron rix, - @{lib}/element/{,**} r, - @{lib}/element/app.asar.unpacked/node_modules/**.node mr, - - @{open_path} rPx -> child-open, - - /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, - /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + @{open_path} rPx -> child-open-strict, /usr/share/webapps/element/{,**} r, - /etc/element/{,**} r, /etc/webapps/element/{,**} r, - owner @{user_config_dirs}/Element/ rw, - owner @{user_config_dirs}/Element/** rwkl -> @{user_config_dirs}/Element/**, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - @{PROC}/ r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/status r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/status r, - /dev/tty rw, deny / r, deny @{HOME}/ r, deny @{user_share_dirs}/gvfs-metadata/* r, deny /etc/machine-id r, + deny /var/lib/dbus/machine-id r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index fee251d0..3ab0aa9b 100644 
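Review bot: The second hunk removes `@{bin}/electron@{int} rix`, `@{lib}/electron@{int}/{,**} r` and `@{lib}/electron@{int}/electron rix`, but the new `@{lib_dirs} = @{lib}/@{name}` in the first hunk only covers `@{lib}/element`, so a packaging that launches a system electron from `@{bin}/element-desktop` would lose its exec permission unless the shared include grants electron on its own (its target is not visible in this rendering). If the include keys its file rules on `@{lib_dirs}`, adding the electron directory there, `@{lib_dirs} = @{lib}/@{name} @{lib}/electron@{int}`, keeps the read rules, though the `rix` on the electron binary itself would still need an explicit line. The closing `}` is also still the last byte of the file (`\ No newline at end of file`), which predates this change but is cheap to fix while the file is being rewritten.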
--- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -16,12 +16,7 @@ include profile spotify @{exec_path} { include include - include - include - include - include - include - include + include network inet dgram, network inet6 dgram, @@ -33,10 +28,7 @@ profile spotify @{exec_path} { @{bin}/grep rix, - @{lib_dirs}/{,**} r, - @{lib_dirs}/*.so* mr, - - @{open_path} rPx -> child-open, + @{open_path} rPx -> child-open-strict, /etc/machine-id r, /etc/spotify-adblock/* r, @@ -46,31 +38,8 @@ profile spotify @{exec_path} { owner @{user_config_dirs}/spotify-adblock/* r, - owner @{config_dirs}/ rw, - owner @{config_dirs}/** rwl -> @{config_dirs}/**, - owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - - owner @{cache_dirs}/ rw, - owner @{cache_dirs}/** rwk -> @{cache_dirs}/**, owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r, - @{sys}/devices/virtual/dmi/id/product_{name,version} r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, + owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, /dev/tty rw,