diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict
index b18d939d..9a32f161 100644
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@@ -23,9 +23,10 @@
 # Xauthority files required for X connections, per user
 owner @{HOME}/.Xauthority r,
+ owner /tmp/xauth_@{rand6} r,
 owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
 owner @{run}/user/@{uid}/X11/Xauthority r,
- @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/xauth_@{rand6} rl,
 # Xwayland
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root
index 3f4c96bb..541e90fe 100644
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@@ -6,11 +6,11 @@
 abi ,
 # Root app location
- / r,
- /usr/ r,
- @{bin}/ r,
- @{bin}/[a-z0-9]* rPUx,
- /usr/local/{s,}bin/ r,
- /usr/local/{s,}bin/[a-zA-Z0-9]* rPUx,
+ @{bin}/ r,
+ @{bin}/[a-z0-9]* rPUx,
+ / r,
+ /usr/ r,
+ /usr/local/{s,}bin/ r,
+ /usr/local/{s,}bin/[a-z0-9]* rPUx,
 include if exists 
\ No newline at end of file
diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
index 4f137bd4..1dd9c724 100644
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@@ -7,9 +7,9 @@
 # User app location
 / r,
- /usr/ r,
 /{usr/,}bin/ r,
 /{usr/,}bin/[a-zA-Z0-9]* rPUx,
+ /usr/ r,
 /usr/local/bin/ r,
 /usr/local/bin/[a-zA-Z0-9]* rPUx,
diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete
index 27edb92c..9d707f74 100644
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
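Review bot: The new `owner /tmp/xauth_@{rand6} r,` rule grants only `r`, while its counterpart `owner @{run}/user/@{uid}/xauth_@{rand6} rl,` two lines below keeps `l`; the asymmetry may well be deliberate, but nothing in the hunk says so. Since `/tmp` is a shared directory, the `owner` qualifier is what keeps another user's cookie file out of reach, and that is worth stating next to the rule, e.g. `# Temporary xauth cookie in shared /tmp: owner-only, read-only on purpose`, adjusting the wording if the program that creates it turns out to need `l` as the @{run} variant does.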
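Review bot: `/usr/local/{s,}bin/[a-z0-9]* rPUx,` narrows the old `[a-zA-Z0-9]*` class, so an executable in `/usr/local/bin` or `/usr/local/sbin` whose name starts with an uppercase letter can no longer be launched through this abstraction; this presumably aligns it with `@{bin}/[a-z0-9]* rPUx,` but it is a silent behaviour change for a root launcher. A short comment on the group would make the intent auditable, e.g. `# Lowercase-initial names only, matching @{bin}; other launchers need an explicit rule`. Note that `PUx` still falls back to unconfined execution when the target has no profile; that is pre-existing and applies to both groups.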
@@ -2,10 +2,10 @@
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-????????",
- unix (bind, listen) type=stream addr="@/tmp/dbus-????????",
+ unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-??????????",
+ unix (bind, listen) type=stream addr="@/tmp/dbus-??????????",
- unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-????????"),
+ unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-??????????"),
 owner @{run}/user/@{uid}/at-spi/ rw,
 owner @{run}/user/@{uid}/at-spi/bus rw,
diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
index ebe3ca39..dbc6afc8 100644
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
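Review bot: The three `unix` rules now match `@/tmp/dbus-??????????` and nothing else, and since each `?` matches exactly one character a session bus whose abstract socket name still carries the eight-character suffix silently loses connect, bind and peer permission instead of being covered alongside the new form. If both lengths are seen in practice (older dbus-daemon builds, other bus implementations), `addr="@/tmp/dbus-{????????,??????????}"` keeps the old case working, assuming brace alternation is accepted in `addr=` as it is in the file paths elsewhere in this project; otherwise a one-line comment naming which dbus version produces the ten-character suffix would document why the pattern changed.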
@@ -11,22 +11,32 @@
 # Use in this project: file browser and search engine
- deny @{HOME}/.*_history rwlk,
- deny @{HOME}/.*age*{,/{,**}} rwlk,
- deny @{HOME}/.*aws*{,/{,**}} rwkl,
- deny @{HOME}/.*cert*{,/{,**}} rwlk,
- deny @{HOME}/.*key*{,/{,**}} rwlk,
- deny @{HOME}/.*pass*{,/{,**}} rwlk,
- deny @{HOME}/.*pki*{,/{,**}} rwlk,
- deny @{HOME}/.*private*{,/{,**}} rwlk,
- deny @{HOME}/.*secret*{,/{,**}} rwlk,
- deny @{HOME}/.*yubi*{,/{,**}} rwlk,
- deny @{HOME}/.lesshst* rwlk,
- deny @{HOME}/.wget-hsts rwlk,
- deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk,
- deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk,
- deny @{user_config_dirs}/*-store/{,**} rwlk,
- deny @{user_password_store_dirs}/{,**} rwlk,
+ deny @{HOME}/.*.bak mrwkl,
+ deny @{HOME}/.*.swp mrwkl,
+ deny @{HOME}/.*~ mrwkl,
+ deny @{HOME}/.*~1~ mrwkl,
+ deny @{HOME}/.*age*{,/{,**}} mrwkl,
+ deny @{HOME}/.*aws*{,/{,**}} mrwkl,
+ deny @{HOME}/.*cert*{,/{,**}} mrwkl,
+ deny @{HOME}/.*history mrwkl,
+ deny @{HOME}/.*key*{,/{,**}} mrwkl,
+ deny @{HOME}/.*pass*{,/{,**}} mrwkl,
+ deny @{HOME}/.*pki*{,/{,**}} mrwkl,
+ deny @{HOME}/.*private*{,/{,**}} mrwkl,
+ deny @{HOME}/.*secret*{,/{,**}} mrwkl,
+ deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
+ deny @{HOME}/.fetchmail* mrwkl,
+ deny @{HOME}/.lesshst* mrwkl,
+ deny @{HOME}/.mozilla/{,**} mrwkl,
+ deny @{HOME}/.mutt** mrwkl,
+ deny @{HOME}/.thunderbird mrwkl,
+ deny @{HOME}/.viminfo* mrwkl,
+ deny @{HOME}/.wget-hsts mrwkl,
+ deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
+ deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
+ deny @{user_config_dirs}/*-store/{,**} mrwkl,
+ deny @{user_config_dirs}/chromium/{,**} mrwkl,
+ deny @{user_password_store_dirs}/{,**} mrwkl,
 # Deny executable mapping in writable space as allowed in abstractions/fonts
 deny @{HOME}/.{,cache/}fontconfig/ rw,
diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index a710755f..95615ddc 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
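Review bot: `deny @{HOME}/.thunderbird mrwkl,` matches only the directory entry itself, not the mail and credential data inside it, because a plain path without a glob never matches children; every other directory in this list carries `/{,**}` (compare `deny @{HOME}/.mozilla/{,**} mrwkl,` two lines above), so this line should read `deny @{HOME}/.thunderbird/{,**} mrwkl,`. The rest of the hunk is consistent: adding `m` to every entry closes the mmap route to the same files, and because AppArmor deny rules take precedence over allow rules from any included abstraction, the tightening holds even in profiles that grant broad `@{HOME}/**` access.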
@@ -6,6 +6,6 @@
 /var/lib/gdm/.cache/ w,
 /var/lib/gdm/.cache/mesa_shader_cache/ rw,
 /var/lib/gdm/.cache/mesa_shader_cache/index rw,
- /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
- /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
- /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
+ /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/ rw,
+ /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
+ /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete
index 6ae3a7b2..b5a5ee52 100644
--- a/apparmor.d/abstractions/nvidia.d/complete
+++ b/apparmor.d/abstractions/nvidia.d/complete
@@ -8,4 +8,4 @@
 /etc/nvidia/nvidia-application-profiles* r,
- /dev/char/195:@{int} rw,
+ /dev/char/195:@{int} rw, # Nvidia graphics devices
diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh
index b314e739..3ca67f1d 100644
--- a/apparmor.d/abstractions/zsh
+++ b/apparmor.d/abstractions/zsh
@@ -1,19 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# This abstraction is only required when an interactive shell is started.
+# Classic bash scripts do not need it.
+
 abi ,
+ @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,
+
 /usr/share/zsh/{,**} r,
 /usr/local/share/zsh/{,**} r,
- @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,
-
- /etc/zsh/zshenv r,
- /etc/zsh/zshrc r,
- /etc/zsh/zprofile r,
- /etc/zsh/zlogin r,
+ /etc/zsh/* r,
 owner @{HOME}/.zshrc r,
 owner @{HOME}/.zshenv r,
@@ -24,6 +24,8 @@
 owner @{HOME}/.oh-my-zsh/log/update.lock/ w,
 owner @{HOME}/.zcompdump-* rw,
+
+ owner @{user_config_dirs}/zsh/.zcompdump-* rw,
 owner @{user_config_dirs}/zsh/{,**} r,
 include if exists 
\ No newline at end of file
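Review bot: The new header comment `# Classic bash scripts do not need it.` sits in the zsh abstraction, where it presumably means non-interactive zsh (or shell) scripts; `# Non-interactive shell scripts do not need it.` would say that without naming a different shell. Separately, `/etc/zsh/* r,` replaces four explicitly named files with every regular file in `/etc/zsh/` (read-only, no subdirectories since `*` does not cross `/`), which also admits `zlogout` and any file a package drops there; that is a reasonable simplification but it widens the old rule and deserves a one-line comment saying so.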
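Review bot: `owner @{user_config_dirs}/zsh/.zcompdump-* rw,` requires a hyphen after `.zcompdump`, so it covers the oh-my-zsh style dump name but, as far as I know, not the plain `.zcompdump` that zsh's compinit writes by default nor the temporary file compinit creates beside it before renaming; with ZDOTDIR pointing at `@{user_config_dirs}/zsh/` such a write would only match the read-only `owner @{user_config_dirs}/zsh/{,**} r,` line below and be refused. `owner @{user_config_dirs}/zsh/.zcompdump* rw,` covers both forms while staying within the one directory. The same hyphenated pattern pre-exists for `@{HOME}/.zcompdump-*` in the context line above, so the change is outside this hunk if you want to fix both.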