diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash index a8c7085e..4d9adca1 100644 --- a/apparmor.d/abstractions/trash +++ b/apparmor.d/abstractions/trash @@ -75,4 +75,4 @@ owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]*/ rw, owner /{media,mnt}/*/*/.Trash-[0-9]*/expunged/[0-9]*/** rw, - include if exists \ No newline at end of file + include if exists diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord index 00d92467..1af8c2b5 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/groups/apps/discord @@ -81,6 +81,7 @@ profile discord @{exec_path} { owner @{PROC}/@{pid}/fd/ r, deny @{PROC}/vmstat r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pids}/clear_refs w, owner @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/status r, deny @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index 07877d98..12304364 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dpkg-architecture profile dpkg-architecture @{exec_path} { include + include include @{exec_path} r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index b9687953..247ca5a9 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -84,6 +84,7 @@ profile cron @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx, /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx, /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate new file mode 100644 index 00000000..f675cabc --- /dev/null 
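Review bot: The new `owner @{PROC}/@{pids}/clear_refs w,` in the discord hunk uses `@{pids}`, so it lets the confined Electron process write clear_refs of any other same-uid process rather than only its own; clear_refs is the knob that resets a target's referenced/soft-dirty page flags, i.e. a write into another process's memory accounting, not a read. The neighbouring `deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,` shows the profile already silences comparable Chromium probing with a deny. Unless writes to foreign pids are confirmed necessary, narrow the rule to `owner @{PROC}/@{pid}/clear_refs w,` or make it a deny like the oom_adj line. The enclosing `profile discord` block starts and ends outside the hunk.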
+++ b/apparmor.d/groups/cron/cron-plocate @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/plocate +profile cron-plocate @{exec_path} { + include + include + + @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, + + /{usr/,}bin/which rix, + /{usr/,}bin/true rix, + /{usr/,}bin/flock rix, + /{usr/,}bin/nocache rix, + /{usr/,}bin/ionice rix, + /{usr/,}bin/nice rix, + + /{usr/,}sbin/updatedb.plocate rPx, + /{usr/,}sbin/on_ac_power rPx, + + @{run}/plocate.daily.lock rwk, + + include if exists +} diff --git a/apparmor.d/profiles-a-l/dkms b/apparmor.d/profiles-a-l/dkms index c0014a6f..a166ee29 100644 --- a/apparmor.d/profiles-a-l/dkms +++ b/apparmor.d/profiles-a-l/dkms @@ -81,6 +81,7 @@ profile dkms @{exec_path} { owner /tmp/dkms.*/ rw, owner /tmp/tmp.* rw, owner /tmp/sh-thd.* rw, + owner /tmp/* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-l/dnscrypt-proxy b/apparmor.d/profiles-a-l/dnscrypt-proxy index d3a26ed2..881386d6 100644 --- a/apparmor.d/profiles-a-l/dnscrypt-proxy +++ b/apparmor.d/profiles-a-l/dnscrypt-proxy @@ -26,6 +26,7 @@ profile dnscrypt-proxy @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/profiles-a-l/ifconfig b/apparmor.d/profiles-a-l/ifconfig index c696dd59..8f5d0cf0 100644 --- a/apparmor.d/profiles-a-l/ifconfig +++ b/apparmor.d/profiles-a-l/ifconfig @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/ifconfig profile ifconfig @{exec_path} { include + include include # To be able to manage network interfaces. diff --git a/apparmor.d/profiles-m-z/mount b/apparmor.d/profiles-m-z/mount index d0b541e1..bebd4a12 100644 --- a/apparmor.d/profiles-m-z/mount +++ b/apparmor.d/profiles-m-z/mount 
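Review bot: `/{usr/,}sbin/on_ac_power rPx,` (like `updatedb.plocate rPx,` above it) requires a profile attached to the target binary; if no `on_ac_power` profile exists in this set the exec is denied and the daily job aborts before updatedb ever runs. The cron profile touched in the same change uses `rPUx` for `passwd` as its fallback form, so `/{usr/,}sbin/on_ac_power rPUx,` is the established way to handle a helper that has no profile of its own; if one does exist, a one-line comment naming it saves the next reader the lookup. I cannot see the rest of the profile set, so treat this as a check rather than a confirmed defect.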
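Review bot: `owner /tmp/* rw,` in the dkms hunk widens the profile from three named mktemp templates to every entry directly under the shared /tmp that the process owns, and since dkms builds modules as root, `owner` then only requires the file to be root-owned, which covers scratch files left there by any other root tooling. If the denial that prompted this came from yet another temp-name template, add that pattern next to `owner /tmp/sh-thd.* rw,` instead; if the wildcard has to stay, `owner /tmp/tmp.* rw,` and `owner /tmp/sh-thd.* rw,` are now subsumed by it and should go (the `dkms.*/` directory rule is not, since `*` does not match a trailing slash). A short comment naming the tool that produces the unpredictable names would justify the wildcard. The dkms profile block starts and ends outside the hunk.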
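Review bot: `network netlink raw,` in the dnscrypt-proxy hunk is the one rule in this block whose purpose is not self-evident for a DNS proxy, and it carries no comment; netlink is also the family that carries route and interface changes, so a reader will wonder whether the daemon is meant to touch network configuration. If the denial comes from the Go runtime (dnscrypt-proxy is written in Go, and `net.Interfaces()` presumably enumerates over NETLINK_ROUTE), record that above the rule: `# Go runtime: interface enumeration over rtnetlink`. Configuration changes over that socket would additionally need `capability net_admin`, which this hunk does not grant; worth confirming against the rest of the profile, which I cannot see here.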
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/mount profile mount @{exec_path} flags=(complain) { include + include include include diff --git a/apparmor.d/profiles-m-z/pam-auth-update b/apparmor.d/profiles-m-z/pam-auth-update index 01f898ed..4fee40ff 100644 --- a/apparmor.d/profiles-m-z/pam-auth-update +++ b/apparmor.d/profiles-m-z/pam-auth-update @@ -16,6 +16,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { /{usr/,}bin/perl r, /{usr/,}bin/md5sum rix, + /{usr/,}bin/cp rix, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, diff --git a/apparmor.d/profiles-m-z/plocate b/apparmor.d/profiles-m-z/plocate new file mode 100644 index 00000000..832deaa3 --- /dev/null +++ b/apparmor.d/profiles-m-z/plocate @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/plocate +profile plocate @{exec_path} { + include + + # For running as root + capability dac_read_search, + capability setgid, + + @{exec_path} mr, + + /var/lib/plocate/plocate.db r, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/plocate-build b/apparmor.d/profiles-m-z/plocate-build new file mode 100644 index 00000000..a26157b8 --- /dev/null +++ b/apparmor.d/profiles-m-z/plocate-build @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}sbin/plocate-build +profile plocate-build @{exec_path} { + include + + @{exec_path} mr, + + /var/lib/mlocate/mlocate.db r, + + /var/lib/mlocate/#[0-9]* rw, + /var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#[0-9]*, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/sudo b/apparmor.d/profiles-m-z/sudo index 92c712a8..65289d58 100644 --- a/apparmor.d/profiles-m-z/sudo +++ b/apparmor.d/profiles-m-z/sudo 
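Review bot: The database locations in the new plocate-build profile and the new `plocate` profile in this same change disagree: plocate-build reads `/var/lib/mlocate/mlocate.db` and writes `/var/lib/mlocate/plocate.db`, while `plocate` only reads `/var/lib/plocate/plocate.db` and `updatedb.plocate` writes under `/var/lib/plocate/` as well. If plocate-build is the legacy converter that older releases ran against the mlocate database, say so above the rules, e.g. `# legacy converter: builds plocate.db next to mlocate.db; newer releases use updatedb.plocate`; if one installation is expected to run both tools, one of the two paths is wrong and plocate would never see what plocate-build produces. The temp-file plus `rwl ->` link rule pair otherwise looks like the expected atomic rewrite.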
@@ -28,6 +28,9 @@ profile sudo @{exec_path} { # To write records to the kernel auditing log. capability audit_write, + # For changing ownership of the /var/log/sudo.log file + capability chown, + # Needed? (#FIXME#) capability sys_resource, capability net_admin, @@ -55,6 +58,7 @@ profile sudo @{exec_path} { /{usr/,}{s,}bin/[a-z0-9]* rPUx, /dev/ r, + /dev/ptmx rw, # For timestampdir owner @{run}/sudo/ rw, @@ -72,6 +76,8 @@ profile sudo @{exec_path} { /etc/environment r, /etc/security/limits.d/{,*} r, + /var/log/sudo.log wk, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-z/thinkfan b/apparmor.d/profiles-m-z/thinkfan index 58c99fb0..6a9e5237 100644 --- a/apparmor.d/profiles-m-z/thinkfan +++ b/apparmor.d/profiles-m-z/thinkfan @@ -15,9 +15,9 @@ profile thinkfan @{exec_path} { /etc/thinkfan.conf r, /etc/thinkfan.yaml r, - @{sys}/devices/platform/**/hwmon/**/pwm[0-9]* rw, - @{sys}/devices/platform/**/hwmon/**/pwm[0-9]*_enable rw, - @{sys}/devices/platform/**/hwmon/**/temp[0-9]*_input r, + @{sys}/devices/**/hwmon/**/pwm[0-9]* rw, + @{sys}/devices/**/hwmon/**/pwm[0-9]*_enable rw, + @{sys}/devices/**/hwmon/**/temp[0-9]*_input r, @{PROC}/acpi/ibm/thermal r, @{PROC}/acpi/ibm/fan rw, diff --git a/apparmor.d/profiles-m-z/umount b/apparmor.d/profiles-m-z/umount index f9f3e576..fa9d25ac 100644 --- a/apparmor.d/profiles-m-z/umount +++ b/apparmor.d/profiles-m-z/umount @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/umount profile umount @{exec_path} flags=(complain) { include + include include # To be able to umount anything diff --git a/apparmor.d/profiles-m-z/updatedb.plocate b/apparmor.d/profiles-m-z/updatedb.plocate new file mode 100644 index 00000000..4a551ca3 --- /dev/null +++ b/apparmor.d/profiles-m-z/updatedb.plocate 
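Review bot: `/dev/ptmx rw,` in the sudo hunk has no comment, unlike the `capability chown` addition, and a pty master is only useful together with its slave side: if this is for `use_pty` or I/O logging, sudo also opens `/dev/pts/[0-9]*` for the command, and no such rule appears in these hunks (it may exist elsewhere in the profile, which I cannot see). Add `# For use_pty / I/O logging` (or the actual trigger) above the rule and confirm the pts rule exists. `/var/log/sudo.log wk,` is the file the chown capability is justified with, so a pointer such as `# logfile (see capability chown above)` keeps the two halves of that justification findable.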
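Review bot: After the thinkfan widening, `@{sys}/devices/**/hwmon/**/pwm[0-9]* rw,` grants write access to every hwmon PWM control on the machine (GPU, board, drive-bay fans) rather than only the platform devices it was limited to before; that may well be what non-ThinkPad configurations need, but the pattern also makes the following line redundant, because `*` matches `_enable`, so `pwm[0-9]*_enable rw,` is already covered. Either drop the `_enable` line or make the intent explicit with `@{sys}/devices/**/hwmon/**/pwm[0-9]{,[0-9]} rw,` followed by the `_enable` rule, so the writable set is exactly pwmN and pwmN_enable rather than every pwmN_* attribute. A comment stating which hardware required leaving `platform/` would document the widening.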
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}sbin/updatedb.plocate
+profile updatedb.plocate @{exec_path} {
+ include
+ include
+
+ capability dac_read_search,
+ capability chown,
+ capability fowner,
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /etc/updatedb.conf r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /var/lib/plocate/plocate.db rw,
+ /var/lib/plocate/#[0-9]* rw,
+ /var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#[0-9]*,
+
+ / r,
+ /**/ r,
+
+ # file_inherit
+ @{run}/plocate.daily.lock r,
+
+ include if exists
+}
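Review bot: `capability sys_ptrace,` together with `ptrace (read),` is an unusual grant for a filesystem indexer and the profile gives no reason for it; the own-pid `owner @{PROC}/@{pid}/mount{s,info}` reads do not need it, so it most likely surfaced when the `/**/ r,` walk descended into other processes' `/proc/<pid>/` trees, where listing `fd/` and similar is ptrace-gated. If that is the origin, the fix is pruning rather than privilege: the stock `/etc/updatedb.conf` normally lists `proc` in PRUNEFS, so check why the scan entered it, and otherwise document the reason above the rule (`# ptrace read: <reason>`). Separately, `/var/lib/plocate/plocate.db rw,` is subsumed by the `rwl ->` rule two lines below it (the new plocate-build profile carries only the link form), so the bare `rw` line can go. `capability chown` and `fowner` are presumably for handing the finished database to the plocate group; a comment would confirm that.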