From 60cb62334ba3074352cb07ad8b2f81b99d9e441b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 2 Mar 2022 18:22:57 +0000
Subject: [PATCH] Profile update.
---
 apparmor.d/groups/browsers/chromium-chromium | 3 ++-
 apparmor.d/groups/gnome/gjs-console | 1 -
 apparmor.d/groups/gnome/gnome-control-center | 1 +
 apparmor.d/groups/gnome/gsd-media-keys | 6 +++---
 apparmor.d/groups/gnome/nautilus | 5 +++--
 apparmor.d/profiles-g-l/git | 3 +++
 apparmor.d/profiles-g-l/kmod | 4 ++--
 apparmor.d/profiles-m-r/pipewire-media-session | 15 +++------------
 apparmor.d/profiles-s-z/usbguard-applet-qt | 1 -
 apparmor.d/profiles-s-z/xdg-desktop-portal | 5 ++++-
 apparmor.d/profiles-s-z/xdg-desktop-portal-gnome | 1 -
 apparmor.d/profiles-s-z/xdg-desktop-portal-gtk | 8 +++++++-
 12 files changed, 28 insertions(+), 25 deletions(-)
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index 457b4527..8a101064 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -43,9 +43,10 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/uid_map w,
 ptrace (trace) peer=@{profile_name},
- ptrace (read) peer=xdg-settings,
+ ptrace (read) peer=browserpass,
 ptrace (read) peer=keepassxc-proxy,
 ptrace (read) peer=lsb_release,
+ ptrace (read) peer=xdg-settings,
 signal (send) set=(term, kill) peer=keepassxc-proxy,
 signal (receive) peer=chromium-chrome-crashpad-handler,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 8458843b..0c0f2c3a 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
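Review bot: The new `ptrace (read) peer=browserpass` rule lets chromium read browserpass's `/proc/<pid>/` entries (maps, environ, status and the like), and since browserpass is a bridge to a password store, nothing in the hunk records why the browser needs that or that `read` rather than `trace` is the intended ceiling. A short comment above the group, such as `# Native-messaging hosts: /proc/<pid> reads only, never trace`, would keep a later "fix a denial" edit from widening it. The rule also presumes a profile literally named `browserpass` exists in the set; that profile is not part of this diff, so it is worth confirming the name matches.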
@@ -31,7 +31,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/glvnd/egl_vendor.d/{,*.json} r,
 /usr/share/gnome-shell/{,**} r,
- /usr/share/themes/*/gtk-3.0/{,**} r,
 /usr/share/X11/xkb/** r,
 /var/lib/gdm/.config/dconf/user r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 8afb1c08..ffcb20ae 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{PROC}/zoneinfo r,
 /dev/ r,
+ /dev/media[0-9]* r,
 /dev/video[0-9]* rw,
 include if exists
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 6bb57fc0..957211e3 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -20,9 +20,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/icons/{,**} r,
@@ -30,6 +27,9 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 /usr/share/sounds/freedesktop/stereo/*.oga r,
 /usr/share/X11/xkb/** r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 owner @{user_config_dirs}/pulse/ rw,
 owner @{user_share_dirs}/ r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index dc958633..249fcd1e 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -13,6 +13,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
@@ -27,11 +28,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 # Full access to user's data
 / r,
 owner @{HOME}/{,**} rw,
- owner @{MOUNTS}/{,**} r,
+ owner @{MOUNTS}/{,**} rw,
 owner @{run}/user/@{uid}/{,**} rw,
 owner /tmp/{,**} rw,
- # Silencer for non user's data
+ # Silence non user's data
 deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
 deny /boot rw,
 deny /opt rw,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 545c41f4..624e77b0 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -80,6 +80,8 @@ profile git @{exec_path} {
 owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**,
+ owner @{user_cache_dirs}/**/.SRCINFO r,
+ owner @{user_cache_dirs}/**/.git/** r,
 owner /tmp/** rwkl -> /tmp/**,
 owner /tmp/**/bin/* rCx -> exec,
@@ -96,6 +98,7 @@ profile git @{exec_path} {
 owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature
 owner /tmp/git-commit-msg-.txt rw, # For android studio
+ deny @{user_share_dirs}/gvfs-metadata/* r,
 profile gpg {
 include
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 177e41c4..722de7c3 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -42,9 +42,9 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/modules/*/modules.* rw,
- /var/lib/dkms/**/module/*.ko r,
+ /tmp/**/*.ko{,.zst} r,
 /usr/src/*/*.ko r,
-
+ /var/lib/dkms/**/module/*.ko r,
 /var/tmp/dracut.*/{,**} rw,
 @{sys}/module/{,**} r,
diff --git a/apparmor.d/profiles-m-r/pipewire-media-session b/apparmor.d/profiles-m-r/pipewire-media-session
index bf6e8873..43aa3c8a 100644
--- a/apparmor.d/profiles-m-r/pipewire-media-session
+++ b/apparmor.d/profiles-m-r/pipewire-media-session
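Review bot: The two new `owner @{user_cache_dirs}/**/.SRCINFO r,` and `owner @{user_cache_dirs}/**/.git/** r,` rules carry no explanation, while the neighbouring `/tmp` rules in the same hunk each end with a `# For ...` comment saying which tool needs them. `.SRCINFO` is the makepkg metadata file, so this presumably serves an AUR helper cloning packages under the cache directory; a trailing `# For AUR helpers building from ~/.cache` (adjusted to the tool actually observed) would keep the pattern and stop the `**` globs from being widened later without a reason. The `deny @{user_share_dirs}/gvfs-metadata/* r,` line in the second hunk is a silencer and would likewise benefit from a `# Silence gvfs metadata noise` comment so nobody mistakes it for a security boundary.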
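Review bot: `/tmp/**/*.ko{,.zst} r,` lets a privileged kmod read kernel-module images out of a world-writable tree, unlike the sibling `/var/lib/dkms/**/module/*.ko r,` and `/usr/src/*/*.ko r,` paths which live in root-owned locations; an unprivileged local user can stage a file there and any later root `insmod`/`modprobe` pointed at it will be permitted by the profile. Qualifying the rule as `owner /tmp/**/*.ko{,.zst} r,` at least requires the image to be owned by the uid running kmod, which matches how the DKMS path is already constrained by location. A comment naming the workflow that builds modules under /tmp (presumably a DKMS or akmods build directory) would make the grant auditable.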
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015-2020 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2015-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/pipewire-media-session
 profile pipewire-media-session @{exec_path} {
 include
+ include
 include
 include
@@ -21,25 +22,19 @@ profile pipewire-media-session @{exec_path} {
 @{exec_path} mr,
 /usr/share/alsa-card-profile/{,**} r,
- /usr/share/alsa/{,**} r,
 /usr/share/pipewire/*.conf r,
 /usr/share/pipewire/media-session.d/{,**} r,
 /usr/share/spa-*/bluez[0-9]*/{,*} r,
- /etc/alsa/{,**} r,
 /etc/pipewire/*.conf r,
 /etc/pipewire/media-session.d/*.conf r,
- /etc/pulse/{,**} r,
 owner @{HOME}/.local/state/ rw,
 owner @{HOME}/.local/state/pipewire/{,**} rw,
 owner @{user_config_dirs}/pipewire/ rw,
 owner @{user_config_dirs}/pipewire/** rw,
 owner @{user_config_dirs}/pulse/ rw,
- owner @{user_config_dirs}/pulse/cookie rwk,
- owner @{run}/user/@{uid}/pulse/ rw,
- @{run}/shm/ r,
 @{run}/udev/data/+sound:card[0-9]* r, # For sound
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
@@ -54,10 +49,6 @@ profile pipewire-media-session @{exec_path} {
 @{run}/systemd/users/@{uid} r,
- /dev/shm/ r,
- /dev/snd/controlC[0-9]* rw,
- /dev/snd/pcmC[0-9]*D[0-9]*p rw,
- /dev/snd/pcmC[0-9]*D[0-9]*c rw,
 /dev/video[0-9]* rw,
 include if exists
diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt
index 85177f65..6654ef50 100644
--- a/apparmor.d/profiles-s-z/usbguard-applet-qt
+++ b/apparmor.d/profiles-s-z/usbguard-applet-qt
@@ -34,7 +34,6 @@ profile usbguard-applet-qt @{exec_path} {
 owner @{run}/user/@{uid}/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw,
 owner @{PROC}/@{pid}/cmdline r,
- @{PROC}/sys/kernel/random/boot_id r,
 @{PROC}/sys/kernel/core_pattern r,
 /usr/share/hwdata/pnp.ids r,
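Review bot: The `include` added inside `profile pipewire-media-session @{exec_path} {` (its target is stripped in this rendering; given the ALSA, pulse and `/dev/snd` rules removed in the following hunks it is presumably the audio abstraction) is broader than the explicit rules it replaces: that abstraction conventionally grants rw on all of `/dev/snd/**` plus the user's pulse and ALSA configuration, whereas the profile previously limited the session manager to `controlC*` and the `pcmC*D*[pc]` nodes and a read-only `/etc/pulse`. If that widening is deliberate, record it next to the include, e.g. `include <abstractions/audio>  # wider than the former /dev/snd rules; pipewire needs seq/timer too`, adjusted to the real reason; if it is not, keep the narrower `/dev/snd/` rules alongside the include and rely on the abstraction only for the configuration paths. The copyright-header hunk above it needs no review.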
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal b/apparmor.d/profiles-s-z/xdg-desktop-portal
index fe8fb032..93e59ab3 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/xdg-desktop-portal
-profile xdg-desktop-portal @{exec_path} {
+profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -22,6 +22,9 @@ profile xdg-desktop-portal @{exec_path} {
 /{usr/,}lib/x r,
+ / r,
+ /.flatpak-info r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/pipewire/client.conf r,
 /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
index 9e8293e2..ea3124b3 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
@@ -17,7 +17,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
 owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
index d7e6a9d2..19fddd71 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
@@ -15,20 +15,26 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 include
 include
 include
+ include
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
 / r,
+ owner @{HOME}/ r,
+ owner @{HOME}/.* r,
 owner @{HOME}/@{XDG_DATA_HOME}/ r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 include
 owner @{run}/user/@{uid}/dconf/user rw,
+ @{run}/mount/utab r,
+ owner @{PROC}/@{uid}/mountinfo r,
 include if exists
}
\ No newline at end of file
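Review bot: `/.flatpak-info r,` reads like a host root-filesystem path, but that file only exists inside a Flatpak sandbox; it is only meaningful here because the preceding hunk adds `flags=(attach_disconnected)` to the profile header, which makes paths from another mount namespace (presumably the caller's root reached through `/proc/<pid>/root`) appear re-attached under `/`. Without a comment the rule looks like dead weight and is likely to be removed or "corrected" by a later reader, so annotate it, e.g. `/.flatpak-info r,  # caller's sandbox metadata, seen as a disconnected path (attach_disconnected)`. The accompanying `/ r,` is fine as directory listing, but note that with attach_disconnected it also covers any other disconnected root, so it should stay read-only as written.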
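Review bot: `owner @{PROC}/@{uid}/mountinfo r,` uses `@{uid}` where a `/proc/<pid>/` entry is meant: it only matches when the process id happens to equal the user's uid, so in practice the access will keep being denied and logged; the rule should read `owner @{PROC}/@{pid}/mountinfo r,`, consistent with `@{PROC}/@{pid}/` usage elsewhere in this diff. Separately, `owner @{HOME}/.* r,` grants read on every dotfile directly under `$HOME`, which includes secrets such as `.netrc`, `.bash_history` or `.git-credentials`; if the file chooser only needs to enumerate hidden directories, the narrower `owner @{HOME}/.*/ r,` (directories only) suffices, otherwise a comment should state why file contents are required. The profile's opening line is outside this hunk; the hunk does end at the profile's closing brace.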