From 64ad329dd9d81658ce778b596740397dc39013e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jan 2023 18:51:16 +0000 Subject: [PATCH] feat(profiles): Cleanup udev rules. --- apparmor.d/abstractions/devices-usb | 4 +-- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/groups/freedesktop/pipewire | 5 ++-- apparmor.d/groups/freedesktop/plymouthd | 4 +-- apparmor.d/groups/freedesktop/pulseaudio | 4 +-- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/gnome/gnome-control-center | 13 ++++++---- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/tracker-extract | 6 ++--- apparmor.d/groups/network/ModemManager | 7 +++--- apparmor.d/groups/systemd/systemd-journald | 15 ++++++----- apparmor.d/groups/systemd/systemd-logind | 26 +++++++++++--------- apparmor.d/profiles-a-f/fprintd | 4 ++- apparmor.d/profiles-a-f/fritzing | 2 +- apparmor.d/profiles-g-l/gzdoom | 8 +++--- apparmor.d/profiles-m-r/nvtop | 6 +++-- apparmor.d/profiles-m-r/obexautofs | 2 +- apparmor.d/profiles-s-z/steam | 8 +++--- apparmor.d/profiles-s-z/steam-game | 10 +++++--- apparmor.d/profiles-s-z/virt-manager | 7 ++++-- apparmor.d/profiles-s-z/wireplumber | 7 +++--- 21 files changed, 84 insertions(+), 60 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 01193953..69a8afb0 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -20,8 +20,8 @@ # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]* r, - @{run}/udev/data/c18[0,8,9]* r, + @{run}/udev/data/c16[6,7]:[0-9]* r, # USB modems + @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters @{run}/udev/data/c8[0-9]:[0-9]* r, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 0ded777b..72fbbf9b 100644 --- a/apparmor.d/abstractions/gstreamer 
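Review bot: The character classes `[6,7]` and `[0,8,9]` in the two new devices-usb rules also match a literal comma, so `c16,:…` and `c18,:…` are accepted alongside the intended majors; AppArmor classes take bare characters, not comma-separated lists. Use `@{run}/udev/data/c16[67]:[0-9]* r,` and `@{run}/udev/data/c18[089]:[0-9]* r,`. No such major exists, so this is cosmetic today, but the same pattern is copied verbatim into ModemManager and obexautofs later in this commit and will keep propagating. The comment on the second rule could also name the nodes each major stands for, e.g. `# 180 /dev/usb/*, 188 /dev/ttyUSB*, 189 /dev/bus/usb/**`, which is what the old per-profile comments recorded.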
+++ b/apparmor.d/abstractions/gstreamer @@ -18,7 +18,7 @@ # @{run}/udev/data/c81:[0-9]* r, # For video4linux - @{run}/udev/data/c189:[0-9]* r, # For /dev/bus/usb/** + @{run}/udev/data/c189:[0-9]* r, # For USB serial converters @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]* @{run}/udev/data/+drm:* r, # For screen outputs #@{run}/udev/data/+pci:* r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 569a99e5..e3cf46f4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -61,8 +61,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk, - @{run}/udev/data/c23[0-9]:[0-9]* r, - @{run}/udev/data/c50[0-9]:[0-9]* r, + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, @{run}/udev/data/c81:[0-9]* r, # For video4linux @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index aef30573..e4047f54 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -36,8 +36,8 @@ profile plymouthd @{exec_path} { @{run}/plymouth/{,**} rw, @{run}/udev/data/+drm:* r, - @{run}/udev/data/c226:* r, - @{run}/udev/data/c29:* r, + @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c29:* r, # For /dev/fb[0-9]* @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index afbbc2ef..6546086c 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
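Review bot: The new comment `# For USB serial converters` on the `c189` rule is less useful than the one it replaces: in practice the `/dev/bus/usb/BBB/DDD` nodes are character major 189, and the xorg and gnome-shell hunks in this same commit keep `# for /dev/bus/usb/**` on the identical rule. Keep the original wording, `@{run}/udev/data/c189:[0-9]* r, # For /dev/bus/usb/**`, or pick one wording for every c189 rule in the series so the comments stay consistent and searchable.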
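Review bot: The pipewire hunk drops `c50[0-9]:[0-9]*` without any replacement, while the same commit gives gnome-control-center, systemd-logind and systemd-journald a 384-511 block when it removes their c50x/c51x rules. If the pipewire rule was added from an observed denial (a dynamically assigned major that had spilled into the upper range), this is a silent regression for the session audio stack. Either add the matching upper-range rules here as well, or record in the commit message why pipewire no longer needs them.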
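Review bot: In the plymouthd hunk `@{run}/udev/data/c29:* r,` keeps the bare `*` while the neighbouring `c226` rule and the logind hunk's `c29:[0-9]*` are tightened to require a digit after the colon. Use `@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*` so the framebuffer rule follows the convention the rest of the commit establishes. Cosmetic, but it keeps the udev-data rules uniform across profiles.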
@@ -151,8 +151,8 @@ profile pulseaudio @{exec_path} { @{run}/systemd/users/@{uid} r, - @{run}/udev/data/+sound* r, - @{run}/udev/data/c116:[0-9]* r, # For ALSA + @{run}/udev/data/+sound:card[0-9]* r, # For sound + @{run}/udev/data/c116:[0-9]* r, # for ALSA @{sys}/class/sound/ r, @{sys}/devices/**/sound/**/{uevent,pcm_class} r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c8aea29c..3371324c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -124,7 +124,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+serio* r, # for touchpad? @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c10:[0-9]* r, + @{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index d3d9caae..465bc107 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
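Review bot: The narrowed `+sound:card[0-9]*` rule should be checked against a live udev database before merge, since any `+sound:` entry whose name is not `cardN` would now be denied where `+sound*` previously allowed it. ALSA device nodes are recorded under `c116:N` and remain covered by the next rule, so the narrowing is probably complete, but that is an inference from the hunk rather than something it shows. Separately, the hunk mixes `# For sound` and `# for ALSA` on adjacent lines; the rest of this commit uses `# For …`.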
@@ -151,12 +151,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/udev/data/+dmi:* r, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c23[0-9]:[0-9]* r, - @{run}/udev/data/c50[0-9]:[0-9]* r, - @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:[0-9]* r, + @{run}/udev/data/c5[0-9]*:[0-9]* r, @{run}/udev/data/n[0-9]* r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1f20035d..57264c75 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -604,7 +604,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/+i2c:* r, @{run}/udev/data/+hid* r, # for HID-Compliant Keyboard - @{run}/udev/data/c10:[0-9]* r, + @{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index c1a6cc53..df7fb9fd 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
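Review bot: The three new `c3[0-9]*`, `c4[0-9]*` and `c5[0-9]*` rules are much wider than the `384 to 511` the comment claims: `*` matches zero or more characters, so `c3[0-9]*:` also matches majors 30-39 and 300-383, `c4[0-9]*:` matches 40-49, and `c5[0-9]*:` matches 50-59 and 512-599, and several of those low majors are statically assigned devices in the kernel's devices.txt. The impact is small because udev data is read-only device metadata, but a profile comment should not misstate what its rule grants. Spell the range out as below; the same three rules appear in the systemd-journald, systemd-logind and virt-manager hunks of this commit and need the same treatment.
```apparmor
  @{run}/udev/data/c25[0-4]:[0-9]* r,
  @{run}/udev/data/c38[4-9]:[0-9]* r, # For dynamic assignment range 384 to 511
  @{run}/udev/data/c39[0-9]:[0-9]* r,
  @{run}/udev/data/c4[0-9][0-9]:[0-9]* r,
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c51[01]:[0-9]* r,
  @{run}/udev/data/n[0-9]* r,
```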
@@ -102,9 +102,9 @@ profile tracker-extract @{exec_path} { @{run}/blkid/blkid.tab r, - @{run}/udev/data/c23[0-9]:[0-9]* r, - @{run}/udev/data/c50[0-9]:[0-9]* r, - @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, @{run}/mount/utab r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index faf588a2..ed875f65 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -52,9 +52,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform* r, @{run}/udev/data/+usb:* r, - @{run}/udev/data/c189:[0-9]* r, - @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c16[6,7]:[0-9]* r, # USB modems + @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters + @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n[0-9]* r, @{run}/systemd/inhibit/*.ref rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 03f02c4e..a111edf8 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
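Review bot: tracker-extract loses all coverage of majors above 254 in this hunk, while the gnome-control-center hunk of the same commit replaces the identical `c50[0-9]`/`c51[0-9]` rules with a 384-511 block. If I read fs/char_dev.c correctly the dynamic allocator hands out 254 downwards first and then 511 downwards, so on a machine with many dynamically numbered char devices the rule that was removed here is exactly the one that fires. Either add the upper-range rules here too, or note why tracker-extract is different from the other profiles in this series.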
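Review bot: The two new `c16[6,7]` and `c18[0,8,9]` rules in ModemManager are a verbatim copy of the lines this commit adds to `abstractions/devices-usb`, so the two copies will drift the next time either is touched. If ModemManager does not already include that abstraction (its include list is outside this hunk), replace the two lines with `include <abstractions/devices-usb>`; if it does, the two lines are redundant and can simply be dropped. As written the classes also match a literal comma; `c16[67]` and `c18[089]` are the intended forms.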
@@ -47,13 +47,16 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, - @{run}/udev/data/c1:[0-9]* r, - @{run}/udev/data/c10:[0-9]* r, # for /dev/tpm0 - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/c23[0-9]:[0-9]* r, + @{run}/udev/data/c1:[0-9]* r, # For RAM disk + @{run}/udev/data/c4:[0-9]* r, # For TTY devices + @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features + @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c4:[0-9]* r, - @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:[0-9]* r, + @{run}/udev/data/c5[0-9]*:[0-9]* r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 9dfa0725..6f56dfb9 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
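Review bot: The comment `# For RAM disk` on `@{run}/udev/data/c1:[0-9]* r,` is wrong: block major 1 is the RAM disk, but the `c` prefix makes this character major 1, i.e. the memory devices (`/dev/mem`, `/dev/null`, `/dev/zero`, `/dev/random`, and `/dev/kmsg` at 1:11). journald's interest here is presumably `/dev/kmsg`, so `# For /dev/kmsg and other memory devices (char major 1)` documents the rule correctly. A wrong comment on a privileged system daemon's profile is worse than none, since the next cleanup will trust it. The `c3[0-9]*`/`c4[0-9]*`/`c5[0-9]*` rules added at the end of the hunk also match majors 30-59 and 300-599, not only the 384-511 the comment states, because the `*` may be empty.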
@@ -82,20 +82,22 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/static_node-tags/uaccess/ r, @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs + @{run}/udev/data/+input* r, # For mouse, keyboard, touchpad @{run}/udev/data/+pci* r, - @{run}/udev/data/c10:[0-9]* r, - @{run}/udev/data/c116:[0-9]* r, # for ALSA - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c14:[0-9]* r, - @{run}/udev/data/c21:[0-9]* r, - @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* - @{run}/udev/data/c23[0-9]:[0-9]* r, + @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features + @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* + @{run}/udev/data/c14:[0-9]* r, # Open Sound System (OSS) + @{run}/udev/data/c21:[0-9]* r, # Generic SCSI access + @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* + @{run}/udev/data/c116:[0-9]* r, # For ALSA + @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card* + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c29:[0-9]* r, - @{run}/udev/data/c50[0-9]:[0-9]* r, - @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:[0-9]* r, + @{run}/udev/data/c5[0-9]*:[0-9]* r, @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 7f649e24..68fb4455 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd 
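Review bot: The `c3[0-9]*:[0-9]*`, `c4[0-9]*:[0-9]*` and `c5[0-9]*:[0-9]*` rules grant far more than the `384 to 511` range their comment claims, because the `*` may match nothing, so `c4[0-9]*:` also matches majors 40-49 (and likewise 30-39, 50-59, 300-383 and 512-599). logind runs privileged and, per the hunk header, is still in complain mode, so an over-wide rule here never surfaces as a denial and is carried into enforce mode unnoticed. Spell the range out with `c38[4-9]:[0-9]*`, `c39[0-9]:[0-9]*`, `c4[0-9][0-9]:[0-9]*`, `c50[0-9]:[0-9]*` and `c51[01]:[0-9]*`, each on its own `@{run}/udev/data/… r,` line.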
@@ -41,7 +41,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/journal/socket rw, @{run}/systemd/inhibit/*.ref w, - @{run}/udev/data/c23[0-9]:[0-9]* r, + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, @{sys}/class/hidraw/ r, diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index fe5bece9..c9325713 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -59,8 +59,8 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]* /dev/ttyS[0-9]* rw, diff --git a/apparmor.d/profiles-g-l/gzdoom b/apparmor.d/profiles-g-l/gzdoom index a2885966..246a84b8 100644 --- a/apparmor.d/profiles-g-l/gzdoom +++ b/apparmor.d/profiles-g-l/gzdoom @@ -87,9 +87,11 @@ profile gzdoom @{exec_path} { @{run}/udev/data/+sound:* r, @{run}/udev/data/+input:* r, - @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # For ALSA - @{run}/udev/data/c240:[0-9]* r, # For USB HID + @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* + @{run}/udev/data/c116:[0-9]* r, # For ALSA + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index ff0bb994..43887f26 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop 
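Review bot: Replacing `c240:[0-9]* r, # For USB HID` in gzdoom with the generic dynamic-range rules loses the only record of why this profile reads that udev data at all. hidraw appears to use a dynamically assigned major, so widening to the whole 234-254 range is justified, but keep the reason on the first line: `@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 (hidraw, USB HID controllers)`. Without it the next cleanup cannot tell whether the block is still needed.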
@@ -28,8 +28,10 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/*.ref r, @{run}/udev/data/+drm:* r, @{run}/udev/data/+pci* r, - @{run}/udev/data/c226:[0-9]* r, - @{run}/udev/data/c23[0-9]:[0-9]* r, + @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card* + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/profiles-m-r/obexautofs index aec33a90..216b973f 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -34,7 +34,7 @@ profile obexautofs @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{uevent,busnum,devnum,speed,descriptors} r, @{run}/udev/data/+usb:* r, - @{run}/udev/data/c189:* r, # for /dev/bus/usb/** + @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters /dev/bus/usb/ r, /dev/fuse rw, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index add45d99..c7282d1a 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -152,13 +152,15 @@ profile steam @{exec_path} { owner /tmp/sh-thd.* rw, owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+sound* r, @{run}/udev/data/+pci* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, @{run}/udev/data/n[0-9]* r, @{sys}/ r, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index c7ed303c..6e91ddd8 100644 
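Review bot: nvtop only receives the 234-254 block, yet the kernel's dynamic char-major allocator falls through to 384-511 once 234-254 is exhausted, and the NVIDIA UVM device that an NVIDIA monitoring tool is likely to touch is a common occupant of that upper range. If the old `c23[0-9]` rule existed for such a dynamically numbered device, nvtop may also need the upper-range rules this commit gives gnome-control-center; if it was only ever about DRM (`c226`, already covered), the new 234-254 lines are unnecessary. Worth confirming against the denial log that motivated the original rule.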
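Review bot: The obexautofs replacement `c18[0,8,9]:[0-9]*` widens the profile from the single major it needed (189, the `/dev/bus/usb/**` nodes the old comment names) to 180 (`/dev/usb/*`) and 188 (`/dev/ttyUSB*`) as well, and the class additionally matches a literal comma. Nothing in the hunk suggests an OBEX FUSE mounter talks to USB serial adapters, so the tighter `@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**` keeps least privilege while still fixing the bare `*` the old rule had.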
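Review bot: In the steam hunk `@{run}/udev/data/+sound* r,` remains a bare prefix glob while the pulseaudio hunk of the same commit tightens the identical rule to `+sound:card[0-9]*`; the two profiles should use the same form. Change it to `@{run}/udev/data/+sound:card[0-9]* r, # For sound`. The comments added here also mix `# for …` and `# For …` on adjacent lines, whereas the rest of the series uses `# For …`.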
--- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -185,12 +185,14 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner /tmp/miles_image_* mr, owner /tmp/pressure-vessel-*/{,**} rwl, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+sound* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # for ALSA - @{run}/udev/data/c241:[0-9]* r, + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9dec5c19..8bddcd19 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -87,8 +87,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, - @{run}/mount/utab r, - @{run}/udev/data/c51[0-9]:[0-9]* r, + + @{run}/mount/utab r, + @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:[0-9]* r, + @{run}/udev/data/c5[0-9]*:[0-9]* r, @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/virtual/drm/ttm/uevent r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index ad8aa6ab..041a693a 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber 
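Review bot: The three new `c3[0-9]*`/`c4[0-9]*`/`c5[0-9]*` rules in virt-manager replace one `c51[0-9]` rule (majors 510-519) with patterns that match majors 30-59 and 300-599, because the `*` after the class may be empty; the `384 to 511` comment therefore overstates their precision. For an unprivileged GUI tool this is a noticeably larger grant than the profile had, even if udev data itself is low-sensitivity. Use explicit ranges instead, `c38[4-9]:[0-9]*`, `c39[0-9]:[0-9]*`, `c4[0-9][0-9]:[0-9]*`, `c50[0-9]:[0-9]*` and `c51[01]:[0-9]*`, each on its own `@{run}/udev/data/… r,` line. The blank line inserted before `@{run}/mount/utab r,` looks accidental.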
@@ -36,9 +36,10 @@ profile wireplumber @{exec_path} { @{run}/udev/data/+sound:card[0-9]* r, # For sound @{run}/udev/data/c116:[0-9]* r, # for ALSA - @{run}/udev/data/c14:[0-9]* r, - @{run}/udev/data/c23[0-9]:[0-9]* r, - @{run}/udev/data/c50[0-9]:[0-9]* r, + @{run}/udev/data/c14:[0-9]* r, # Open Sound System (OSS) + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, @{run}/udev/data/c81:[0-9]* r, # For video4linux @{sys}/bus/ r,
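Review bot: Dropping `c50[0-9]:[0-9]*` from wireplumber, as the pipewire hunk also does, leaves the session audio stack with only the 234-254 range while other profiles in this commit keep an upper dynamic range. If the original rule came from an observed denial, audio device enumeration will regress on that machine and the cause will not be obvious from the commit title. Either restore coverage of the upper range (`c50[0-9]:[0-9]*` at minimum, or the full 384-511 block used elsewhere in this series) or state in the commit message that the rule was never needed.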