From 64d8379375702e6b9282884b3af69e4f2dd73b96 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 5 Apr 2021 13:15:52 +0100
Subject: [PATCH] Global profile update.
---
 apparmor.d/groups/browsers/chrome-gnome-shell | 3 +++
 apparmor.d/groups/gnome/gnome-keyring-daemon | 2 ++
 apparmor.d/groups/gnome/gsd-xsettings | 1 +
 apparmor.d/groups/network/NetworkManager | 7 ++++++-
 apparmor.d/groups/systemd/systemd-tmpfiles | 3 +++
 apparmor.d/profiles-a-l/browserpass | 3 +++
 apparmor.d/profiles-a-l/git | 2 ++
 apparmor.d/profiles-m-z/udisksd | 2 +-
 apparmor.d/profiles-m-z/wpa-supplicant | 3 +--
 9 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/browsers/chrome-gnome-shell
index 78fdd760..e779d842 100644
--- a/apparmor.d/groups/browsers/chrome-gnome-shell
+++ b/apparmor.d/groups/browsers/chrome-gnome-shell
@@ -21,7 +21,10 @@ profile chrome-gnome-shell @{exec_path} {
 network netlink raw,
 @{exec_path} mr,
+
+ /{usr/,}bin/ r,
 /{usr/,}bin/python3.[0-9]* r,
+ owner @{user_lib_dirs}/python3.9/site-packages/ r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index be7998f3..6ae9e112 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -16,6 +16,8 @@ profile gnome-keyring-daemon @{exec_path} {
 # gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used
 capability ipc_lock,
+ signal (send) set=(term) peer=ssh-agent,
+
 @{exec_path} mr,
 /{usr/,}bin/ssh-add rix,
 /{usr/,}bin/ssh-agent rPx,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index f2d73b13..a490cb13 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
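Review bot: `owner @{user_lib_dirs}/python3.9/site-packages/ r,` in the chrome-gnome-shell hunk pins the interpreter's minor version, while the rule two lines above it already uses `/{usr/,}bin/python3.[0-9]* r,`; after the next Python upgrade the new rule silently stops matching and the denial it was added for comes back. Using the same pattern, `owner @{user_lib_dirs}/python3.[0-9]*/site-packages/ r,`, keeps the two rules consistent and upgrade-proof. The profile block continues outside the hunk.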
@@ -38,6 +38,7 @@ profile gsd-xsettings @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 /dev/dri/ r,
+ /dev/dri/renderD[0-9]* rw,
 /dev/tty rw,
 /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index d6d31fb6..e6adfc7a 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -41,6 +41,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}bin/{,ba,da}sh rix,
+ / r,
 /etc/ r,
 /etc/resolv.conf rw,
 /etc/resolv.conf.[0-9A-Z]* rw,
@@ -70,9 +71,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+pci* r,
 @{sys}/devices/**/uevent r,
- @{sys}/devices/virtual/net/{,*} r,
+ @{sys}/devices/virtual/net/{,**} r,
 @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 5841b421..bf032621 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -13,6 +13,7 @@ profile systemd-tmpfiles @{exec_path} {
 include
 capability dac_read_search,
+ capability net_admin,
 capability fsetid,
 capability mknod,
 capability fowner,
@@ -33,11 +34,13 @@ profile systemd-tmpfiles @{exec_path} {
 # Where the tmpfiles can be created,
 /{,*} rw,
+ /home/ rw,
 /dev/{,**} rw,
 /var/{,**} rwk,
 /run/{,**} rw,
 /tmp/{,**} rwk,
 /srv/{,**} rw,
+ /etc/{,**} r,
 @{run}/systemd/userdb/ r,
 @{sys}/devices/system/cpu/microcode/reload w,
diff --git a/apparmor.d/profiles-a-l/browserpass b/apparmor.d/profiles-a-l/browserpass
index 9e6175c3..3c73797f 100644
--- a/apparmor.d/profiles-a-l/browserpass
+++ b/apparmor.d/profiles-a-l/browserpass
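Review bot: `@{PROC}/1/environ r,` in the second NetworkManager hunk exposes PID 1's entire environment to the daemon, which is a much broader read than the neighbouring `osrelease` and `cmdline` rules, and nothing in the hunk says what needs it. If the trigger is container detection (systemd-style helpers look for `container=` in PID 1's environment), a comment such as `# Container detection: reads container= from PID 1` above the rule would record that and discourage a later widening to `@{PROC}/@{pid}/environ`. The `/ r,` added in the first hunk is harmless directory listing and needs no comment. The enclosing profile block closes inside the second hunk.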
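Review bot: `capability net_admin,` in the first systemd-tmpfiles hunk is an unexplained widening for a tool whose job is creating files, and none of the paths added in the second hunk (`/home/ rw,`, `/etc/{,**} r,`) need it either. A one-line comment naming the tmpfiles.d entry or the denial that prompted it would make the grant reviewable, and if it turns out to be a non-fatal `capable()` probe in the logs, `deny capability net_admin,` keeps the log quiet without granting anything. `/etc/{,**} r,` also covers every file under /etc, including /etc/shadow; if only a few configuration files are actually consulted, listing them is preferable to a whole-tree read, or at least a comment should say why the tree is needed. Both enclosing blocks start and end outside the hunks.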
@@ -27,5 +27,8 @@ profile browserpass @{exec_path} {
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ @{user_share_dirs}/gvfs-metadata/home r,
+ @{user_share_dirs}/gvfs-metadata/home-*.log r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-l/git b/apparmor.d/profiles-a-l/git
index f5204c3e..836bf678 100644
--- a/apparmor.d/profiles-a-l/git
+++ b/apparmor.d/profiles-a-l/git
@@ -25,6 +25,7 @@ profile git @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network netlink raw,
 @{exec_path} mrix,
@@ -114,6 +115,7 @@ profile git @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network netlink raw,
 /{usr/,}bin/ssh mr,
diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd
index 67e2ca91..8afd1367 100644
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
@@ -124,7 +124,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{run}/udisks2/mounted-fs{,.*} rw,
 @{run}/systemd/seats/seat[0-9]* r,
-
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
 profile systemd-escape {
 include
diff --git a/apparmor.d/profiles-m-z/wpa-supplicant b/apparmor.d/profiles-m-z/wpa-supplicant
index 54f72c2f..18228730 100644
--- a/apparmor.d/profiles-m-z/wpa-supplicant
+++ b/apparmor.d/profiles-m-z/wpa-supplicant
@@ -25,9 +25,8 @@ profile wpa-supplicant @{exec_path} {
 # remove this file before starting wpa_supplicant again.
 capability chown,
- # Needed? (#FIXME#)
 capability fsetid,
- audit deny capability sys_module,
+ capability sys_module,
 network packet raw,
 network packet dgram,
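Review bot: `network netlink raw,` is added twice in the git profile (the hunks at lines 25 and 114) with no comment on why a program that only speaks TCP/UDP here needs a raw netlink socket. Presumably this is glibc's address-configuration probe in getaddrinfo(), which opens a NETLINK_ROUTE socket to enumerate interfaces; if so, a comment like `# getaddrinfo() interface enumeration` above each occurrence would stop the rule from reading as an accidental over-grant. Both enclosing blocks start and end outside the hunks.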
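Review bot: The last two changed lines of the wpa-supplicant hunk turn `audit deny capability sys_module,` into `capability sys_module,`, which lets wpa_supplicant load kernel modules — effectively full kernel privilege — where the profile previously refused it on purpose and audited the attempt. The hunk gives no reason for the widening; as far as I recall, the denial usually seen here is a non-fatal `capable(CAP_SYS_MODULE)` probe in the kernel's interface-name lookup (it tries a CAP_NET_ADMIN-gated `netdev-*` alias first), which wpa_supplicant survives without the capability. If that is the case, `deny capability sys_module,` silences the log without granting anything; if a real need was observed, name the operation in a comment above the rule. The same hunk also deletes the `# Needed? (#FIXME#)` remark above `capability fsetid,` without answering it, so that capability is now undocumented as well.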