From 65d0cfafe4552be7a46498bc43560f9e063fc11a Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 28 Apr 2024 13:50:48 +0100 Subject: [PATCH] feat(profile): general update. --- apparmor.d/abstractions/app/chromium | 1 + .../bus/org.freedesktop.RealtimeKit1 | 5 +++ apparmor.d/abstractions/common/app | 1 + apparmor.d/groups/bus/ibus-engine-simple | 6 +-- apparmor.d/groups/bus/ibus-extension-gtk3 | 1 + apparmor.d/groups/bus/ibus-memconf | 5 +++ .../groups/freedesktop/update-mime-database | 10 +++-- .../groups/freedesktop/xdg-permission-store | 1 + apparmor.d/groups/gnome/deja-dup-monitor | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 9 ++-- apparmor.d/groups/gnome/gnome-clocks | 6 +++ apparmor.d/groups/gnome/gnome-control-center | 14 ++++++- .../gnome/gnome-control-center-print-renderer | 3 -- .../groups/gnome/gnome-disk-image-mounter | 1 + apparmor.d/groups/gnome/gnome-initial-setup | 9 +++- .../groups/gnome/gnome-remote-desktop-daemon | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 + apparmor.d/groups/gnome/gnome-shell | 34 ++++++--------- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/goa-daemon | 1 + apparmor.d/groups/gnome/loupe | 3 ++ apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 + apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/groups/gvfs/gvfsd-dav | 6 +-- apparmor.d/groups/gvfs/gvfsd-mtp | 1 + apparmor.d/groups/gvfs/gvfsd-recent | 4 -- apparmor.d/groups/network/NetworkManager | 14 ++----- apparmor.d/groups/systemd/busctl | 5 ++- apparmor.d/groups/systemd/journalctl | 1 + apparmor.d/groups/systemd/zramctl | 23 +++++++++++ .../groups/ubuntu/check-new-release-gtk | 1 + .../groups/ubuntu/livepatch-notification | 1 + .../ubuntu/ubuntu-advantage-notification | 1 + apparmor.d/groups/ubuntu/update-notifier | 5 ++- apparmor.d/groups/virt/cockpit-session | 1 + apparmor.d/groups/virt/libvirtd | 3 +- apparmor.d/groups/virt/virtnodedevd | 2 + apparmor.d/profiles-a-f/borg | 5 +++ 
apparmor.d/profiles-a-f/fail2ban-server | 1 + apparmor.d/profiles-a-f/firewalld | 3 +- apparmor.d/profiles-a-f/fwupd | 1 + .../profiles-g-l/gdk-pixbuf-query-loaders | 2 + apparmor.d/profiles-g-l/hostapd | 2 +- apparmor.d/profiles-g-l/kanyremote | 41 +++++++------------ apparmor.d/profiles-g-l/losetup | 1 + apparmor.d/profiles-m-r/mdevctl | 4 +- apparmor.d/profiles-m-r/pass | 1 + apparmor.d/profiles-m-r/pinentry-gnome3 | 1 + apparmor.d/profiles-s-z/scrcpy | 1 + apparmor.d/profiles-s-z/snap | 17 ++++---- apparmor.d/profiles-s-z/tune2fs | 1 + apparmor.d/profiles-s-z/vlc | 4 +- 54 files changed, 169 insertions(+), 107 deletions(-) create mode 100644 apparmor.d/groups/systemd/zramctl diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 808f520a..4af0396c 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -113,6 +113,7 @@ /var/lib/dbus/machine-id r, /etc/machine-id r, + / r, owner @{HOME}/ r, owner @{HOME}/.pki/ rw, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index cd15e619..a4008970 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -22,4 +22,9 @@ member={MakeThreadRealtime,MakeThreadHighPriority} peer=(name=org.freedesktop.RealtimeKit1), + dbus send bus=system path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.RealtimeKit1 + member=MakeThreadRealtimeWithPID + peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), + include if exists diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index ed2ab952..a1180f97 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -18,6 +18,7 @@ include include include + include include include include 
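Review bot: The new `MakeThreadRealtimeWithPID` rule in the RealtimeKit1 abstraction pins the peer to `label=rtkit-daemon`, while the existing rule just above it for `MakeThreadRealtime`/`MakeThreadHighPriority` matches on bus name only, so the same abstraction now scopes two calls to the same service differently. Because this abstraction is pulled into many profiles, tightening the older rule to `peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),` would keep the two consistent; if the label was left off on purpose, a one-line comment saying so would stop the next edit from "fixing" it. The PID variant also takes a target process, if the method name is to be believed, so a comment naming which consumer needed it would help a later review of the grant.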
diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 98c8c09b..f2a7b96e 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -10,22 +10,20 @@ include profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include + include include signal (receive) set=term peer=ibus-daemon, unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 3b5b134d..58034848 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -12,6 +12,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 9e047b0d..dc7895ba 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -16,6 +16,11 @@ profile ibus-memconf @{exec_path} { signal (receive) set=(term) peer=ibus-daemon, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 9f79b11c..85772f7e 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database 
+++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/update-mime-database -profile update-mime-database @{exec_path} { +profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include include @@ -17,9 +17,13 @@ profile update-mime-database @{exec_path} { @{exec_path} mr, - /usr/share/mime/{,**} rw, + @{system_share_dirs}/mime/{,**} rw, - /dev/tty@{int} rw, + /var/lib/flatpak/app/**.xml r, + + owner @{user_share_dirs}/mime/{,**} rw, + + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, # Inherit silencer diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 3a7223c1..1de8b250 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -31,6 +31,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, + owner @{user_share_dirs}/flatpak/db/devices r, owner @{user_share_dirs}/flatpak/db/notifications rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index e5b48169..ce3da9bf 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -20,7 +20,7 @@ profile deja-dup-monitor @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup interface=org.gtk.Actions + #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index c5a0dded..27936849 100644 
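Review bot: The rewrite widens the write grant: `/usr/share/mime/{,**} rw` becomes `@{system_share_dirs}/mime/{,**} rw`, and if that variable expands to more than one share root, as its name suggests, every one of them becomes writable by this profile rather than just `/usr/share`. The `flags=(attach_disconnected)` addition on the profile line and the very broad `/var/lib/flatpak/app/**.xml r` rule also arrive without a hint of which denial prompted them. A short comment above the flatpak rule naming the path pattern that was observed, and one naming the disconnected path that needed the flag, would let a later reviewer check whether they are still required.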
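Review bot: The `#aa:dbus talk` directive here drops its `interface=org.gtk.Actions` qualifier, and the gnome-terminal-server hunk drops the same qualifier from its `own` directive, while the nautilus hunk moves the other way and adds `interface=org.gtk.{Application,Actions}` to its `own` directive. Whatever the directive expands to, the interface-qualified form is the tighter one, so the three changes pull the tree in opposite directions. If the qualifier was removed because deja-dup also exposes other interfaces on that name, a comment naming them would make the wider grant deliberate rather than accidental.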
--- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -12,7 +12,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { include include include - include include capability audit_write, @@ -46,16 +45,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system, + #aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User - member=SetLanguage - peer=(name=:*, label=accounts-daemon), - @{exec_path} mrix, @{bin}/gnome-keyring-daemon rPx, @@ -99,6 +95,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/keyring/control rw, @{run}/gdm{3,}/custom.conf r, + @{run}/gdm{3,}/dbus/dbus-@{rand8} r, owner @{run}/gdm{3,}/dbus/ w, owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index e06a2dc3..8e3d5793 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,7 +10,13 @@ include profile gnome-clocks @{exec_path} { include include + include + include + include include + include + + #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 5deab3e7..6897a11d 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
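Review bot: The removed rule granted exactly one method, `SetLanguage` on `/org/freedesktop/Accounts/User@{uid}`, and its replacement `#aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon` presumably expands to send and receive for every member of that interface, so gdm-session-worker gains the other setters of the user object on accounts-daemon. gdm-session-worker runs as root and handles the login conversation, so keeping its reach over the accounts service minimal matters; if the directive cannot carry a member list, the explicit rule is the better choice. The same member-level-to-interface-level widening happens in the gnome-shell hunk (four scoped login1 rules folded into a talk directive) and in the NetworkManager hunk (`member=Action` on nm_dispatcher and `member={SetLink*,ResolveHostname}` on resolve1 replaced by talk directives).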
@@ -14,12 +14,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include include include include + include include network inet dgram, @@ -33,10 +36,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - dbus bus=accessibility, dbus bus=session, dbus bus=system, + #aa:dbus own bus=session name=org.gnome.Settings + + #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell + + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 09f49d42..0487cc76 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -21,9 +21,6 @@ profile gnome-control-center-print-renderer @{exec_path} { /usr/share/pixmaps/{,**} r, - /var/lib/flatpak/exports/share/icons/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 044a780c..c30712f9 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -10,6 +10,7 @@ include profile gnome-disk-image-mounter @{exec_path} { include include + include include @{exec_path} mr, 
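Review bot: The nine `#aa:dbus own`/`talk` directives added in the second hunk sit directly under `dbus bus=session,` and `dbus bus=system,`, which the hunk keeps as context, and those two rules already allow any message on either bus. Until the blanket rules go, the directives change nothing at enforcement time and give a reader the false impression that the profile's bus access is scoped to the listed names. Either drop `dbus bus=session,` / `dbus bus=system,` in the same change, after checking that the generated rules cover what the control center actually does, or mark the directives with a comment like `# scoping only: the blanket dbus rules above still apply` so the intent is visible.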
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 010f60cf..0e4c9a38 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -50,10 +50,15 @@ profile gnome-initial-setup @{exec_path} { /etc/security/pwquality.conf.d/{,**} r, /etc/timezone r, + /etc/gdm{,3}/custom.conf r, + + /var/log/installer/telemetry r, #aa:only ubuntu + owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{user_cache_dirs}/ubuntu-report/ w, - owner @{user_cache_dirs}/ubuntu-report/pending w, + #aa:only ubuntu + owner @{user_cache_dirs}/ubuntu-report/ rw, + owner @{user_cache_dirs}/ubuntu-report/* rw, owner @{user_config_dirs}/gnome-initial-setup-done w, owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 9555d914..051f0afd 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -10,6 +10,7 @@ include profile gnome-remote-desktop-daemon @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index df7560ec..59662566 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -111,6 +111,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open { include + include @{lib}/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a33062f5..8c69b6ac 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -89,6 +89,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding @@ -111,23 +112,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member={RegisterWithCapabilities,Unregister} peer=(name=:*, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Can* - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1/user/* - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} 
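Review bot: The four removed login1 rules were on `/org/freedesktop/login1/seat/seat@{int}`, `/org/freedesktop/login1/user/*` and `/org/freedesktop/login1`, three of them on the `org.freedesktop.DBus.Properties` interface (`GetAll`, `PropertiesChanged`), but the replacement `#aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind` names the Manager interface where the directive's other uses in this hunk take a bus name (`org.freedesktop.ColorManager`, `org.gnome.DisplayManager`). If the directive derives the object path and interface from `name=`, the generated rules would likely cover `/org/freedesktop/login1/Manager…` and `org.freedesktop.login1.Manager*` and match neither the seat/user property reads nor the `PropertiesChanged` signals that were just deleted; `name=org.freedesktop.login1` may be what was meant, and the generated output is worth checking against the removed rules. Separately, `member=Can*` was a read-only capability query, and the talk directive presumably grants every Manager method to gnome-shell, which deserves a comment if intended.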
@@ -333,16 +317,23 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/input/ r, @{sys}/class/net/ r, @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/net/*/statistics/collisions r, + @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, + @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, + @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r, + @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r, + @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r, @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/**/power_supply/{,**} r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/input@{int}/{properties,name} r, - @{sys}/devices/@{pci}/net/*/statistics/{rx_bytes,tx_bytes} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, - @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r, + @{sys}/devices/virtual/net/*/statistics/collisions r, + @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, + @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -360,6 +351,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, + @{PROC}/vmstat r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index dd69b647..362d1171 100644 
--- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -93,6 +93,7 @@ profile gnome-software @{exec_path} { owner @{run}/user/@{uid}/.dbus-proxy/ rw, owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/.dbus-proxy/system-bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/{,**} rwl, owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index cc93faea..67d9d7c8 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} { ptrace (read) peer=htop, ptrace (read) peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index bab6f212..7bc843e5 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,6 +12,7 @@ profile goa-daemon @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index e41f2e79..5975fb27 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -28,6 +28,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { / r, + @{run}/mount/utab r, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, 
@@ -35,6 +37,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index f0064865..0e9ace3b 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { # mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus + #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index fc8fba90..d78217b3 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -47,7 +47,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, + /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, + /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 98f35ea3..1b2ceb57 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -20,7 +20,7 @@ profile scdaemon @{exec_path} { @{exec_path} mr, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}/reader_0.status rw, + owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw, 
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 4e82b0aa..a39c23a4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -11,9 +11,10 @@ include profile gvfsd-dav @{exec_path} { include include + include include - include include + include include include @@ -25,9 +26,6 @@ profile gvfsd-dav @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/mime/mime.cache r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 95b036c0..2a1162de 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,6 +11,7 @@ include profile gvfsd-mtp @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 5628df1c..276dd802 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -31,16 +31,12 @@ profile gvfsd-recent @{exec_path} { @{exec_path} mr, - /usr/share/mime/mime.cache r, - # Full access to user's data owner @{HOME}/{,**} rw, owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{user_share_dirs}/recently-used.xbel r, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 271805b7..038105d8 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -16,7 +16,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include include include 
@@ -44,6 +43,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher + #aa:dbus talk bus=system name=org.freedesktop.resolve1.Manager label=systemd-resolved + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects @@ -69,16 +71,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member=InterfacesAdded peer=(name=org.freedesktop.DBus, label=nm-online), - dbus send bus=system path=/org/freedesktop/nm_dispatcher - interface=org.freedesktop.nm_dispatcher - member=Action - peer=(name=org.freedesktop.nm_dispatcher), - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name=org.freedesktop.resolve1, label=systemd-resolved), - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 2ee18a27..18a2c634 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,11 +9,13 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} { include + include include include + include + include include include - include capability net_admin, capability sys_ptrace, @@ -24,6 +26,7 @@ profile busctl @{exec_path} { signal (send) set=(cont) peer=child-pager, + dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, dbus eavesdrop bus=system, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 490293a9..e8659803 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl 
@@ -38,6 +38,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
 /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{hex32}/ r,
 /{run,var}/log/journal/@{hex32}/system.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw,
 /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal* rw,
 /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
 /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw,
diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/systemd/zramctl
new file mode 100644
index 00000000..717987e3
--- /dev/null
+++ b/apparmor.d/groups/systemd/zramctl
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/zramctl
+profile zramctl @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sys}/devices/virtual/block/zram@{int}/ r,
+ @{sys}/devices/virtual/block/zram@{int}/disksize r,
+
+ /dev/ r,
+ /dev/zram@{int} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index 745ef81d..a8364160 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -13,6 +13,7 @@ profile check-new-release-gtk @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification
index ab36ad95..06189146 100644
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@@ -12,6 +12,7 @@ profile livepatch-notification @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
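Review bot: The new zramctl profile grants only `r` on `@{sys}/devices/virtual/block/zram@{int}/disksize`, yet zramctl is the tool that configures a zram device, and setting a size means writing that sysfs attribute, so only the status/listing path appears to be covered. If that is intentional, a comment like `# listing only; resizing needs w on the sysfs attributes` on the rule would say so; otherwise the size-setting path will be denied while `/dev/zram@{int} rw` is already granted. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other profiles in the tree, so add one before merging.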
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 94600068..5c12fc65 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -12,6 +12,7 @@ profile ubuntu-advantage-notification @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 229fc6e0..54b347b3 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -9,13 +9,14 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include - include include include include include include + include include + include include include include @@ -32,7 +33,7 @@ profile update-notifier @{exec_path} { dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu} interface=org.freedesktop.DBus.Properties - member=GetAll + member=={Get,GetAll} peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu interface=com.canonical.dbusmenu diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index db0aee66..c2dd0f85 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -31,6 +31,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{etc_ro}/security/limits.d/{,*.conf} r, /etc/cockpit/disallowed-users r, /etc/group r, + /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, /etc/shells r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index c4917e65..2a75035e 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
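Review bot: `member=={Get,GetAll}` in the update-notifier livepatch `NotificationItem` receive rule has a doubled `=`; the conditional is `member=` followed by the value, so the line should read `member={Get,GetAll}`. As written the parser will most likely either reject the profile or treat `={Get,GetAll}` as the member name, in which case neither `Get` nor `GetAll` from gnome-shell matches and the rule silently does nothing. The first hunk of that file only reshuffles includes.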
@@ -66,10 +66,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { mount options=(rw, move) @{run}/libvirt/qemu/*.dev/ -> /dev/, mount options=(rw, move) @{run}/libvirt/qemu/*{,/} -> /dev/**, - ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=libvirt-@{uuid}, + ptrace (read,trace) peer=libvirt-dbus, + ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=virt-manager, signal (read,send) peer=libvirt-@{uuid}, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 6291f5c8..da331675 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -61,9 +61,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index d4462805..5d6e4301 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -70,6 +70,7 @@ profile borg @{exec_path} { owner /tmp/tmp*/ rw, owner /tmp/tmp*/file rw, owner /tmp/tmp*/idx rw, + owner /var/lib/libuuid/clock.txt w, owner /var/tmp/* rw, owner /var/tmp/tmp*/ rw, owner /var/tmp/tmp*/file rw, 
@@ -97,10 +98,14 @@ profile borg @{exec_path} { profile fusermount { include + include include capability sys_admin, + mount fstype=fuse borgfs -> @{MOUNTS}/, + mount fstype=fuse borgfs -> @{MOUNTS}/*/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index e7b81e84..f023a04b 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -31,6 +31,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { /var/lib/fail2ban/fail2ban.sqlite3 rwk, /var/log/auth.log r, /var/log/fail2ban.log w, + /var/log/journal/@{hex32}/system.journal r, @{run}/fail2ban/fail2ban.pid rw, @{run}/fail2ban/fail2ban.sock rw, diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index 3c53688a..4e40ab10 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -59,8 +59,7 @@ profile firewalld @{exec_path} { /usr/share/libalternatives/ebtables*/{,*} r, /usr/share/libalternatives/ip{,4,6}tables*/{,*} r, - /etc/firewalld/{,**} r, - /etc/firewalld/zones/{,**} rw, + /etc/firewalld/{,**} rw, /etc/iproute2/group r, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index ee7dce12..57e00650 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -62,6 +62,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /etc/pki/fwupd/{,**} r, /var/cache/fwupd/{,**} rw, + /var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/fwupd/{,**} rw, /var/lib/fwupd/pending.db rwk, /var/tmp/etilqs_@{hex} rw, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index c02fdfb4..ad4a8d4c 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders 
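Review bot: Collapsing `/etc/firewalld/{,**} r` plus `/etc/firewalld/zones/{,**} rw` into `/etc/firewalld/{,**} rw` makes every file under `/etc/firewalld` writable by the daemon, including `firewalld.conf` and the other subdirectories, where before only `zones/` could be modified. firewalld does persist runtime changes into some of those directories, so the widening may be what was needed, but the commit does not say which path was denied. Listing the written subdirectories explicitly next to the read rule, or at least a comment naming the trigger, would keep the write surface of this root-running daemon visible.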
@@ -11,6 +11,8 @@ profile gdk-pixbuf-query-loaders @{exec_path} { include include + capability dac_read_search, + network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-g-l/hostapd b/apparmor.d/profiles-g-l/hostapd index 3e92b0a4..a57a22a7 100644 --- a/apparmor.d/profiles-g-l/hostapd +++ b/apparmor.d/profiles-g-l/hostapd @@ -5,7 +5,7 @@ abi , include -@{exec_path} = /{,usr/}{,s}bin/hostapd +@{exec_path} = @{bin}/hostapd profile hostapd @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 882f504b..cf6503be 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -11,19 +11,14 @@ include profile kanyremote @{exec_path} { include include - include - include - include - include - include + include include - include + include + include include - include - include - include include include + include network inet stream, network inet6 stream, @@ -52,33 +47,26 @@ profile kanyremote @{exec_path} { @{bin}/pactl rPUx, # Players - @{bin}/smplayer rPUx, @{bin}/amarok rPUx, - @{bin}/vlc rPUx, @{bin}/mpv rPUx, + @{bin}/smplayer rPUx, @{bin}/strawberry rPUx, - - owner @{HOME}/ r, - owner @{HOME}/.anyRemote/{,*} rw, + @{bin}/vlc rPUx, /usr/share/anyremote/{,**} r, - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - - /dev/shm/#@{int} rw, - - /usr/share/hwdata/pnp.ids r, - /var/lib/dbus/machine-id r, /etc/machine-id r, - # Doc dirs - deny /usr/local/share/ r, - deny /usr/share/ r, - deny /usr/share/doc/ r, - /usr/share/doc/anyremote{,-data}/ r, + owner @{HOME}/ r, + owner @{HOME}/.anyRemote/{,**} rw, + owner @{user_config_dirs}/anyRemote/{,**} rw, + + owner /dev/shm/#@{int} rw, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, profile killall { include @@ -97,6 +85,7 @@ profile kanyremote @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/stat r, + include if exists } profile pgrep { 
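Review bot: `capability dac_read_search,` is a blanket bypass of DAC read and search checks, a lot to hand a helper whose job is to enumerate loader modules and write loaders.cache, and the hunk gives no hint which access triggered it. If it comes from a package trigger running with an unreadable working directory or similar, a targeted path rule is the narrower fix; if the capability really is needed, annotate it so the next reviewer does not have to rediscover why, e.g. `capability dac_read_search, # <state the observed denial here>`. The profile header and its rule list continue outside the hunk.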
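Review bot: the second kanyremote hunk flips `deny @{PROC}/sys/kernel/random/boot_id r` and `deny owner @{PROC}/@{pid}/cmdline r` into allows and drops the `deny /usr/share/ r`, `deny /usr/share/doc/ r` and `deny /usr/local/share/ r` lines, but neither the hunk nor the "general update" subject says what changed in the program to justify it. Allowing boot_id is in line with what GLib/D-Bus clients get elsewhere, so the allows look fine; the removed `deny` lines, however, grant nothing and only stop silencing directory listings that will now reappear in the audit log unless an included abstraction covers them, so either keep them or note in a comment that the abstraction set now handles those paths. The remainder of the kanyremote profile lies outside this hunk.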
diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/profiles-g-l/losetup
index 17c36b0b..8c62398e 100644
--- a/apparmor.d/profiles-g-l/losetup
+++ b/apparmor.d/profiles-g-l/losetup
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/losetup
 profile losetup @{exec_path} {
   include
+  include
   capability dac_override,
   capability dac_read_search,
diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl
index 8c7daaa5..4f1c54ac 100644
--- a/apparmor.d/profiles-m-r/mdevctl
+++ b/apparmor.d/profiles-m-r/mdevctl
@@ -14,11 +14,11 @@ profile mdevctl @{exec_path} {
   /etc/mdevctl.d/{,**} r,
-  @{PROC}/@{pids}/maps r,
-
   @{sys}/bus/mdev/devices/ r,
   @{sys}/class/mdev_bus/ r,
   @{sys}/devices/@{pci}/mdev_supported_types/{,**} r,
+  @{PROC}/@{pids}/maps r,
+
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index a774b453..4e19b6ad 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -125,6 +125,7 @@ profile pass @{exec_path} {
   owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
   owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+  owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,
   include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3
index 81e4dd32..5da9358b 100644
--- a/apparmor.d/profiles-m-r/pinentry-gnome3
+++ b/apparmor.d/profiles-m-r/pinentry-gnome3
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/pinentry-gnome3
 profile pinentry-gnome3 @{exec_path} {
   include
+  include
   signal (receive) set=(int) peer=gpg-agent,
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index 6e06e6b1..711cd73a 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -10,6 +10,7 @@ include
 profile scrcpy @{exec_path} {
   include
   include
+  include
   include
   include
   include
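Review bot: `owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,` pins the file suffix with `@{rand6}` but leaves the temp directory suffix as a bare `*`; pass creates that directory with a fixed-width `mktemp -d .../pass.XXXXXXXXXXXXX` template, so if the project's tunables define a matching random-suffix variable it should be used here for the same tightness (I cannot see the tunables from this hunk). The new line also lost the `# For git log --show-signature` annotation that the `/tmp/` variant above it carries; copy it so both rules are traceable to the same feature.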
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index c16d75d3..6eb60c47 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -83,15 +83,16 @@ profile snap @{exec_path} {
   @{run}/snapd.socket rw,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{sys}/kernel/security/apparmor/features/ r,
+  @{sys}/kernel/security/apparmor/features/{,**} r,
-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/@{pids}/mountinfo r,
-  @{PROC}/cgroups r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/random/uuid r,
-  @{PROC}/sys/kernel/seccomp/actions_avail r,
-  @{PROC}/version r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/mountinfo r,
+  @{PROC}/cgroups r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/random/uuid r,
+  @{PROC}/sys/kernel/seccomp/actions_avail r,
+  @{PROC}/version r,
+  owner @{PROC}/@{pid}/mounts r,
   /dev/tty@{int} rw,
   /dev/ttyS@{int} rw,
diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs
index 4e23fd8e..192fff84 100644
--- a/apparmor.d/profiles-s-z/tune2fs
+++ b/apparmor.d/profiles-s-z/tune2fs
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/{tune2fs,e2label}
 profile tune2fs @{exec_path} {
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index 4cef1f2e..a457d6c8 100644
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -26,7 +26,7 @@ profile vlc @{exec_path} {
   include
   include
   include
-  include
+  include
   include
   include
@@ -71,6 +71,8 @@ profile vlc @{exec_path} {
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  @{run}/mount/utab r,
+
   /dev/shm/#@{int} rw,
   /dev/snd/ r,
   /dev/tty r,
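Review bot: the seven `@{PROC}/...` lines in the snap hunk are removed and re-added with text that is identical at the character level shown here, which suggests a whitespace-only re-indent bundled with two functional changes (`features/{,**} r` and `owner @{PROC}/@{pid}/mounts r`); keeping such reindents in a separate commit keeps `git blame` on these rules useful. If the re-indent is what the project's formatter produces, a short note in the commit message saying so would stop reviewers from looking for a semantic difference. The snap profile continues outside the hunk.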