From 683bfed4addde2a13ba52a3d9e089b4411f2f1df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 4 May 2024 00:14:07 +0100 Subject: [PATCH] feat(profile): modernise some profiles. --- apparmor.d/groups/apps/calibre | 10 +-- apparmor.d/groups/apps/flameshot | 65 +++------------ apparmor.d/groups/apps/telegram-desktop | 97 ++++------------------ apparmor.d/profiles-a-f/birdtray | 73 +++++------------ apparmor.d/profiles-g-l/keepassxc | 2 - apparmor.d/profiles-m-r/megasync | 85 +++++-------------- apparmor.d/profiles-m-r/minitube | 99 +++++++---------------- apparmor.d/profiles-m-r/psi | 66 +++------------ apparmor.d/profiles-m-r/psi-plus | 65 +++------------ apparmor.d/profiles-m-r/qbittorrent-nox | 56 ++++++------- apparmor.d/profiles-m-r/qnapi | 51 +++--------- apparmor.d/profiles-m-r/qpdfview | 18 ++--- apparmor.d/profiles-m-r/qt5ct | 27 ++----- apparmor.d/profiles-s-z/scrot | 11 +-- apparmor.d/profiles-s-z/strawberry | 103 +++++++----------------- 15 files changed, 197 insertions(+), 631 deletions(-) diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index fe3867af..f252e634 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -20,17 +20,12 @@ profile calibre @{exec_path} { include include include + include include include - include - include - include - include + include include - include - include include - include include include include @@ -66,7 +61,6 @@ profile calibre @{exec_path} { @{bin}/xdg-mime rPx, /usr/share/calibre/{,**} r, - /usr/share/hwdata/pnp.ids r, /etc/fstab r, /etc/inputrc r, diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index d4d16144..4e7971cd 100644 --- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot 
@@ -10,20 +10,15 @@ include @{exec_path} = @{bin}/flameshot profile flameshot @{exec_path} { include - include - include - include + include include - include - include - include - include + include + include include include + include include include - include - include network inet dgram, network inet6 dgram, @@ -36,58 +31,24 @@ profile flameshot @{exec_path} { @{bin}/whoami rix, - @{bin}/xdg-open rCx -> open, - - # Flameshot home files - owner @{user_config_dirs}/flameshot/ rw, - owner @{user_config_dirs}/flameshot/flameshot.ini rw, - owner @{user_config_dirs}/flameshot/#@{int} rw, - owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#@{int}, - owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk, + @{open_path} rPx -> child-open-help, /var/lib/dbus/machine-id r, /etc/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/flameshot/ rw, + owner @{user_config_dirs}/flameshot/** rwlk -> @{user_config_dirs}/flameshot/**, owner @{tmp}/.*/{,s} rw, owner @{tmp}/*= rw, owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw, + owner /dev/shm/#@{int} rw, - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /dev/shm/#@{int} rw, - - # file_inherit - owner /dev/tty@{int} rw, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 6b9fbdf7..add8fa0d 100644 
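Review bot: The two `deny` rules for `@{PROC}/sys/kernel/random/boot_id` and `owner @{PROC}/@{pid}/cmdline` become plain allow rules in this hunk, which widens the profile (the process can now read the per-boot identifier) rather than modernising it; the same flip is made in telegram-desktop, birdtray, megasync, minitube, psi, psi-plus, qbittorrent-nox, qnapi, qpdfview and strawberry. A `deny` rule also keeps the refused access out of the audit log, so the old form reads as deliberate noise suppression rather than a gap. If the widening is intended project-wide (Qt appears to probe both at startup, as far as I can tell), the commit message should say so; otherwise keep `deny @{PROC}/sys/kernel/random/boot_id r,` and `deny owner @{PROC}/@{pid}/cmdline r,`.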
--- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -7,28 +7,19 @@ abi , include -@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram - @{exec_path} = @{bin}/telegram-desktop profile telegram-desktop @{exec_path} { include - include - include - include - include - include - include - include include - include - include + include + include + include + include + include include include include - include - include - include - include + include network inet dgram, network inet6 dgram, 
@@ -41,80 +32,26 @@ profile telegram-desktop @{exec_path} { @{sh_path} rix, - # Launch external apps - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, - # What's this for? - deny @{bin}/fc-list rx, - - # Telegram files /usr/share/TelegramDesktop/{,**} r, - # Download dir - owner @{TELEGRAM_WORK_DIR}/ rw, - owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int}, - - # Telegram's profile (via telegram -many -workdir ~/some/dir/) - #owner @{TELEGRAM_WORK_DIR}/{,**} rw, - - # Autostart - owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - - owner @{tmp}/@{hex}-* rwk, - owner @{run}/user/@{uid}/@{hex}-* rwk, - - /dev/shm/#@{int} rw, - - owner @{PROC}/@{pid}/fd/ r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - - /etc/fstab r, - /var/lib/dbus/machine-id r, /etc/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - # Allowed apps to open - @{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/viewnior rPUx, - @{bin}/qpdfview rPx, - @{bin}/geany rPx, + owner @{tmp}/@{hex}-* rwk, + owner @{run}/user/@{uid}/@{hex}-* rwk, + owner /dev/shm/#@{int} rw, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{TELEGRAM_WORK_DIR}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/qpdfview rPx, - @{bin}/viewnior rPUx, - @{bin}/geany rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } 
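Review bot: The download location loses all of its access: `owner @{TELEGRAM_WORK_DIR}/ rw,` and the `**` rule under it are removed, the variable itself is dropped in the previous hunk, and nothing in this hunk grants a replacement, so saving media will be denied unless one of the includes added above covers it (the include targets are not visible in this rendering). Please confirm which abstraction now provides the download directory and, if none does, add an explicit rule for it. Separately, dropping `deny @{bin}/fc-list rx,` means that probe is now logged as a denial instead of being silently refused; if the old "What's this for?" question was never answered, a quiet deny is the safer default to keep.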
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 9104e400..972ee380 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -10,16 +10,11 @@ include @{exec_path} = @{bin}/birdtray profile birdtray @{exec_path} { include - include - include - include + include include - include - include - include - include - include + include include + include include network inet dgram, @@ -28,20 +23,13 @@ profile birdtray @{exec_path} { @{exec_path} mr, - # To be able to start Thunderbird - @{bin}/thunderbird rPx, - - @{bin}/xdg-open rCx -> open, + @{bin}/thunderbird rPx, + @{open_path} rPx -> child-open, /usr/share/ulduzsoft/birdtray/{,**} r, - owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, - - owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, - - owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w, + /var/lib/dbus/machine-id r, + /etc/machine-id r, # Thunderbird mail dirs owner @{HOME}/ r, 
@@ -51,47 +39,22 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/ r, owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/ulduzsoft/ rw, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + + owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, + + owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w, /dev/shm/#@{int} rw, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index ad6fe04a..aeb155df 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -42,8 +42,6 @@ profile keepassxc @{exec_path} { /usr/share/keepassxc/{,**} r, /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, owner @{HOME}/ r, owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 35754db8..8f30c0c8 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync 
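Review bot: `owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,` still carries a hard-coded home directory on the new side, so the link permission only ever matches one user's account and every other user gets a denial when birdtray renames its config file. The target should use the same variable as the source: `owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,`. Since the commit already moves this line, this is the natural moment to fix it.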
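Review bot: `/etc/machine-id r,` and `/var/lib/dbus/machine-id r,` are removed from keepassxc, while the same commit keeps (and merely reorders) exactly these two rules in birdtray, flameshot, megasync, minitube, qbittorrent-nox and qt5ct, so either an abstraction now supplies them and the explicit copies elsewhere are redundant, or keepassxc loses a read the other profiles still consider necessary. Worth reconciling in one direction; if an include covers it, naming that include in the commit message would make the intent clear.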
@@ -11,19 +11,14 @@ include profile megasync @{exec_path} { include include - include - include - include - include + include include - include - include + include include - include include include - include include + include network inet dgram, network inet6 dgram, 
@@ -40,71 +35,29 @@ profile megasync @{exec_path} { @{bin}/xrdb rPx, @{bin}/xdg-mime rPx, - @{bin}/xdg-open rCx -> open, - - # Megasync home files - owner @{HOME}/ r, - owner "@{user_share_dirs}/data/Mega Limited/" rw, - owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}", - - owner @{user_config_dirs}/QtProject.conf r, - - # Sync folder - owner @{user_sync_dirs}/ r, - owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, - - # Proc filesystem - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - /etc/fstab r, - - # Autostart - owner @{user_config_dirs}/autostart/#@{int} rw, - owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int}, - - /dev/shm/#@{int} rw, + @{open_path} rPx -> child-open, /etc/machine-id r, /var/lib/dbus/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner @{HOME}/ r, - # Allowed apps to open - @{lib}/firefox/firefox rPx, - @{bin}/spacefm rPx, + owner @{user_config_dirs}/autostart/#@{int} rw, + owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int}, - # file_inherit + owner "@{user_share_dirs}/data/Mega Limited/" rw, + owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}", + + owner @{user_sync_dirs}/ r, + owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - 
@{lib}/firefox/firefox rPx, - @{bin}/spacefm rPx, - - # file_inherit - owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw, - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 62fd0ab9..e8e07ef4 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -10,18 +10,14 @@ include @{exec_path} = @{bin}/minitube profile minitube @{exec_path} { include - include - include - include - include - include - include - include include + include + include + include + include include - include - include include + include include include @@ -34,18 +30,33 @@ profile minitube @{exec_path} { @{exec_path} mr, - # Minitube home files + # Be able to turn off the screensaver while playing movies + @{bin}/xdg-screensaver rCx -> xdg-screensaver, + + @{open_path} rPx -> child-open, + + /usr/share/minitube/{,**} r, + + /etc/vdpau_wrapper.cfg r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/vlcsnap-.png rw, + + owner "@{user_cache_dirs}/Flavio Tordini/" rw, + owner "@{user_cache_dirs}/Flavio Tordini/Minitube/" rw, + owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**", + owner "@{user_config_dirs}/Flavio Tordini/" rw, owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#@{int}", owner "@{user_share_dirs}/Flavio Tordini/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk, - # Snapshot owner @{user_pictures_dirs}/*.png rw, - owner @{HOME}/vlcsnap-.png rw, - /usr/share/minitube/{,**} r, + owner @{tmp}/qtsingleapp-minitu-* rw, + owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, 
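Review bot: `/dev/shm/#@{int} rw,` is kept without `owner` in megasync, whereas flameshot, telegram-desktop, qnapi and strawberry in this same commit switch to `owner /dev/shm/#@{int} rw,`; birdtray, minitube, psi, psi-plus, qbittorrent-nox, qt5ct and scrot keep the unowned form as well. These `#@{int}` entries are normally the process's own anonymous files, so the owned form should be sufficient and is tighter. Suggest `owner /dev/shm/#@{int} rw,` here and in the other profiles for consistency.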
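Review bot: `owner @{HOME}/vlcsnap-.png rw,` matches only a file literally named `vlcsnap-.png`, which looks like a wildcard lost from the pattern; the rule is moved here unchanged, and the neighbouring `owner @{user_pictures_dirs}/*.png rw,` suggests a glob was intended. If snapshot names carry a timestamp, this should read `owner @{HOME}/vlcsnap-*.png rw,`. Please check against an actual snapshot filename before changing it.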
@@ -53,65 +64,13 @@ profile minitube @{exec_path} { # owner @{tmp}/#@{int} mrw, # owner @{tmp}/.glvnd* mrw, - # Cache - owner @{user_cache_dirs}/ rw, - owner "@{user_cache_dirs}/Flavio Tordini/" rw, - owner "@{user_cache_dirs}/Flavio Tordini/Minitube/" rw, - owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**", + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, - deny /dev/ r, - /dev/shm/#@{int} rw, - - /etc/vdpau_wrapper.cfg r, - - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/core_pattern r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - # TMP - owner @{tmp}/qtsingleapp-minitu-* rw, - owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk, - - @{bin}/xdg-open rCx -> open, - - # Be able to turn off the screensaver while playing movies - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - profile xdg-screensaver { include include @@ -133,6 +92,8 @@ profile minitube @{exec_path} { /dev/dri/card@{int} rw, network inet stream, network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 745f1f39..84ae5b1b 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi 
@@ -11,21 +11,16 @@ include profile psi @{exec_path} { include include - include + include include include - include - include - include - include + include include - include include include include include include - include network inet dgram, network inet6 dgram, @@ -38,12 +33,11 @@ profile psi @{exec_path} { @{exec_path} mr, @{bin}/aplay rCx -> aplay, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, - /usr/share/hwdata/pnp.ids r, /usr/share/psi/{,**} r, /etc/debian_version r, @@ -51,8 +45,6 @@ profile psi @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner /var/tmp/etilqs_@{hex} rw, - owner @{HOME}/ r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, @@ -64,18 +56,17 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /dev/shm/#@{int} rw, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, profile aplay { 
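Review bot: `owner /var/tmp/etilqs_@{hex} rw,` is replaced by `owner @{tmp}/etilqs_@{hex} rw,`, but SQLite picks its temp directory by trying SQLITE_TMPDIR, TMPDIR, /var/tmp, /usr/tmp and /tmp in that order, so on a host where /var/tmp is writable the file still lands in /var/tmp and the new rule never matches. The same substitution is made in psi-plus and strawberry. Keeping `owner /var/tmp/etilqs_@{hex} rw,` alongside the new line avoids a regression until it is confirmed which directory the confined process actually uses.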
@@ -95,42 +86,7 @@ profile psi @{exec_path} { # file_inherit /dev/dri/card@{int} rw, - } - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/.gnupg/ rw, - owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, - - # file_inherit - /dev/dri/card@{int} rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 2b619815..e1f78a45 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -11,21 +11,16 @@ include profile psi-plus @{exec_path} { include include - include + include include include - include - include - include - include + include include - include include include include include include - include network inet dgram, network inet6 dgram, @@ -38,12 +33,11 @@ profile psi-plus @{exec_path} { @{exec_path} mr, @{bin}/aplay rCx -> aplay, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, - /usr/share/hwdata/pnp.ids r, /usr/share/psi-plus/{,**} r, /etc/debian_version r, 
@@ -62,19 +56,17 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - owner /var/tmp/etilqs_@{hex} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /dev/shm/#@{int} rw, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, profile aplay { @@ -94,42 +86,7 @@ profile psi-plus @{exec_path} { # file_inherit /dev/dri/card@{int} rw, - } - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - # file_inherit - /dev/dri/card@{int} rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 463715e1..b6e292a0 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/qbittorrent-nox profile qbittorrent-nox @{exec_path} { include + include include include 
@@ -22,48 +23,37 @@ profile qbittorrent-nox @{exec_path} { @{exec_path} mr, - # Qbittorrent home dirs - owner @{user_config_dirs}/qBittorrent/ rw, - owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, - owner @{user_share_dirs}/qBittorrent/ rw, - owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int}, - # Old dir, not recommended to use: - deny owner @{user_share_dirs}/data/qBittorrent/ rw, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, - # Cache dir owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, + owner @{user_config_dirs}/qBittorrent/ rw, + owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, + owner @{user_share_dirs}/qBittorrent/ rw, + owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int}, - /dev/disk/by-label/ r, - - /dev/shm/#@{int} rw, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/mime/mime.cache r, - /usr/share/mime/types r, - owner @{user_share_dirs}/mime/mime.cache r, - owner @{user_share_dirs}/mime/types r, - - # TMP - owner @{tmp}/qtsingleapp-qBitto-* rw, - owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + owner @{tmp}/.*/{,s} rw, owner @{tmp}/.qBittorrent/ rw, owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, - owner @{tmp}/mozilla_*/*.torrent rw, owner @{tmp}/*.torrent rw, - owner @{tmp}/.*/{,s} rw, + owner @{tmp}/mozilla_*/*.torrent rw, + owner @{tmp}/qtsingleapp-qBitto-* rw, + owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, + owner 
@{PROC}/@{pid}/mounts r, + + /dev/disk/by-label/ r, + /dev/shm/#@{int} rw, + + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists } diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 61d6276b..712750a3 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -10,18 +10,13 @@ include @{exec_path} = @{bin}/qnapi profile qnapi @{exec_path} { include - include + include include - include - include - include - include + include include - include include include include - include network inet dgram, network inet6 dgram, @@ -39,12 +34,10 @@ profile qnapi @{exec_path} { @{bin}/7z rix, @{lib}/p7zip/7z rix, - @{bin}/ffprobe rPx, - @{bin}/xdg-open rCx -> open, + @{bin}/ffprobe rPx, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPx, - /usr/share/hwdata/pnp.ids r, - /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -60,8 +53,6 @@ profile qnapi @{exec_path} { owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{int}, - owner @{user_cache_dirs}/ rw, - /tmp/ r, owner @{tmp}/@{hex}.* rw, owner @{tmp}/** rw, 
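Review bot: `owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int},` allows links from the current data directory into the legacy `data/qBittorrent/` tree, the very directory the last line of the hunk denies, while the config rule just above links into its own `#@{int}` files. The target looks like a leftover from the old layout; if temporary files are created next to the data files, `owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/qBittorrent/**/#@{int},` would match how the config rule is written. Worth confirming against a denial log before the old-dir deny is relied on.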
@@ -73,37 +64,13 @@ profile qnapi @{exec_path} { owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int}, owner @{tmp}/QNapi.@{int} rw, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner /dev/shm/#@{int} rw, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner /dev/tty@{int} rw, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index fca31ff6..2ced9351 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -10,19 +10,14 @@ include @{exec_path} = @{bin}/qpdfview profile qpdfview @{exec_path} { include - include + include include - include - include - include - include + include include - include include include include include - include @{exec_path} mr, @@ -34,7 +29,6 @@ profile qpdfview @{exec_path} { @{lib}/firefox/firefox rPUx, @{open_path} rPx -> child-open, - /usr/share/hwdata/pnp.ids r, /usr/share/poppler/** r, /usr/share/djvu/** r, @@ -60,10 +54,10 @@ profile qpdfview @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int}, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner /dev/tty@{int} rw, 
diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index f17f2a83..3d4d73bb 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -10,19 +10,17 @@ include @{exec_path} = @{bin}/qt5ct profile qt5ct @{exec_path} { include - include - include - include + include include - include - include - include - include - include + include include + include @{exec_path} mr, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/qt5ct/ rw, owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#@{int}, @@ -35,19 +33,8 @@ profile qt5ct @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - /usr/share/qt5ct/** r, - - /usr/share/xsessions/{,*.desktop} r, - + @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, - @{PROC}//sys/kernel/random/boot_id r, - - /etc/X11/cursors/*.theme r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /usr/share/hwdata/pnp.ids r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index e2fd09d1..f423775f 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/scrot profile scrot @{exec_path} { include + include include @{exec_path} mr, @@ -21,16 +22,10 @@ profile scrot @{exec_path} { # The image dir owner @{HOME}/*.png rw, - owner @{HOME}/.Xauthority r, - - /dev/shm/#@{int} rw, - - owner @{HOME}/.icons/default/index.theme r, - /usr/share/icons/*/index.theme r, - /usr/share/icons/*/cursors/* r, - # file_inherit owner @{HOME}/.xsession-errors w, + /dev/shm/#@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 9852d56b..efb32611 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry 
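Review bot: `/usr/share/qt5ct/** r,` is removed from qt5ct with nothing in the hunk taking its place; qt5ct reads its bundled colour schemes and style sheets from that directory, so unless the include added in the first hunk (target not visible in this rendering) covers it, those lists will come up empty under confinement. `/usr/share/xsessions/{,*.desktop} r,` and `/etc/X11/cursors/*.theme r,` go the same way and deserve the same check. If an abstraction does provide them, a short commit-message note naming it would stop the next reader from re-adding the rules.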
@@ -10,22 +10,18 @@ include @{exec_path} = @{bin}/strawberry profile strawberry @{exec_path} { include - include - include - include - include - include - include - include - include include - include + include + include + include + include + include + include + include include include - include include - include - include + include signal (send) set=(term, kill) peer=strawberry-tagreader, 
@@ -42,88 +38,45 @@ profile strawberry @{exec_path} { @{bin}/strawberry-tagreader rPx, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open-help, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{HOME}/ r, - # Media library owner @{user_music_dirs}/ r, owner @{user_music_dirs}/** rw, - # Playlists - owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw, - owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw, - - owner @{HOME}/ r, owner @{user_config_dirs}/strawberry/ rw, owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int}, owner @{user_share_dirs}/strawberry/ rw, owner @{user_share_dirs}/strawberry/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/strawberry/ rw, owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#@{int}, owner @{user_cache_dirs}/xine-lib/ rw, owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/sys/kernel/random/boot_id r, + owner @{tmp}/.*/ rw, + owner @{tmp}/.*/s rw, + owner @{tmp}/*= w, + owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, + owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, + owner @{tmp}/strawberry*[0-9] w, + owner /dev/shm/#@{int} rw, @{run}/mount/utab r, - /etc/fstab r, - - /dev/shm/#@{int} rw, - /dev/sr[0-9]* r, - - owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, - owner @{tmp}/.*/ rw, - owner @{tmp}/.*/s rw, - owner @{tmp}/strawberry*[0-9] w, - owner @{tmp}/strawberry-cover-*.jpg rwl -> /tmp/#@{int}, - owner @{tmp}/#@{int} rw, - owner @{tmp}/*= w, - - owner /var/tmp/etilqs_@{hex} rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner /dev/tty@{int} rw, 
- owner @{HOME}/.anyRemote/anyremote.stdout w, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, include if exists }
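Review bot: Three rule families disappear from strawberry without a visible replacement: the playlist rules `owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,` and their upper-case twin, the optical drive `/dev/sr[0-9]* r,`, and `owner @{user_cache_dirs}/ rw,`. After the change a playlist saved anywhere outside `@{user_music_dirs}` and playback from an audio CD will be denied unless one of the includes added in the first hunk covers them (targets are not visible in this rendering). Please confirm the include set or restore these lines; the new cover-art rule `owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int},` also depends on `@{rand6}` being defined in the tunables.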