From 68fbd81e17ebc0c4607f2dad4feb8213d7ca47e7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Mar 2024 21:21:00 +0000
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/groups/apt/dpkg-preconfigure | 4 ++++
 apparmor.d/groups/gnome/gsd-power | 1 +
 .../groups/gvfs/gvfs-udisks2-volume-monitor | 2 --
 apparmor.d/groups/kde/sddm | 9 +++++++-
 apparmor.d/groups/systemd/systemd-hostnamed | 9 ++++++--
 apparmor.d/groups/systemd/systemd-timesyncd | 1 +
 apparmor.d/profiles-a-f/adduser | 2 +-
 apparmor.d/profiles-a-f/atd | 4 +++-
 apparmor.d/profiles-a-f/borg | 1 +
 apparmor.d/profiles-a-f/f3probe | 2 +-
 apparmor.d/profiles-g-l/git | 2 +-
 apparmor.d/profiles-g-l/gpartedbin | 6 +++---
 apparmor.d/profiles-g-l/i3lock-fancy | 19 +++++++++--------
 apparmor.d/profiles-g-l/keepassxc | 11 +++++-----
 apparmor.d/profiles-m-r/molly-guard | 9 +++++++-
 apparmor.d/profiles-m-r/mount-nfs | 10 +++++++--
 apparmor.d/profiles-s-z/setvtrgb | 21 +++++++++++++++++++
 apparmor.d/profiles-s-z/udisksd | 19 +++++++++--------
 18 files changed, 94 insertions(+), 38 deletions(-)
 create mode 100644 apparmor.d/profiles-s-z/setvtrgb
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 4979a2ca..2a2bcf91 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -20,6 +20,7 @@ profile dpkg-preconfigure @{exec_path} {
 @{bin}/perl r,
 @{sh_path} rix,
+ @{bin}/{,e}grep rix,
 @{bin}/locale rix,
 @{bin}/sed rix,
 @{bin}/stty rix,
@@ -31,6 +32,7 @@ profile dpkg-preconfigure @{exec_path} {
 /usr/share/debconf/confmodule r,
 /etc/debconf.conf r,
+ /etc/default/grub r,
 /etc/inputrc r,
 /etc/shadow r,
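Review bot: `/etc/default/grub r,` is added without a comment saying which debconf config script reads it, and the neighbouring `/etc/shadow r,` is equally unexplained, so a later maintainer cannot tell whether either read is still required. Presumably this is for a bootloader package's config script — confirm and record it, e.g. `/etc/default/grub r, # <package> config script`. The profile block continues outside the hunk.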
@@ -42,6 +44,8 @@ profile dpkg-preconfigure @{exec_path} {
 owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
 owner /var/cache/debconf/tmp.ci/ r,
 owner /var/cache/debconf/tmp.ci/* rix,
+ owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w,
+ owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w,
 owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w,
 owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index f1f24bff..16bcf931 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -15,6 +15,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 78eb32b4..a214aedd 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -70,8 +70,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 @{HOME}/**/ r,
 @{run}/mount/utab r,
- @{run}/systemd/inhibit/*.ref r,
- @{run}/systemd/sessions/* r,
 @{PROC}/ r,
 @{PROC}/@{pids}/net/* r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index e8c33bd7..edc2bd17 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -97,7 +97,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/kwalletd{5,6} rPx,
 @{bin}/startplasma-wayland rPx,
 @{bin}/startplasma-x11 rPx,
- @{bin}/systemctl rPx -> child-systemctl,
+ @{bin}/systemctl rCx -> systemctl,
 @{bin}/unix_chkpwd rPx,
 @{bin}/xrdb rPx,
 @{bin}/xset rPx,
@@ -189,6 +189,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /dev/tty@{int} rw,
 /dev/tty rw,
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
 profile xauth {
 include
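Review bot: The two new write rules, together with the existing `owner /var/cache/debconf/tmp.ci/* rix,` two lines above, let this profile both write and then execute (inheriting its own confinement) the same `tmp.ci/*.config.@{rand6}` files. That is how debconf runs package config scripts, so it is probably unavoidable, but write-plus-execute on one path deserves a comment so it is not widened by accident: `# tmp.ci/* is both written and executed here (debconf config scripts)`. The three `w` rules could also be one rule, `owner /var/cache/debconf/tmp.ci/*.{config,passwords,template}.@{rand6} w,`, matching the brace style the hunk already uses for the `.dat` files. The profile block continues outside the hunk.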
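Review bot: Replacing `rPx -> child-systemctl` with `rCx -> systemctl` changes the label systemctl runs under from `child-systemctl` to `sddm//systemctl`, so any other profile whose `peer=` (signal, ptrace, dbus or unix rules) names `child-systemctl` will stop matching this transition and should be checked. The same switch is made in molly-guard and mount-nfs, so the `profile systemctl { ... }` child block is now copied three times; a short comment above each copy stating why a nested child profile replaced the shared one would help, e.g. `# systemctl is confined as a child profile so its rules stay local to this caller`. Whether the included abstraction supplies the `@{bin}/systemctl mr,` rule itself is inferred, not shown by the hunk.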
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 8a1810c6..45d004e6 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -38,8 +38,13 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+dmi:id r,
 @{sys}/devices/virtual/dmi/id/ r,
- @{sys}/devices/virtual/dmi/id/{bios_vendor,bios_version,board_vendor,bios_date} r,
- @{sys}/devices/virtual/dmi/id/{product_name,product_version,chassis_type} r,
+ @{sys}/devices/virtual/dmi/id/bios_date r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/bios_version r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/uevent r,
 @{sys}/firmware/acpi/pm_profile r,
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 64acd869..5f7427fd 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -37,6 +37,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 @{run}/resolvconf/*.conf r,
 @{run}/systemd/netif/state r,
 @{run}/systemd/notify rw,
+ @{run}/systemd/timesyncd.conf.d/{,**} r,
 owner @{run}/systemd/journal/socket w,
 owner @{run}/systemd/timesync/synchronized rw,
diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser
index 70e9ae6a..e816822a 100644
--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@@ -21,7 +21,7 @@ profile adduser @{exec_path} {
 capability fsetid,
 capability setgid,
 capability setuid,
- capability sys_admin,
+ capability sys_admin, # For logger
 @{exec_path} r,
 @{bin}/perl r,
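Review bot: `capability sys_admin, # For logger` documents the need but still grants sys_admin to everything adduser does, not only to `logger`. If logger is executed inherited (`rix`) — its exec rule is outside this hunk — giving it its own profile with `@{bin}/logger rPx,` would keep sys_admin out of adduser entirely; it is also not obvious why logger needs sys_admin rather than something narrower, so the comment should name the operation that fails without it. The profile block continues outside the hunk.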
diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd
index e93a45c0..c7d4ebb9 100644
--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@@ -20,7 +20,7 @@ profile atd @{exec_path} {
 capability setuid,
 capability sys_resource,
- signal (receive) set=hup,
+ signal (receive) set=hup peer=at,
 ptrace (read) peer=unconfined,
@@ -28,6 +28,8 @@ profile atd @{exec_path} {
 @{sh_path} rix,
 @{bin}/sendmail rPUx,
+ @{bin}/unix_chkpwd rPx,
+ @{bin}/exim4 rPx,
 @{etc_ro}/environment r,
 @{etc_ro}/security/limits.d/ r,
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index f1837744..d4462805 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -14,6 +14,7 @@ profile borg @{exec_path} {
 include
 include
+ capability dac_override,
 capability dac_read_search,
 capability fowner,
 capability sys_admin,
diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe
index 75c62668..68490194 100644
--- a/apparmor.d/profiles-a-f/f3probe
+++ b/apparmor.d/profiles-a-f/f3probe
@@ -10,7 +10,7 @@ include
 @{exec_path} = @{bin}/f3probe
 profile f3probe @{exec_path} {
 include
- include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 6c6b7dce..ad439cc8 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -46,7 +46,6 @@ profile git @{exec_path} {
 @{bin}/{,e}grep rix,
 @{bin}/basename rix,
 @{bin}/cat rix,
- @{bin}/cat rix,
 @{bin}/date rix,
 @{bin}/dirname rix,
 @{bin}/envsubst rix,
@@ -57,6 +56,7 @@ profile git @{exec_path} {
 @{bin}/mv rix,
 @{bin}/rm rix,
 @{bin}/sed rix,
+ @{bin}/tar rix,
 @{bin}/uname rix,
 @{bin}/wc rix,
 @{bin}/whoami rix,
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 9048c467..04cb2849 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
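Review bot: The two new exec rules are appended after `@{bin}/sendmail rPUx,` instead of being sorted, while the i3lock-fancy hunk in this same patch reorders its rules alphabetically; `@{bin}/exim4 rPx,` belongs before the sendmail line and `@{bin}/unix_chkpwd rPx,` after it. Note also that `rPx` requires an exim4 profile to be loaded, whereas sendmail falls back to unconfined (`rPUx`); if sendmail is a link to exim4 on the target system, AppArmor matches the resolved path and the `exim4 rPx` rule is the one that applies, so the two rules should agree on the intended confinement. The profile block continues outside the hunk.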
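Review bot: `capability dac_override,` is added without saying what needs it, next to `dac_read_search`, `fowner` and `sys_admin`, which are likewise uncommented. dac_override bypasses write permission checks, so it widens borg well beyond the read bypass it already had; a one-line justification such as `capability dac_override, # <operation that fails without it>` lets a later reviewer check whether it is still needed or whether `dac_read_search` alone covers backup reads. The profile block continues outside the hunk.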
@@ -20,14 +20,14 @@ profile gpartedbin @{exec_path} { include capability dac_read_search, + capability ipc_lock, capability sys_admin, capability sys_rawio, - # Needed? - # deny capability sys_nice, - ptrace (read), + signal (send) peer=mke2fs, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index 687412ec..1fdb6433 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -11,19 +11,21 @@ include profile i3lock-fancy @{exec_path} { include include - include include + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/rm rix, - @{bin}/fc-match rix, - @{bin}/getopt rix, - @{bin}/mktemp rix, + @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/env rix, + @{bin}/fc-match rix, + @{bin}/getopt rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/wmctrl rix, @{bin}/i3lock rPx, @{bin}/xrandr rPx, @@ -32,16 +34,15 @@ profile i3lock-fancy @{exec_path} { @{bin}/import-im6.q16 rCx -> imagemagic, @{bin}/scrot rCx -> imagemagic, + /usr/share/i3lock-fancy/{,*} r, + owner /tmp/tmp.*.png rw, owner /tmp/tmp.* rw, owner /tmp/sh-thd.* rw, - /usr/share/i3lock-fancy/{,*} r, - # file_inherit owner /dev/tty@{int} rw, - profile imagemagic { include include diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 81c82bdd..f493b28a 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -67,6 +67,8 @@ profile keepassxc @{exec_path} { owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int}, owner @{user_config_dirs}/keepassxc/ rw, owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int}, + owner @{user_share_dirs}/keepassxc/ rw, + owner @{user_share_dirs}/keepassxc/* rwkl -> @{user_share_dirs}/keepassxc/#@{int}, owner /tmp/.[a-zA-Z]*/{,s} rw, owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int}, 
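Review bot: `signal (send) peer=mke2fs,` carries no `set=` restriction, so gpartedbin may send any signal to mke2fs; if it only interrupts or terminates it, narrowing to the signals actually sent, e.g. `signal (send) set=(term kill) peer=mke2fs,`, keeps the rule minimal. `capability ipc_lock,` is likewise added without a comment on what requires it. The `peer=mke2fs` label also assumes mke2fs runs under its own profile; if gpartedbin executes it inherited, the peer label would be gpartedbin and the rule would not match — its exec rule is outside the hunk.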
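Review bot: `@{bin}/wmctrl rix,` runs wmctrl inherited, with every permission i3lock-fancy has, while i3lock and xrandr just below get `rPx`. wmctrl only needs to talk to the X server, so if a wmctrl profile exists `@{bin}/wmctrl rPx,` would match its neighbours; otherwise a short comment on why `rix` was chosen would help the next reader. The profile continues in the following hunk.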
@@ -77,8 +79,12 @@ profile keepassxc @{exec_path} {
 owner /tmp/keepassxc.lock rw,
 owner /tmp/keepassxc.socket rw,
+ owner @{run}/user/@{pid}/app/ w,
+ owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
 owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
 owner @{run}/user/@{uid}/kpxc_server rw,
+ owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
+ owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,
 @{PROC}/@{pids}/comm r,
 @{PROC}/modules r,
@@ -87,11 +93,6 @@ profile keepassxc @{exec_path} {
 deny @{PROC}/sys/kernel/random/boot_id r,
 deny owner @{PROC}/@{pid}/cmdline r,
- owner @{run}/user/@{pid}/app/ w,
- owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
- owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
- owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,
-
 /dev/shm/#@{int} rw,
 /dev/tty rw,
 /dev/urandom rw,
diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard
index 31f0762e..fa268a2d 100644
--- a/apparmor.d/profiles-m-r/molly-guard
+++ b/apparmor.d/profiles-m-r/molly-guard
@@ -21,7 +21,7 @@ profile molly-guard @{exec_path} {
 @{bin}/{,e,p}grep rix,
 @{bin}/hostname rix,
 @{bin}/run-parts rix,
- @{bin}/systemctl rPx -> child-systemctl,
+ @{bin}/systemctl rCx -> systemctl,
 @{bin}/tr rix,
 @{bin}/tty rix,
@@ -33,5 +33,12 @@ profile molly-guard @{exec_path} {
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/uptime r,
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs
index 42d85fa0..9b06bcb7 100644
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
@@ -43,8 +43,7 @@ profile mount-nfs @{exec_path} flags=(complain) {
 @{sh_path} rix,
 @{bin}/flock rix,
 @{bin}/start-statd rix,
-
- /usr/bin/systemctl rPx -> child-systemctl,
+ @{bin}/systemctl rCx -> systemctl,
 /etc/fstab r,
 /etc/netconfig r,
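Review bot: The two moved rules `owner @{run}/user/@{pid}/app/ w,` and `owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,` use `@{pid}` in the path component that is the user's runtime directory, where the adjacent lines use `@{uid}`. Both variables presumably expand to a numeric pattern so the rules likely still match, but it reads as a copy-paste slip and will mislead the next edit; since the lines are being touched anyway, `owner @{run}/user/@{uid}/app/ w,` would state the intent. The profile block continues outside the hunk.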
@@ -62,5 +61,12 @@ profile mount-nfs @{exec_path} flags=(complain) {
 owner @{PROC}/@{pid}/mountinfo r,
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb
new file mode 100644
index 00000000..7080cd90
--- /dev/null
+++ b/apparmor.d/profiles-s-z/setvtrgb
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/setvtrgb
+profile setvtrgb @{exec_path} {
+ include
+ include
+
+ capability sys_tty_config,
+
+ @{exec_path} mr,
+
+ /dev/tty@{int} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 890cadfe..5daa8fb1 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
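Review bot: The new setvtrgb profile grants `capability sys_tty_config,` and `/dev/tty@{int} rw,` but no read rule for a palette file, yet the tool is normally invoked with one (Debian's console-setup runs it on `/etc/vtrgb`); unless the included abstractions cover that path, such an invocation will be denied, so confirm and add e.g. `/etc/vtrgb r,` if needed. The new file also lacks a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean.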
@@ -32,21 +32,21 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 # Allow mounting of removable devices
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
 # Allow mounting of loop devices (ISO files)
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
 # Allow mounting of cdrom
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
- mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/,
 # Allow mounting od sd cards
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
 # Allow mounting on temporary mount point
 mount -> @{run}/udisks2/temp-mount-*/,
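Review bot: Under `# Allow mounting of cdrom` the first rewritten rule is still the same `/dev/loop[0-9]*` rule as the first line of the loop-device group above, so with exfat added in both places the loop rule is now duplicated while the cdrom group only needs its `/dev/sr[0-9]*` line; drop the duplicate while the lines are being touched. The context comment `# Allow mounting od sd cards` has a typo (`of`) that could be fixed in the same pass. The profile block continues outside the hunk.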
@@ -111,6 +111,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+pci:* r,
 @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+scsi:* r,
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{sys}/bus/ r,