mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-31 07:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-03-10 21:21:00 +00:00
parent ad8e5a9797
commit 68fbd81e17
Failed to generate hash of commit
18 changed files with 94 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/apt/dpkg-preconfigure
View file

@ -20,6 +20,7 @@ profile dpkg-preconfigure @{exec_path} {
@{bin}/perl r, @{bin}/perl r,
@{sh_path} rix, @{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/locale rix, @{bin}/locale rix,
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/stty rix, @{bin}/stty rix,
@ -31,6 +32,7 @@ profile dpkg-preconfigure @{exec_path} {
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,
/etc/debconf.conf r, /etc/debconf.conf r,
/etc/default/grub r,
/etc/inputrc r, /etc/inputrc r,
/etc/shadow r, /etc/shadow r,
@ -42,6 +44,8 @@ profile dpkg-preconfigure @{exec_path} {
owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
owner /var/cache/debconf/tmp.ci/ r, owner /var/cache/debconf/tmp.ci/ r,
owner /var/cache/debconf/tmp.ci/* rix, owner /var/cache/debconf/tmp.ci/* rix,
owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w,
owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w,
owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w,
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,

1
apparmor.d/groups/gnome/gsd-power
View file

@ -15,6 +15,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/net.hadess.PowerProfiles> include <abstractions/bus/net.hadess.PowerProfiles>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.hostname1>
include <abstractions/bus/org.freedesktop.login1.Session> include <abstractions/bus/org.freedesktop.login1.Session>
include <abstractions/bus/org.freedesktop.login1> include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.systemd1> include <abstractions/bus/org.freedesktop.systemd1>

2
apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
View file

@ -70,8 +70,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
@{HOME}/**/ r, @{HOME}/**/ r,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/systemd/inhibit/*.ref r,
@{run}/systemd/sessions/* r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pids}/net/* r, @{PROC}/@{pids}/net/* r,

9
apparmor.d/groups/kde/sddm
View file

@ -97,7 +97,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/kwalletd{5,6} rPx, @{bin}/kwalletd{5,6} rPx,
@{bin}/startplasma-wayland rPx, @{bin}/startplasma-wayland rPx,
@{bin}/startplasma-x11 rPx, @{bin}/startplasma-x11 rPx,
@{bin}/systemctl rPx -> child-systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/unix_chkpwd rPx, @{bin}/unix_chkpwd rPx,
@{bin}/xrdb rPx, @{bin}/xrdb rPx,
@{bin}/xset rPx, @{bin}/xset rPx,
@ -189,6 +189,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/dev/tty@{int} rw, /dev/tty@{int} rw,
/dev/tty rw, /dev/tty rw,
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/sddm_systemctl>
}
profile xauth { profile xauth {
include <abstractions/base> include <abstractions/base>

9
apparmor.d/groups/systemd/systemd-hostnamed
View file

@ -38,8 +38,13 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+dmi:id r, @{run}/udev/data/+dmi:id r,
@{sys}/devices/virtual/dmi/id/ r, @{sys}/devices/virtual/dmi/id/ r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,bios_version,board_vendor,bios_date} r, @{sys}/devices/virtual/dmi/id/bios_date r,
@{sys}/devices/virtual/dmi/id/{product_name,product_version,chassis_type} r, @{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/bios_version r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/uevent r, @{sys}/devices/virtual/dmi/id/uevent r,
@{sys}/firmware/acpi/pm_profile r, @{sys}/firmware/acpi/pm_profile r,

1
apparmor.d/groups/systemd/systemd-timesyncd
View file

@ -37,6 +37,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
@{run}/resolvconf/*.conf r, @{run}/resolvconf/*.conf r,
@{run}/systemd/netif/state r, @{run}/systemd/netif/state r,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
@{run}/systemd/timesyncd.conf.d/{,**} r,
owner @{run}/systemd/journal/socket w, owner @{run}/systemd/journal/socket w,
owner @{run}/systemd/timesync/synchronized rw, owner @{run}/systemd/timesync/synchronized rw,

2
apparmor.d/profiles-a-f/adduser
View file

@ -21,7 +21,7 @@ profile adduser @{exec_path} {
capability fsetid, capability fsetid,
capability setgid, capability setgid,
capability setuid, capability setuid,
capability sys_admin, capability sys_admin, # For logger
@{exec_path} r, @{exec_path} r,
@{bin}/perl r, @{bin}/perl r,

4
apparmor.d/profiles-a-f/atd
View file

@ -20,7 +20,7 @@ profile atd @{exec_path} {
capability setuid, capability setuid,
capability sys_resource, capability sys_resource,
signal (receive) set=hup, signal (receive) set=hup peer=at,
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
@ -28,6 +28,8 @@ profile atd @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/sendmail rPUx, @{bin}/sendmail rPUx,
@{bin}/unix_chkpwd rPx,
@{bin}/exim4 rPx,
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/limits.d/ r, @{etc_ro}/security/limits.d/ r,

1
apparmor.d/profiles-a-f/borg
View file

@ -14,6 +14,7 @@ profile borg @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
capability dac_override,
capability dac_read_search, capability dac_read_search,
capability fowner, capability fowner,
capability sys_admin, capability sys_admin,

2
apparmor.d/profiles-a-f/f3probe
View file

@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/f3probe @{exec_path} = @{bin}/f3probe
profile f3probe @{exec_path} { profile f3probe @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read> include <abstractions/disks-write>
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/profiles-g-l/git
View file

@ -46,7 +46,6 @@ profile git @{exec_path} {
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/cat rix,
@{bin}/date rix, @{bin}/date rix,
@{bin}/dirname rix, @{bin}/dirname rix,
@{bin}/envsubst rix, @{bin}/envsubst rix,
@ -57,6 +56,7 @@ profile git @{exec_path} {
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/tar rix,
@{bin}/uname rix, @{bin}/uname rix,
@{bin}/wc rix, @{bin}/wc rix,
@{bin}/whoami rix, @{bin}/whoami rix,

6
apparmor.d/profiles-g-l/gpartedbin
View file

@ -20,14 +20,14 @@ profile gpartedbin @{exec_path} {
include <abstractions/gtk> include <abstractions/gtk>
capability dac_read_search, capability dac_read_search,
capability ipc_lock,
capability sys_admin, capability sys_admin,
capability sys_rawio, capability sys_rawio,
# Needed?
# deny capability sys_nice,
ptrace (read), ptrace (read),
signal (send) peer=mke2fs,
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,

19
apparmor.d/profiles-g-l/i3lock-fancy
View file

@ -11,19 +11,21 @@ include <tunables/global>
profile i3lock-fancy @{exec_path} { profile i3lock-fancy @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/X-strict>
@{exec_path} r, @{exec_path} r,
@{sh_path} rix,
@{bin}/rm rix, @{sh_path} rix,
@{bin}/fc-match rix,
@{bin}/getopt rix,
@{bin}/mktemp rix,
@{bin}/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/env rix, @{bin}/env rix,
@{bin}/fc-match rix,
@{bin}/getopt rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/wmctrl rix,
@{bin}/i3lock rPx, @{bin}/i3lock rPx,
@{bin}/xrandr rPx, @{bin}/xrandr rPx,
@ -32,16 +34,15 @@ profile i3lock-fancy @{exec_path} {
@{bin}/import-im6.q16 rCx -> imagemagic, @{bin}/import-im6.q16 rCx -> imagemagic,
@{bin}/scrot rCx -> imagemagic, @{bin}/scrot rCx -> imagemagic,
/usr/share/i3lock-fancy/{,*} r,
owner /tmp/tmp.*.png rw, owner /tmp/tmp.*.png rw,
owner /tmp/tmp.* rw, owner /tmp/tmp.* rw,
owner /tmp/sh-thd.* rw, owner /tmp/sh-thd.* rw,
/usr/share/i3lock-fancy/{,*} r,
# file_inherit # file_inherit
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
profile imagemagic { profile imagemagic {
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/fonts>

11
apparmor.d/profiles-g-l/keepassxc
View file

@ -67,6 +67,8 @@ profile keepassxc @{exec_path} {
owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int}, owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int},
owner @{user_config_dirs}/keepassxc/ rw, owner @{user_config_dirs}/keepassxc/ rw,
owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int}, owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int},
owner @{user_share_dirs}/keepassxc/ rw,
owner @{user_share_dirs}/keepassxc/* rwkl -> @{user_share_dirs}/keepassxc/#@{int},
owner /tmp/.[a-zA-Z]*/{,s} rw, owner /tmp/.[a-zA-Z]*/{,s} rw,
owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int}, owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
@ -77,8 +79,12 @@ profile keepassxc @{exec_path} {
owner /tmp/keepassxc.lock rw, owner /tmp/keepassxc.lock rw,
owner /tmp/keepassxc.socket rw, owner /tmp/keepassxc.socket rw,
owner @{run}/user/@{pid}/app/ w,
owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
owner @{run}/user/@{uid}/kpxc_server rw, owner @{run}/user/@{uid}/kpxc_server rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,
@{PROC}/@{pids}/comm r, @{PROC}/@{pids}/comm r,
@{PROC}/modules r, @{PROC}/modules r,
@ -87,11 +93,6 @@ profile keepassxc @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r, deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r, deny owner @{PROC}/@{pid}/cmdline r,
owner @{run}/user/@{pid}/app/ w,
owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,
/dev/shm/#@{int} rw, /dev/shm/#@{int} rw,
/dev/tty rw, /dev/tty rw,
/dev/urandom rw, /dev/urandom rw,

9
apparmor.d/profiles-m-r/molly-guard
View file

@ -21,7 +21,7 @@ profile molly-guard @{exec_path} {
@{bin}/{,e,p}grep rix, @{bin}/{,e,p}grep rix,
@{bin}/hostname rix, @{bin}/hostname rix,
@{bin}/run-parts rix, @{bin}/run-parts rix,
@{bin}/systemctl rPx -> child-systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/tty rix, @{bin}/tty rix,
@ -33,5 +33,12 @@ profile molly-guard @{exec_path} {
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r, @{PROC}/uptime r,
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/molly-guard_systemctl>
}
include if exists <local/molly-guard> include if exists <local/molly-guard>
} }

10
apparmor.d/profiles-m-r/mount-nfs
View file

@ -43,8 +43,7 @@ profile mount-nfs @{exec_path} flags=(complain) {
@{sh_path} rix, @{sh_path} rix,
@{bin}/flock rix, @{bin}/flock rix,
@{bin}/start-statd rix, @{bin}/start-statd rix,
@{bin}/systemctl rCx -> systemctl,
/usr/bin/systemctl rPx -> child-systemctl,
/etc/fstab r, /etc/fstab r,
/etc/netconfig r, /etc/netconfig r,
@ -62,5 +61,12 @@ profile mount-nfs @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
profile systemctl {
include <abstractions/base>
include <abstractions/systemctl>
include if exists <local/mount-nfs_systemctl>
}
include if exists <local/mount-nfs> include if exists <local/mount-nfs>
} }

21
apparmor.d/profiles-s-z/setvtrgb Normal file
View file

@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/setvtrgb
profile setvtrgb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability sys_tty_config,
@{exec_path} mr,
/dev/tty@{int} rw,
include if exists <local/setvtrgb>
}

19
apparmor.d/profiles-s-z/udisksd
View file

@ -32,21 +32,21 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
# Allow mounting of removable devices # Allow mounting of removable devices
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
# Allow mounting of loop devices (ISO files) # Allow mounting of loop devices (ISO files)
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow mounting of cdrom # Allow mounting of cdrom
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/, mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/,
# Allow mounting od sd cards # Allow mounting od sd cards
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow mounting on temporary mount point # Allow mounting on temporary mount point
mount -> @{run}/udisks2/temp-mount-*/, mount -> @{run}/udisks2/temp-mount-*/,
@ -111,6 +111,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+pci:* r, @{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform:* r, @{run}/udev/data/+platform:* r,
@{run}/udev/data/+scsi:* r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r, @{sys}/bus/ r,