From 697e196e42aa349600e3c821cc766ffc9923aae3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 30 Apr 2023 14:49:44 +0100
Subject: [PATCH] feat(openvpn): improve integration accross profiles. See #157
---
 apparmor.d/groups/gnome/gnome-control-center | 1 +
 apparmor.d/groups/network/nm-openvpn-auth-dialog | 2 ++
 .../groups/network/nm-openvpn-service-openvpn-helper | 2 ++
 apparmor.d/groups/network/nmcli | 3 +++
 apparmor.d/groups/network/openvpn | 9 ++++++---
 5 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index c114ca1a..3ac6983b 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -128,6 +128,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /var/lib/AccountsService/icons/* r,
 owner @{HOME}/.cat_installer/ca.pem r,
+ owner @{HOME}/.cert/nm-openvpn/*.pem r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
 owner @{user_cache_dirs}/thumbnails/{,**} rw,
diff --git a/apparmor.d/groups/network/nm-openvpn-auth-dialog b/apparmor.d/groups/network/nm-openvpn-auth-dialog
index 5936aa84..b0207504 100644
--- a/apparmor.d/groups/network/nm-openvpn-auth-dialog
+++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog
@@ -12,5 +12,7 @@ profile nm-openvpn-auth-dialog @{exec_path} {
 @{exec_path} mr,
+ owner @{HOME}/.cert/nm-openvpn/*.pem r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
index d602d617..880f9d54 100644
--- a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
+++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
@@ -12,5 +12,7 @@ profile nm-openvpn-service-openvpn-helper @{exec_path} {
 @{exec_path} mr,
+ @{HOME}/.cert/nm-openvpn/*.pem r,
+
 include if exists
 }
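Review bot: The new rule `@{HOME}/.cert/nm-openvpn/*.pem r,` in nm-openvpn-service-openvpn-helper is the only `.cert/nm-openvpn` rule in this patch without the `owner` qualifier (the gnome-control-center, nm-openvpn-auth-dialog and nmcli hunks all carry it), so the helper may read every user's certificate and private-key files under any home directory. That is presumably intentional because the helper is launched by openvpn (this patch adds the `rPx` transition to the openvpn profile) and so probably does not run under the uid that owns those files, but nothing in the profile records it, and a later consistency pass adding `owner` would silently break the VPN. Suggest a why-comment on the rule, e.g. `# no owner: spawned by openvpn, not by the user owning the certs`, and confirming from the denial log whether the helper needs the private keys at all or only the CA/cert files. The profile body starts outside the hunk.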
diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli
index d86dec49..b959e344 100644
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@@ -17,6 +17,9 @@ profile nmcli @{exec_path} {
 /{usr/,}bin/less rCx -> pager,
+ owner @{HOME}/.nm-vpngate/*.ovpn r,
+ owner @{HOME}/.cert/nm-openvpn/*.pem rw,
+
 @{run}/udev/data/+pci* r,
 @{run}/udev/data/n[0-9]* r,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index cb47b4aa..6a02e631 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 #
 # The following profile assumes that:
@@ -23,7 +23,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/openvpn
-profile openvpn @{exec_path} {
+profile openvpn @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -50,14 +50,17 @@ profile openvpn @{exec_path} {
 @{exec_path} mr,
+ @{libexec}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
+
 /etc/openvpn/{,**} r,
 @{HOME}/.cert/{,**} r,
 /var/log/openvpn/*.log w,
- @{run}/openvpn/*.{pid,status} rw,
 @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
+ @{run}/openvpn/*.{pid,status} rw,
+ @{run}/systemd/journal/dev-log rw,
 /{usr/,}{s,}bin/ip rix,
 /{usr/,}bin/systemd-ask-password rPx,
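Review bot: `owner @{HOME}/.cert/nm-openvpn/*.pem rw,` in the nmcli hunk allows nmcli to create and rewrite the certificate files but grants nothing on the directories, so a first-time import into a home where `~/.cert/nm-openvpn/` does not exist yet will presumably still fail on the mkdir; consider adding `owner @{HOME}/.cert/{,nm-openvpn/} w,` next to it, to be confirmed against the importer's behaviour. The `owner @{HOME}/.nm-vpngate/*.ovpn r,` rule hard-codes one tool's private directory with no explanation, which reads as an arbitrary path to anyone who does not know that tool; a short comment such as `# .ovpn files downloaded by nm-vpngate, imported via 'nmcli connection import'` would justify it. The nmcli profile body continues outside the hunk.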
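Review bot: `flags=(attach_disconnected)` is added to the openvpn profile header without any record of which disconnected path required it, and the flag is not free: objects with no path to the namespace root are re-rooted at `/`, so every absolute rule in this profile — including the un-owned `@{HOME}/.cert/{,**} r,` visible in the next hunk — now also matches such objects. Since the file header already keeps a `# The following profile assumes that:` list (first hunk of this file), suggest recording the reason there or next to the flag, e.g. `# attach_disconnected: required when openvpn is started by NetworkManager, see #157`, with the actual trigger taken from the denial log rather than guessed. The profile body is outside this hunk.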
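Review bot: `@{libexec}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,` in the last openvpn hunk only succeeds if the `@{exec_path}` declared in the nm-openvpn-service-openvpn-helper profile (not shown in that profile's hunk in this patch) matches both alternatives of the glob; with `Px` there is no fallback, so an unmatched path is an exec denial rather than an unconfined run — please verify the two definitions agree. `@{run}/systemd/journal/dev-log rw,` is also wider than logging needs: connecting to that socket only takes `w`, and if `abstractions/base` is among the three name-stripped includes of this profile it already grants `@{run}/systemd/journal/dev-log w`, making the rule redundant. Suggest either dropping it or reducing it to `@{run}/systemd/journal/dev-log w,`; the profile body continues past the hunk.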