From 6a78b17d237dfb63765e3429b4fb7f53778f5d9d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 15 Sep 2023 22:01:08 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/apt/dpkg | 1 +
 apparmor.d/groups/apt/unattended-upgrade | 17 ++++++++++-------
 apparmor.d/groups/children/child-systemctl | 2 +-
 apparmor.d/groups/freedesktop/xdg-user-dir | 2 ++
 .../gnome/gnome-calculator-search-provider | 8 +++++---
 apparmor.d/groups/gnome/gnome-calendar | 2 ++
 apparmor.d/groups/gnome/gnome-characters | 3 +++
 .../gnome/gnome-control-center-search-provider | 4 ++++
 apparmor.d/groups/gvfs/gvfsd-computer | 2 ++
 apparmor.d/groups/network/mullvad-gui | 3 ++-
 apparmor.d/groups/pacman/mkinitcpio | 7 +++----
 apparmor.d/groups/pacman/pacman | 8 ++------
 apparmor.d/groups/pacman/pacman-hook-dkms | 7 +++----
 apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 4 +++-
 apparmor.d/groups/systemd/journalctl | 1 +
 apparmor.d/profiles-a-f/aa-teardown | 2 ++
 apparmor.d/profiles-a-f/element | 4 ++++
 apparmor.d/profiles-a-f/findmnt | 3 +--
 apparmor.d/profiles-g-l/kmod | 10 ++++------
 apparmor.d/profiles-m-r/needrestart | 3 +++
 apparmor.d/profiles-s-z/spotify | 2 ++
 apparmor.d/profiles-s-z/transmission-gtk | 2 ++
 22 files changed, 62 insertions(+), 35 deletions(-)
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index de37367c..8110cd99 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -26,6 +26,7 @@ profile dpkg @{exec_path} {
 @{bin}/rm rix,
 @{bin}/deb-systemd-helper rix,
+ @{bin}/deb-systemd-invoke rix,
 @{bin}/dpkg-deb rpx,
 @{bin}/dpkg-query rpx,
 @{bin}/dpkg-split rPx,
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 800ebae3..756cbc45 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -64,17 +64,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 @{bin}/touch rix,
 @{bin}/uname rix,
- @{bin}/dpkg-preconfigure rPx,
- @{bin}/on_ac_power rPx,
- @{bin}/sendmail rPUx,
 @{bin}/apt-listchanges rPx,
 @{bin}/dpkg rPx,
+ @{bin}/dpkg-preconfigure rPx,
 @{bin}/etckeeper rPx,
 @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/on_ac_power rPx,
+ @{bin}/sendmail rPUx,
 @{lib}/apt/methods/http{,s} rPx,
 @{lib}/needrestart/apt-pinvoke rPx,
 @{lib}/update-notifier/update-motd-updates-available rPx,
- @{lib}/zsys-system-autosnapshot rPx,
+ @{lib}/zsys-system-autosnapshot rPx,
 /usr/share/distro-info/* r,
@@ -85,17 +85,20 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /etc/dpkg/origins/{,debian,ubuntu} r,
 /etc/fwupd/{,**} r,
 /etc/grub.d/* r,
+ /etc/init.d/* r,
 /etc/issue{.net,} r,
 /etc/kernel/*.d/*grub* r,
 /etc/legal r,
 /etc/lsb-release r,
 /etc/machine-id r,
+ /etc/pam.d/* r,
 /etc/pki/fwupd-metadata/{,**} r,
 /etc/pki/fwupd/{,**} r,
 /etc/profile.d/* r,
 /etc/security/capability.conf r,
 /etc/update-manager/{,**} r,
 /etc/update-motd.d/* r,
+ /etc/vmware-tools/* r,
 /var/log/unattended-upgrades/{,**} rw,
@@ -110,16 +113,16 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /var/log/apt/{term,history}.log w,
 /var/log/apt/eipp.log.xz w,
+ @{run}/resolvconf/resolv.conf r,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{run}/unattended-upgrades.lock rwk,
 owner @{run}/unattended-upgrades.pid rw,
 owner @{run}/unattended-upgrades.progress rw,
- @{run}/systemd/inhibit/[0-9]*.ref rw,
- @{run}/resolvconf/resolv.conf r,
 owner /tmp/apt-dpkg-install-*/{,*} rw,
- owner @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/mountinfo r,
+ owner @{PROC}/@{pids}/fd/ r,
 /dev/ptmx rw,
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index 6aab1225..92c32104 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
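Review bot: The new `/etc/pam.d/* r` and `/etc/vmware-tools/* r` rules in the second hunk carry no comment saying which step of an unattended-upgrade run reads them, and PAM configuration is not an obvious input for a package updater. Nothing visible in the hunk ties them to a caller, so a one-line comment such as `# read by [HELPER NAME] — TODO confirm` above each rule would make later audits easier. If one of the `rPx` children listed in the first hunk is the actual reader, the rule belongs in that child's profile rather than here. The enclosing profile starts and ends outside the hunks.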
@@ -53,7 +53,7 @@ profile child-systemctl flags=(attach_disconnected) {
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/random/boot_id r,
- owner @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/stat r,
 /dev/kmsg w,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir
index a0ae01ff..17545911 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dir
+++ b/apparmor.d/groups/freedesktop/xdg-user-dir
@@ -17,6 +17,8 @@ profile xdg-user-dir @{exec_path} {
 owner @{user_config_dirs}/user-dirs.dirs r,
+ /dev/tty rw,
+
 # Silencer
 deny network inet stream,
 deny network inet6 stream,
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider
index 14506a3c..8ba5634b 100644
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@@ -25,13 +25,15 @@ profile gnome-calculator-search-provider @{exec_path} {
 /{usr/,}bin/[a-z0-9]* rPUx,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/X11/xkb/{,**} r,
+ /usr/share/x11/xkb/{,**} r,
 /usr/share/icons/{,**} r,
-
+ /usr/share/nvidia/nvidia-application-profiles-*-rc r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/comm r,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index b5935839..ef5fa9f1 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -30,5 +30,7 @@ profile gnome-calendar @{exec_path} {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{PROC}/@{pid}/cmdline r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 7487e2cb..bebce7b5 100644
--- a/apparmor.d/groups/gnome/gnome-characters
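Review bot: Dropping `owner` from `@{PROC}/@{pid}/comm r` widens the rule from processes of the same user to every process's comm, while the neighbouring `owner @{PROC}/@{pid}/stat r` keeps the qualifier; assuming `@{pid}` is a numeric glob here rather than the caller's own pid, `owner` was the only thing limiting the match. Reading comm exposes little (a process name), so the risk is low, but if the intent really is to read other users' processes the `@{pids}` spelling used in the unattended-upgrade hunk would make that explicit: `@{PROC}/@{pids}/comm r,`. The profile body continues outside the hunk.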
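Review bot: `/usr/share/x11/xkb/{,**} r` replaces the former `/usr/share/X11/xkb/{,**} r` with a lowercase `x11`; AppArmor path matching is case-sensitive and the on-disk directory is `/usr/share/X11`, so the rewritten rule matches nothing and the xkb reads it was meant to permit are denied again. The gnome-characters and gnome-control-center-search-provider hunks in this same patch keep the uppercase spelling, so this looks like a typo: restore `/usr/share/X11/xkb/{,**} r,`. The enclosing profile starts outside the hunk.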
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -28,7 +28,10 @@ profile gnome-characters @{exec_path} {
 /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
+ /usr/share/nvidia/nvidia-application-profiles-*-rc r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/status r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index c67d8b22..42bd5775 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -23,10 +23,14 @@ profile gnome-control-center-search-provider @{exec_path} {
 @{exec_path} mr,
 /usr/share/X11/xkb/{,**} r,
+ /usr/share/nvidia/nvidia-application-profiles-*-rc r,
 /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/comm r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index b834cdb2..97a0c916 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@@ -13,5 +13,7 @@ profile gvfsd-computer @{exec_path} {
 @{exec_path} mr,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index afcf3c38..6d486320 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -20,6 +20,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 capability sys_chroot,
 capability sys_ptrace,
@@ -44,7 +45,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 /etc/libva.conf r,
 /etc/igfx_user_feature{,_next}.txt w,
-
+ /etc/machine-id r,
 /var/lib/dbus/machine-id r,
 owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index f2d1cba7..69b47afe 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -17,8 +17,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 capability sys_admin,
 capability sys_chroot,
- unix (receive) type=stream,
-
 @{exec_path} rmix,
 @{bin}/{,ba}sh rix,
@@ -116,9 +114,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 # Inherit silencer
 deny @{HOME}/** r,
- deny network inet6 stream,
- deny network inet stream,
 deny /apparmor/.null rw,
+ deny network inet stream,
+ deny network inet6 stream,
+ deny unix (receive) type=stream,
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index e6722051..12b72f99 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -30,17 +30,12 @@ profile pacman @{exec_path} {
 capability sys_chroot,
 capability sys_resource,
- # network unix stream,
- # network unix dgram,
-
 network inet stream,
 network inet6 stream,
 network inet dgram,
 network inet6 dgram,
 network netlink raw,
- unix (receive) type=stream,
-
 ptrace (read),
 @{exec_path} mrix,
@@ -161,8 +156,9 @@ profile pacman @{exec_path} {
 owner /dev/pts/@{int} rw,
 # Silencer,
- deny /tmp/ r,
 deny @{HOME}/ r,
+ deny /tmp/ r,
+ deny unix (receive) type=stream,
 profile gpg {
 include
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index 45fc865a..4526d430 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -13,8 +13,6 @@ profile pacman-hook-dkms @{exec_path} {
 capability dac_read_search,
 capability mknod,
- unix (receive) type=stream,
-
 @{exec_path} mr,
 @{bin}/bash rix,
@@ -30,9 +28,10 @@ profile pacman-hook-dkms @{exec_path} {
 /dev/tty rw,
 # Inherit Silencer
- deny network inet6 stream,
- deny network inet stream,
 deny /apparmor/.null rw,
+ deny network inet stream,
+ deny network inet6 stream,
+ deny unix (receive) type=stream,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index 410de90d..9b7b898c 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -14,7 +14,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability mknod,
- unix (receive) type=stream,
+ audit deny unix (receive) type=stream,
 @{exec_path} mr,
@@ -37,11 +37,13 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /etc/mkinitcpio.d/*.preset{,.pacsave} rw,
 / r,
+ /boot/ r,
 /boot/vmlinuz-* rw,
 /boot/initramfs-*.img rw,
 /boot/initramfs-*-fallback.img rw,
 /dev/tty rw,
+ owner /dev/pts/@{int} rw,
 # # Inherit Silencer
 deny network inet6 stream,
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index da633a70..a1e1b6a1 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -47,6 +47,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
 @{run}/host/container-manager r,
 @{run}/systemd/journal/io.systemd.journal rw,
+ @{PROC}/sys/fs/nr_open r,
 owner @{PROC}/@{pid}/cgroup r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown
index caaf70bb..25483997 100644
--- a/apparmor.d/profiles-a-f/aa-teardown
+++ b/apparmor.d/profiles-a-f/aa-teardown
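Review bot: `audit deny unix (receive) type=stream,` in the first pacman-hook-mkinitcpio hunk differs from every other profile touched by this patch — mkinitcpio, pacman, pacman-hook-dkms, findmnt and kmod all get a plain `deny unix (receive) type=stream,` in their silencer section — and `audit` makes the kernel log each denial, which is the opposite of silencing an inherited socket. Unless the audit entry is deliberately left in for debugging, drop the keyword and move the rule next to the other deny rules under the `# # Inherit Silencer` comment in the second hunk, as `deny unix (receive) type=stream,`. The profile body continues outside both hunks.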
@@ -18,6 +18,8 @@ profile aa-teardown @{exec_path} {
 @{bin}/{,ba,da}sh rix,
 @{lib}/apparmor/apparmor.systemd rPx,
+ /usr/share/terminfo/x/* r,
+ /dev/tty rw,
 include if exists
diff --git a/apparmor.d/profiles-a-f/element b/apparmor.d/profiles-a-f/element
index 721c750a..e3589107 100644
--- a/apparmor.d/profiles-a-f/element
+++ b/apparmor.d/profiles-a-f/element
@@ -41,6 +41,10 @@ profile element @{exec_path} {
 @{lib}/element/{,**} r,
 @{lib}/element/app.asar.unpacked/node_modules/**.node mr,
+ @{bin}/xdg-open rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
+
 /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
 /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt
index a3aa526e..bcd1ce57 100644
--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@@ -15,8 +15,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
 capability dac_read_search,
- unix (receive) type=stream,
-
 @{exec_path} mr,
 /etc/fstab r,
@@ -26,6 +24,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
 # File Inherit
 deny /apparmor/.null rw,
+ deny unix (receive) type=stream,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index f6dcec6e..6ff1c65a 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -1,14 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = @{bin}/{kmod,lsmod}
-@{exec_path} += @{bin}/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}
+@{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}
 profile kmod @{exec_path} flags=(attach_disconnected) {
 include
 include
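Review bot: `/usr/share/terminfo/x/* r` only covers terminfo entries whose name starts with `x` (xterm and relatives); running aa-teardown from a terminal with a different `TERM` (screen, tmux, rxvt, linux, vt220) will hit the same denial the rule was presumably added to fix. If the read is the shell's terminfo lookup, `/usr/share/terminfo/*/* r,` covers every entry at no extra exposure, since the directory holds only terminal descriptions. The enclosing profile starts outside the hunk.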
@@ -24,8 +23,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 network inet raw,
- unix (receive) type=stream,
-
 @{exec_path} mrix,
 @{bin}/{,ba,da}sh rix,
@@ -73,8 +70,9 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 /dev/tty@{int} rw,
- deny /apparmor/.null rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
+ deny /apparmor/.null rw,
+ deny unix (receive) type=stream,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index d5d71f24..904366c3 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -45,6 +45,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
 /etc/debconf.conf r,
+ /etc/init.d/* r,
 /etc/needrestart/{,**} r,
 /etc/needrestart/*.d/* rix,
 /etc/shadow r,
@@ -57,6 +58,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/juju/agents/{,**} r,
 owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+ owner @{run}/sshd.pid r,
+ @{PROC}/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index de722db5..7ce53667 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -82,6 +82,8 @@ profile spotify @{exec_path} {
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
 owner @{PROC}/@{pid}/task/@{tid}/status r,
+ owner /dev/shm/pulse-shm-@{int} r,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk
index 54a2abc6..555d2fd7 100644
--- a/apparmor.d/profiles-s-z/transmission-gtk
+++ b/apparmor.d/profiles-s-z/transmission-gtk
@@ -23,6 +23,7 @@ profile transmission-gtk @{exec_path} {
 include
 include
 include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -49,6 +50,7 @@ profile transmission-gtk @{exec_path} {
 @{run}/mount/utab r,
 @{PROC}/@{pid}/net/route r,
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,