From 6b0b49824444c7647bd05679d78feb6aff2a6a26 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 6 Oct 2024 20:43:18 +0100
Subject: [PATCH] feat(profile): small profiles update.
---
 apparmor.d/abstractions/gnome-strict | 2 ++
 apparmor.d/groups/cron/cron-debsums | 14 ++++------
 apparmor.d/groups/gnome/gio-launch-desktop | 1 -
 apparmor.d/groups/gnome/gnome-characters | 1 +
 .../groups/gnome/gnome-extension-manager | 1 +
 apparmor.d/groups/gnome/gnome-software | 1 +
 apparmor.d/groups/systemd/systemd-dissect | 7 +++--
 apparmor.d/groups/virt/dockerd | 28 ++++++++++++++-----
 apparmor.d/profiles-m-r/mandb | 2 +-
 apparmor.d/profiles-m-r/metadata-cleaner | 12 ++++----
 apparmor.d/profiles-m-r/power-profiles-daemon | 4 +--
 apparmor.d/profiles-m-r/remmina | 16 +++++------
 apparmor.d/profiles-s-z/totem | 7 ++++-
 13 files changed, 57 insertions(+), 39 deletions(-)
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 833aaa59..ed3f2f4c 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -27,6 +27,8 @@ /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + / r, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists
diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums
index 5a7adf14..46a3bbe0 100644
--- a/apparmor.d/groups/cron/cron-debsums
+++ b/apparmor.d/groups/cron/cron-debsums
@@ -14,15 +14,13 @@ profile cron-debsums @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/true rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/debsums rPx,
+ @{bin}/ionice rix,
 @{bin}/logger rix,
 @{bin}/sed rix,
- @{bin}/{,e}grep rix,
-
- @{bin}/ionice rix,
-
- @{bin}/debsums rPx,
 @{bin}/tee rCx -> tee,
+ @{bin}/true rix,
 /etc/ r,
 /etc/default/debsums r,
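Review bot: `/ r,` is added to the shared gnome-strict abstraction, so every profile that includes it now gets a directory listing of the root filesystem, not only the program whose denial prompted the rule. If a single component needs the listing, the rule belongs in that profile; if it is genuinely common to all gnome-strict consumers, a short comment naming the reader, e.g. `# <component> lists / at startup` (placeholder for the actual program), keeps the abstraction auditable. Only the tail of the abstraction is in the hunk, so whether another rule already covers this is not visible here.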
@@ -31,17 +29,15 @@ profile cron-debsums @{exec_path} { # For shell pwd / r, - profile tee { include include - # Needed to write to /proc/self/fd/3 capability dac_override, @{bin}/tee mr, - owner @{PROC}/@{pid}/fd/3 rw, + owner @{PROC}/@{pid}/fd/@{int} rw, include if exists }
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 4b395eb8..12473b49 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -43,7 +43,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 /dev/dri/card@{int} rw,
- deny @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 730feb31..9ae8a7b8 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -24,6 +24,7 @@ profile gnome-characters @{exec_path} {
 @{open_path} rPx -> child-open-help,
 /usr/share/org.gnome.Characters/{,**} r,
+ /usr/share/xml/iso-codes/{,**} r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager
index 942d7b40..3b23d4ff 100644
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@@ -32,6 +32,7 @@ profile gnome-extension-manager @{exec_path} {
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 # Silencer
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index da5ed232..4726881e 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
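Review bot: In the `tee` child profile, `owner @{PROC}/@{pid}/fd/@{int} rw,` widens the old fd-3-only rule to every descriptor number, and the comment that explained why tee needs to go through /proc at all is dropped at the same time, leaving `capability dac_override` right above it without a stated reason. Keep a one-line comment such as `# tee writes to the descriptor the parent shell hands it via /proc/self/fd/N` above the rule, and if the logs only ever show a small set of descriptors, a bounded glob (for example `fd/{3,4}`, constructed) is preferable to `@{int}`. The `profile tee {` block and the enclosing cron-debsums profile both continue outside the hunk.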
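Review bot: `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` grants read as well as write on the thread name, while the totem profile touched by the same patch keeps `owner @{PROC}/@{pid}/task/@{tid}/comm w,`. If the denial that prompted this only showed a write (thread naming), `w` is sufficient and keeps the profiles consistent: `owner @{PROC}/@{pid}/task/@{tid}/comm w,`. The same `rw` form appears in the gnome-software and metadata-cleaner hunks of this patch.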
@@ -125,6 +125,7 @@ profile gnome-software @{exec_path} {
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 /dev/fuse rw,
diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect
index b81b100d..7dc10fd4 100644
--- a/apparmor.d/groups/systemd/systemd-dissect
+++ b/apparmor.d/groups/systemd/systemd-dissect
@@ -17,10 +17,11 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
 capability sys_admin,
 capability sys_resource,
- mount options=(rw rshared rslave) -> /,
- mount options=(rw nodev) -> /mnt/*/,
 mount -> /tmp/dissect-@{rand6}/,
- mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/,
+ mount fstype=tmpfs options=(rw nodev) rootfs -> @{run}/systemd/dissect-root/,
+ mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/{,**/},
+ mount options=(rw nodev) -> /mnt/*/,
+ mount options=(rw rshared rslave) -> /,
 umount @{run}/systemd/dissect-root/,
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 3342c0d5..91d7baf3 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -83,10 +83,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 # TODO: should be in a sub profile started with pivot_root, not supported yet.
 /{,**} rwl,
+ /etc/docker/{,**} r,
+
+ / r,
+
+ owner @{lib}/containerd/** w,
 owner @{lib}/docker/overlay2/*/work/{,**} rw,
+ owner /var/lib/containerd/** w,
 owner /var/lib/docker/{,**} rwk,
 owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
+ owner @{run}/docker/ rw,
+ owner @{run}/docker/** rwlk,
+ owner @{run}/docker.pid rw,
+
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/cpuset.cpus.effective r,
 @{sys}/fs/cgroup/cpuset.mems.effective r,
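Review bot: The loop-device mount rule now targets `@{run}/systemd/dissect-root/{,**/}`, but the `umount @{run}/systemd/dissect-root/,` line kept as context right below it still names only the top directory, so partition mounts placed in sub-directories are allowed in but not back out. If systemd-dissect tears those nested mounts down itself, the umount rule should be widened to match: `umount @{run}/systemd/dissect-root/{,**/},`. Any further umount rules of the profile are outside the hunk, so this may already be handled later in the file.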
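Review bot: Apart from the lock (`k`) permission on `owner @{run}/docker/** rwlk,`, every new path rule here (`/etc/docker/{,**} r,`, `/ r,`, the two `containerd/** w` lines, `@{run}/docker/ rw,`, `@{run}/docker.pid rw,`) is already granted by the `/{,**} rwl,` rule that stays in place under the pivot_root TODO, so they change nothing until that blanket rule goes away. If they are meant to record the intended least-privilege set for that day, say so next to them, e.g. `# Explicit rules, kept for when /{,**} above is dropped`. The write-only grants on `owner @{lib}/containerd/** w,` and `owner /var/lib/containerd/** w,` also look odd next to the `rwk` on the docker directories and are worth double-checking against the logs before that blanket rule is removed.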
@@ -101,16 +111,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/sys/kernel/threads-max r,
 @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r,
 @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw,
 @{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw,
 @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
 @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
- owner @{PROC}/@{pids}/attr/current r,
- owner @{PROC}/@{pids}/cgroup r,
- owner @{PROC}/@{pids}/fd/ r,
- owner @{PROC}/@{pids}/mountinfo r,
- owner @{PROC}/@{pids}/net/ip_tables_names r,
- owner @{PROC}/@{pids}/uid_map r,
+ owner @{PROC}/@{pid}/attr/current r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/net/ip_tables_names r,
+ owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,
+ owner @{PROC}/@{pid}/uid_map r,
+
+ /dev/ r,
+ /dev/**/ r,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb
index e1404aba..4826337d 100644
--- a/apparmor.d/profiles-m-r/mandb
+++ b/apparmor.d/profiles-m-r/mandb
@@ -30,7 +30,7 @@ profile mandb @{exec_path} flags=(complain) {
 /usr/{,share/}man/{,**} r,
 /usr/local/{,share/}man/{,**} r,
- /usr/share/**/man/man@{int}/*.@{int}.gz r,
+ /usr/share/**/man/man@{u8}/*.@{int}.gz r,
 owner @{user_share_dirs}/man/** rwk,
diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner
index 87a26b0f..0de15153 100644
--- a/apparmor.d/profiles-m-r/metadata-cleaner
+++ b/apparmor.d/profiles-m-r/metadata-cleaner
@@ -10,7 +10,7 @@ include profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - include + include include include include
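Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw,` lets dockerd toggle IPv4/IPv6 on every interface of the host, where the rule it replaces covered `all` only; the `accept_ra` line directly below already scopes itself to `docker@{int}`. Unless the logs show writes to other interfaces, a bounded set such as `@{PROC}/sys/net/ipv{4,6}/conf/{all,default,docker@{int}}/disable_ipv{4,6} rw,` avoids granting host-wide interface control to the daemon. The `@{pids}` to `@{pid}` change in the same hunk is the opposite, a tightening, and needs no further action.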
@@ -31,17 +31,17 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
 /etc/httpd/conf/mime.types r,
 /etc/mime.types r,
- owner @{tmp}/@{hex64}.png r,
- owner @{tmp}/@{hex64}.png w,
+ owner @{tmp}/@{hex64}.* rw,
 owner @{tmp}/@{rand8} rw,
- owner @{tmp}/tmp@{rand4}_*/{,**} rw,
- owner @{tmp}/tmp@{rand8}/{,**} rw,
+ owner @{tmp}/tmp@{word8} rw,
+ owner @{tmp}/tmp@{word8}/{,**} rw,
 @{run}/mount/utab r,
 owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 deny owner @{user_share_dirs}/gvfs-metadata/* r,
 deny owner @{user_cache_dirs}/thumbnails/** r,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index d409ced7..b3968280 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -34,10 +34,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/platform/devices/ r,
 @{sys}/class/ r,
 @{sys}/class/power_supply/ r,
- @{sys}/devices/@{pci}/uevent r,
 @{sys}/devices/**/power_supply/*/scope r,
- @{sys}/devices/**/power_supply/*/uevent r,
- @{sys}/devices/platform/**/uevent r,
+ @{sys}/devices/**/uevent r,
 @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
 @{sys}/devices/system/cpu/*_pstate/status r,
 @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw,
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index 9e2414b5..f5988004 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
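Review bot: Replacing `owner @{tmp}/tmp@{rand4}_*/{,**} rw,` with `owner @{tmp}/tmp@{word8}/{,**} rw,` drops the open-ended `_*` suffix form, so a `tmp<4 chars>_<name>/` directory only keeps matching if its whole name happens to fit the `@{word8}` width (which depends on how that tunable is defined); worth re-checking against a fresh denial before the old form goes. `owner @{tmp}/@{hex64}.* rw,` likewise widens from `.png` to any extension, which is fine if other image types are cleaned, but a comment naming that intent would explain the glob, e.g. `# temporary copy of the file being cleaned, any extension`. The `comm rw` line is discussed on the gnome-extension-manager hunk.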
@@ -9,30 +9,31 @@ include @{exec_path} = @{bin}/remmina profile remmina @{exec_path} { include + include include include include include + include include + include include include include include - include - include + include include include include - include + include
 network inet stream,
 network inet6 stream,
 network netlink raw,
 #aa:dbus own bus=session name=org.remmina.Remmina
-
- dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**}
- peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members
+ #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
+ #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 @{exec_path} r,
@@ -42,14 +43,13 @@ profile remmina @{exec_path} {
 /etc/timezone r,
 /etc/ssh/ssh_config r,
 /etc/ssh/ssh_config.d/{,*} r,
- /etc/gtk-3.0/settings.ini r,
 owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
+ owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw,
 owner @{user_cache_dirs}/remmina/{,**} rw,
 owner @{user_config_dirs}/autostart/remmina-applet.desktop r,
 owner @{user_config_dirs}/freerdp/known_hosts2 rwk,
- owner @{user_config_dirs}/gtk-3.0/bookmarks r,
 owner @{user_config_dirs}/remmina/{,**} rw,
 owner @{user_share_dirs}/remmina/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem
index a71a80c0..6883e48f 100644
--- a/apparmor.d/profiles-s-z/totem
+++ b/apparmor.d/profiles-s-z/totem
@@ -63,6 +63,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include
 capability dac_override,
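Review bot: `#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell` pins the status-notifier peer to the gnome-shell label, whereas the removed rule accepted any peer (`peer=(name="{:*,org.freedesktop.DBus}")`) on the remmina_icon path, so on a desktop whose tray host runs under a different profile the applet icon will now be denied. If GNOME-only is the intended scope, a comment to that effect next to the directive would save the next person a log hunt; otherwise the other host label has to be added. In the second hunk, `/etc/gtk-3.0/settings.ini r,` and `owner @{user_config_dirs}/gtk-3.0/bookmarks r,` are removed, presumably because one of the newly included abstractions now grants them; the include targets are not legible in this copy of the patch, so that should be confirmed rather than assumed.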
@@ -70,9 +71,13 @@ profile totem @{exec_path} flags=(attach_disconnected) {
 @{bin}/bwrap mr,
 @{bin}/totem-video-thumbnailer rix,
+ /usr/share/ladspa/rdf/{,*} r,
+
+ owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,
+
 owner @{tmp}/flatpak-seccomp-@{rand6} rw,
 owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw,
- owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,
+ owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,
 @{PROC}/sys/vm/mmap_min_addr r,
 owner @{PROC}/@{pid}/task/@{tid}/comm w,