From 6cd01064aee554acd33365e88ce3f00f414e53b9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 15 Jul 2024 23:12:39 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/abstractions/app/sudo | 1 +
 apparmor.d/abstractions/common/systemd | 2 +-
 apparmor.d/abstractions/gnome-strict | 2 ++
 apparmor.d/groups/_full/default | 5 +----
 .../groups/browsers/firefox-crashreporter | 3 +++
 .../groups/children/child-modprobe-nvidia | 2 +-
 apparmor.d/groups/gnome/gdm-session-worker | 1 +
 apparmor.d/groups/gnome/gsd-media-keys | 1 +
 apparmor.d/groups/gnome/session-migration | 2 ++
 apparmor.d/groups/pacman/aurpublish | 21 ++++++++++++++++---
 apparmor.d/groups/systemd/systemd-cryptsetup | 1 +
 apparmor.d/groups/systemd/systemd-logind | 1 +
 apparmor.d/groups/systemd/systemd-udevd | 1 +
 apparmor.d/groups/ubuntu/apport-gtk | 8 +++++--
 apparmor.d/profiles-a-f/agetty | 1 +
 apparmor.d/profiles-a-f/dino-im | 5 ++---
 apparmor.d/profiles-a-f/dkms | 2 +-
 apparmor.d/profiles-a-f/fractal | 2 ++
 apparmor.d/profiles-a-f/fwupd | 3 ++-
 apparmor.d/profiles-g-l/issue-generator | 2 ++
 apparmor.d/profiles-g-l/keepassxc | 1 +
 apparmor.d/profiles-s-z/snapd | 1 +
 apparmor.d/profiles-s-z/spice-vdagent | 3 +++
 apparmor.d/profiles-s-z/steam-gameoverlayui | 1 +
 apparmor.d/profiles-s-z/sudo | 2 ++
 apparmor.d/profiles-s-z/update-ca-trust | 2 +-
 apparmor.d/profiles-s-z/waybar | 1 -
 27 files changed, 59 insertions(+), 18 deletions(-)
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index 6fba1adf..fdd34858 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -41,6 +41,7 @@
 / r,
 /etc/machine-id r,
+ /var/db/sudo/lectured/ r,
 owner /var/lib/sudo/ts/ rw,
 owner /var/lib/sudo/ts/@{uid} rwk,
 owner /var/log/sudo.log wk,
diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd
index 0ed3a824..34e9be9d 100644
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 891e5a57..e9a06e8a 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -13,6 +13,8 @@
 member=Introspect
 peer=(name=:*, label=gnome-shell),
+ /usr/share/icu/@{int}.@{int}/*.dat r,
+
 /usr/{local/,}share/ r,
 /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
 /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index 8e0a3a53..733d227c 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -70,11 +70,8 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{MOUNTS}/** rwl,
 owner @{HOME}/{,**} rwlk,
 owner @{run}/user/@{uid}/{,**} rw,
- owner @{user_config_dirs}/** rwkl,
- owner @{user_share_dirs}/** rwkl,
 owner @{tmp}/{,**} rwk,
-
- owner @{run}/user/@{uid}/{,**} rw,
+ owner @{run}/user/@{uid}/{,**} rwlk,
 @{run}/motd.dynamic.new rw,
diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter
index c1afb00e..8d62a6fb 100644
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@@ -30,6 +30,9 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ @{bin}/curl rix,
+ @{bin}/mv rix,
+
 @{lib_dirs}/minidump-analyzer rPx,
 @{bin}/mv rix,
diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia
index afb48573..fb91234b 100644
--- a/apparmor.d/groups/children/child-modprobe-nvidia
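Review bot: The unchanged context line `owner @{run}/user/@{uid}/{,**} rw,` three lines above the hunk's last change is now fully subsumed by the added `owner @{run}/user/@{uid}/{,**} rwlk,`, so the default profile ends up with two rules for the same path and the narrower one is dead weight. Drop the older `rw` rule, or widen it in place instead of adding a second line, so each path has a single rule. The removed `@{user_config_dirs}` and `@{user_share_dirs}` rules look covered by the existing `owner @{HOME}/{,**} rwlk,`, but that holds only if those tunables resolve under @{HOME}, which this hunk does not show. The enclosing profile continues outside the hunk.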
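Review bot: The added `@{bin}/mv rix,` in firefox-crashreporter duplicates the unchanged `@{bin}/mv rix,` that remains two lines below the insertion point; one of the two should go. `@{bin}/curl rix,` makes curl inherit the crash reporter's whole rule set, including whatever network and file access the profile holds outside this hunk; if curl is only used to send the report, a transition such as `@{bin}/curl rCx -> curl,` with a small child profile keeps its file and network rules separate from the reporter's. The enclosing profile continues outside the hunk.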
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@@ -71,7 +71,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
 # @{sys}/module/{drm,nvidia}/initstate r,
 @{sys}/module/compression r,
- deny @{HOME}/.steam/** r,
+ deny @{HOME}/.steam/** r,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 48ac848c..c5b22014 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 capability sys_tty_config,
 network netlink raw,
+ network unix stream,
 signal (receive) set=term peer=gdm,
 signal (send) set=(hup term) peer=gdm-session,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 1dee1971..9a799d44 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -27,6 +27,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
+ network inet stream,
 network netlink raw,
 #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration
index 1f82e7fe..41c9b28a 100644
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@@ -21,6 +21,8 @@ profile session-migration @{exec_path} {
 owner @{gdm_share_dirs}/session_migration-* rw,
 owner @{user_share_dirs}/session_migration-* rw,
+ /dev/tty@{int} rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 8aba909e..3f46e2fa 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
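Review bot: `network inet stream,` in gsd-media-keys grants unrestricted TCP to a daemon that handles media keys, and nothing in the hunk records what needs it. A one-line comment above the rule naming the feature that triggered the denial would let the next reader judge whether a narrower rule suffices; note also that no matching `network inet6 stream,` is added, so the same feature over IPv6 would still be denied if it applies. The enclosing profile continues outside the hunk.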
@@ -29,7 +29,7 @@ profile aurpublish @{exec_path} {
 @{bin}/date rix,
 @{bin}/gettext rix,
 @{bin}/git rPx,
- @{bin}/gpg{,2} rPx,
+ @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/grep rix,
 @{bin}/makepkg rix,
 @{bin}/mkdir rix,
@@ -48,10 +48,9 @@ profile aurpublish @{exec_path} {
 /etc/makepkg.conf.d/{,**} r,
 owner @{user_build_dirs}/**/ w,
- owner @{user_projects_dirs}/**/ r,
+ owner @{user_projects_dirs}/** r,
 owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
 owner @{user_projects_dirs}/**/.SRCINFO rw,
- owner @{user_projects_dirs}/**/PKGBUILD r,
 owner @{user_cache_dirs}/makepkg/src/* rw,
 owner @{user_config_dirs}/pacman/makepkg.conf r,
@@ -62,6 +61,22 @@ profile aurpublish @{exec_path} {
 /dev/tty rw,
+ profile gpg {
+ include
+
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+
+ owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+ owner @{user_cache_dirs}/makepkg/src/*.asc r,
+
+ owner @{tmp}/tmp.@{rand10} rw,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup
index fba766fe..6ca3e323 100644
--- a/apparmor.d/groups/systemd/systemd-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-cryptsetup
@@ -12,6 +12,7 @@ profile systemd-cryptsetup @{exec_path} {
 include
 include
+ capability dac_read_search,
 capability ipc_lock,
 capability net_admin,
 capability sys_admin,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 855d0d58..d5c7b963 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -63,6 +63,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 /var/lib/systemd/linger/ r,
 @{run}/.#nologin* rw,
+ @{run}/credentials/getty@tty@{int}.service/ r,
 @{run}/host/container-manager r,
 @{run}/nologin rw,
 @{run}/utmp rk,
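Review bot: In the second aurpublish hunk, `owner @{user_projects_dirs}/** r,` replaces `owner @{user_projects_dirs}/**/ r,` and widens read access from directory listings to every file under every project directory, considerably more than the removed `owner @{user_projects_dirs}/**/PKGBUILD r,` needed. If reading PKGBUILD and its sibling sources is the actual requirement, keep the `**/` rule and name the extra files explicitly rather than opening the whole tree. The `rCx -> gpg` transition in the first hunk and the `profile gpg` child in the third are a good isolation step; the child's `include` target is not readable in this rendering, so what it inherits cannot be checked here. The enclosing profile continues outside these hunks.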
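Review bot: `capability dac_read_search,` lets systemd-cryptsetup bypass file read and directory search permission checks everywhere, a broad grant added without a comment; the hunk shows the profile already holds ipc_lock, net_admin and sys_admin. Add a line above it recording what triggered the denial, e.g. `# dac_read_search: <access that triggered it, taken from the audit log>`, and if a single path is what needs reading, prefer a file rule for that path over the capability. The enclosing profile continues outside the hunk.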
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 76a7e21c..8b135199 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -52,6 +52,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/more rPx -> child-pager,
 @{bin}/multipath rPx,
 @{bin}/nfsrahead rix,
+ @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia,
 @{bin}/pager rPx -> child-pager,
 @{bin}/perl rix,
 @{bin}/setfacl rix,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index a63f3889..0fd5fb7d 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -51,6 +51,7 @@ profile apport-gtk @{exec_path} {
 @{bin}/pkexec rPx, # TODO: rCx or something
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/systemd-detect-virt rPx,
+ @{bin}/uname rix,
 @{bin}/which{,.debianutils} rix,
 @{lib}/{,colord/}colord-sane rPx,
 @{lib}/@{multiarch}/ld*.so* rix,
@@ -60,8 +61,8 @@ profile apport-gtk @{exec_path} {
 /usr/share/apport/general-hooks/*.py r,
 /etc/apport/{,**} r,
- /etc/cloud/cloud.cfg.d/{,**} r,
 /etc/bash_completion.d/apport_completion r,
+ /etc/cloud/{,**} r,
 /etc/cron.daily/apport r,
 /etc/default/apport r,
 /etc/gtk-3.0/settings.ini r,
@@ -69,13 +70,15 @@ profile apport-gtk @{exec_path} {
 /etc/logrotate.d/apport r,
 /etc/xdg/autostart/*.desktop r,
- /var/crash/{,*.@{uid}.crash} rw,
 /var/lib/dpkg/info/ r,
 /var/lib/dpkg/info/*.list r,
 /var/lib/usbutils/*.ids r,
 /var/lib/dpkg/info/*.md5sums r,
 /var/log/installer/media-info r,
+ /var/crash/ rw,
+ owner /var/crash/*.@{uid}.{crash,upload} rw,
+
 @{run}/snapd.socket rw,
 /tmp/[a-z0-9]* rw,
@@ -104,6 +107,7 @@ profile apport-gtk @{exec_path} {
 @{bin}/* r,
 /usr/share/gcc/python/{,**/}__pycache__/{,**} rw,
+ /usr/share/gdb/python/{,**/}__pycache__/{,**} rw,
 /usr/share/gdb/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
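Review bot: In the second apport-gtk hunk, `/etc/cloud/{,**} r,` replaces `/etc/cloud/cloud.cfg.d/{,**} r,` and now covers the whole of /etc/cloud recursively; unless the hooks read files outside cloud.cfg.d, keep the original rule and add only the specific extra path that was denied. The third hunk's split into `/var/crash/ rw,` plus the `owner`-scoped `/var/crash/*.@{uid}.{crash,upload} rw,` is a real tightening over the old `/var/crash/{,*.@{uid}.crash} rw,`. The fourth hunk's `rw` on `/usr/share/gdb/python/{,**/}__pycache__/{,**}` mirrors the existing gcc line, but it permits the reporter to write bytecode into a system path; a short comment stating that this is expected only when apport-gtk runs with enough privilege to write there would document the intent. The enclosing profile continues outside these hunks.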
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index c1436f9a..ec711895 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -34,6 +34,7 @@ profile agetty @{exec_path} {
 /etc/os-release r,
 /usr/etc/login.defs r,
+ @{run}/credentials/getty@tty@{int}.service/ r,
 @{run}/credentials/serial-getty@ttyS@{int}.service/ r,
 owner @{run}/agetty.reload rw,
diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im
index f0698983..07fba44a 100644
--- a/apparmor.d/profiles-a-f/dino-im
+++ b/apparmor.d/profiles-a-f/dino-im
@@ -11,10 +11,8 @@ include
 profile dino-im @{exec_path} {
 include
 include
+ include
 include
- include
- include
- include
 include
 include
@@ -46,6 +44,7 @@ profile dino-im @{exec_path} {
 owner @{HOME}/.gnupg/ rw,
 owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 03fab4ec..6d836c63 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -104,7 +104,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner /boot/System.map-* r,
- audit owner @{tmp}/tmp.* r,
+ owner @{tmp}/tmp.@{rand10} r,
 @{sys}/module/compression r,
diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal
index c6355c2f..c7df958f 100644
--- a/apparmor.d/profiles-a-f/fractal
+++ b/apparmor.d/profiles-a-f/fractal
@@ -23,6 +23,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /usr/share/xml/iso-codes/{,**} r,
+
 owner @{tmp}/.@{rand6} rw,
 owner @{tmp}/.goutputstream-@{rand6} rw,
 owner @{tmp}/@{rand6} rw,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index a2cfea34..474ab630 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -142,7 +142,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 owner /var/lib/fwupd/gnupg/ rw,
 owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
- owner @{PROC}/@{pids}/fd/ r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index a54b024a..00600b72 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -26,6 +26,8 @@ profile issue-generator @{exec_path} {
 @{run}/issue.@{rand10} rw,
 @{run}/issue.d/{,**} r,
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index 20be091c..f79a3464 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -74,6 +74,7 @@ profile keepassxc @{exec_path} {
 owner @{tmp}/keepassxc-*.socket rw,
 owner @{tmp}/keepassxc.lock rw,
 owner @{tmp}/keepassxc.socket rw,
+ owner @{tmp}/runtime-user/ w,
 owner @{run}/user/@{pid}/app/ w,
 owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 3892a8ca..fa5ef195 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -40,6 +40,7 @@ profile snapd @{exec_path} {
 network inet dgram,
 network inet6 dgram,
 network netlink raw,
+ network unix stream,
 mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/,
 umount /tmp/syscheck-mountpoint-@{int}/,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index c2fd27ce..93be9c78 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -41,6 +41,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 @{run}/spice-vdagentd/spice-vdagent-sock rw,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
 owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index bbe2452e..077e6cf8 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -18,6 +18,7 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 network inet stream,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 0ba2694b..6f4e290d 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -35,6 +35,8 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
 /opt/*/** PUx,
 /snap/snapd/@{int}@{bin}/snap rPUx,
+ /etc/default/locale r,
+ /var/db/sudo/lectured/ r,
 owner /var/db/sudo/lectured/@{uid} rw,
 owner /var/lib/extrausers/shadow r,
diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust
index 6e70a031..8b69cd1f 100644
--- a/apparmor.d/profiles-s-z/update-ca-trust
+++ b/apparmor.d/profiles-s-z/update-ca-trust
@@ -26,7 +26,7 @@ profile update-ca-trust @{exec_path} {
 /etc/ca-certificates/extracted/** rw,
 /etc/ssl/certs/{,*} rw,
- /etc/ssl/certs/java/cacerts{,.*} w,
+ /etc/ssl/certs/java/** rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar
index b740485f..d5116b04 100644
--- a/apparmor.d/profiles-s-z/waybar
+++ b/apparmor.d/profiles-s-z/waybar
@@ -7,7 +7,6 @@ abi ,
 include
 @{exec_path} = @{bin}/waybar
-
 profile waybar @{exec_path} flags=(attach_disconnected) {
 include
 include
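Review bot: `/var/db/sudo/lectured/ r,` in the sudo profile hunk is also added to abstractions/app/sudo in the same patch; if profiles-s-z/sudo includes that abstraction (its include lines are not within this hunk), the rule is now declared twice and one copy should be dropped. `/etc/default/locale r,` is uncontroversial on its own. The enclosing profile continues outside the hunk.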
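Review bot: `/etc/ssl/certs/java/** rw,` in update-ca-trust replaces the single-file `/etc/ssl/certs/java/cacerts{,.*} w,` and now grants read and write on everything beneath the Java trust-store directory, recursively; this profile is the one that rewrites system trust anchors, so its write scope deserves to stay minimal. If the missing permission was only read on the keystore, `/etc/ssl/certs/java/cacerts{,.*} rw,` is the narrower fix; if other files under java/ are genuinely written, name them instead of using `**`. The enclosing profile continues outside the hunk.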