From 70b4fa665bff05944f3d16108c77d595cc1362bc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 10 Sep 2021 00:17:44 +0100
Subject: [PATCH] Profiles update.
---
 apparmor.d/groups/desktop/colord | 2 +-
 apparmor.d/groups/desktop/dconf-service | 5 ++--
 apparmor.d/groups/gnome/gnome-music | 4 ++-
 apparmor.d/groups/gnome/gnome-session-binary | 3 +++
 apparmor.d/groups/gnome/gnome-shell | 3 +++
 apparmor.d/groups/gnome/gsd-color | 2 +-
 apparmor.d/groups/gnome/gsd-media-keys | 1 +
 apparmor.d/groups/gnome/gsd-sound | 2 ++
 apparmor.d/groups/gnome/nautilus | 1 +
 apparmor.d/groups/gnome/tracker-extract | 3 ++-
 apparmor.d/groups/pacman/pacman | 27 +++++++++++++++-----
 apparmor.d/groups/pacman/pacman-hook-dkms | 3 +++
 apparmor.d/groups/pacman/pacman-key | 1 +
 apparmor.d/groups/systemd/systemd-escape | 17 ++++++++++++
 apparmor.d/groups/systemd/systemd-logind | 6 ++---
 apparmor.d/profiles-m-z/pulseaudio | 3 +++
 apparmor.d/profiles-m-z/udisksd | 22 +---------------
 apparmor.d/profiles-m-z/xdg-user-dirs-update | 12 ++++++++-
 18 files changed, 80 insertions(+), 37 deletions(-)
 create mode 100644 apparmor.d/groups/systemd/systemd-escape
diff --git a/apparmor.d/groups/desktop/colord b/apparmor.d/groups/desktop/colord
index 12dd8522..2ec714e3 100644
--- a/apparmor.d/groups/desktop/colord
+++ b/apparmor.d/groups/desktop/colord
@@ -23,7 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/colord/** r,
 owner /var/lib/colord/.cache/ rw,
 owner /var/lib/colord/.cache/** rw,
- owner /var/lib/colord/{mapping,storage}.db rwk,
+ owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
 /var/lib/gdm/.local/share/icc/edid-*.icc r,
 /etc/udev/hwdb.bin r,
diff --git a/apparmor.d/groups/desktop/dconf-service b/apparmor.d/groups/desktop/dconf-service
index 2711cb69..5569b918 100644
--- a/apparmor.d/groups/desktop/dconf-service
+++ b/apparmor.d/groups/desktop/dconf-service
@@ -13,7 +13,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
 # Needed?
 deny capability sys_nice,
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term hup) peer=gdm*,
 @{exec_path} mr,
@@ -26,7 +26,8 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/dconf/ rw,
 owner @{user_cache_dirs}/dconf/user rw,
- /var/lib/gdm/.config/dconf/user r,
+ /var/lib/gdm/.config/dconf/ rw,
+ /var/lib/gdm/.config/dconf/user rw,
 /var/lib/gdm/.config/dconf/user.* rw,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 44dbdd77..5efb5434 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -13,8 +13,10 @@ profile gnome-music @{exec_path} {
 include
 include
 include
- include
 include
+ include
+ include
+ include
 network inet stream,
 network inet6 stream,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index da00008d..624ffe33 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -44,6 +44,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /usr/share/gnome-session/hardware-compatibility r,
 /usr/share/gnome-session/sessions/*.session r,
+ /var/lib/gdm/.config/gnome-session/ rw,
+ /var/lib/gdm/.config/gnome-session/saved-session/ rw,
+
 owner @{user_config_dirs}/gnome-session/saved-session/ r,
 owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
 owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 19c8d521..123a5033 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
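Review bot: The peer in `signal (receive) set=(term hup) peer=gdm*,` in the first dconf-service hunk is widened from the single profile `gdm` to a glob, so any profile whose name starts with gdm (session workers, X session wrappers, and anything added later under that prefix) may now deliver TERM and HUP to the service. If the HUP comes from one identifiable gdm helper, naming it (or listing the two peers) keeps the rule as tight as before; if the glob is really needed, a comment such as `# gdm and its session helpers signal the service on logout/reload` next to the rule would record why. The profile body starts before and continues after both hunks.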
@@ -61,7 +61,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ /var/lib/gdm/.config/pulse/ r,
 /var/lib/gdm/.config/pulse/client.conf r,
+ /var/lib/gdm/.config/pulse/cookie rw,
+ /var/lib/gdm/.local/share/gnome-shell/ rw,
 /var/lib/gdm/.local/share/applications/{,**} r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 8aa13eab..0a5ef96c 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -22,7 +22,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /usr/share/X11/xkb/** r,
- /var/lib/gdm/.local/share/icc/ r,
+ /var/lib/gdm/.local/share/icc/ rw,
 /var/lib/gdm/.local/share/icc/edid-*.icc rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 78453ed8..7ab7faaa 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -35,6 +35,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
 /var/lib/gdm/.config/pulse/client.conf r,
+ /var/lib/gdm/.config/pulse/cookie rk,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index 4f27eaea..c51a8cf6 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -17,6 +17,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /var/lib/gdm/.local/share/sounds/ rw,
+ include
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index fc3e4854..d6417069 100644
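Review bot: The gnome-shell hunk grants `/var/lib/gdm/.config/pulse/cookie rw,` while the gsd-media-keys hunk in this same commit grants the same file only `rk`; the cookie is the PulseAudio client authentication secret, so the two profiles should agree on the least mode that works. If gnome-shell only presents the cookie as a client, `/var/lib/gdm/.config/pulse/cookie rk,` matches gsd-media-keys and avoids handing the shell write access to the token; if it genuinely (re)creates the cookie, a one-line comment saying so would justify `rw`. Either way, since the greeter session runs as the gdm user, an `owner` qualifier would tie the rule to that uid. The enclosing profile starts and ends outside the hunk.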
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -19,6 +19,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 /usr/share/nautilus/{,**} r,
 /usr/share/tracker3/{,**} r,
+ /usr/share/sounds/freedesktop/stereo/*.oga r,
 owner @{user_share_dirs}/nautilus/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index c6d7eada..2c8558cf 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -20,6 +20,7 @@ profile tracker-extract @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/mime/mime.cache r,
 /usr/share/osinfo/{,**} r,
+ /usr/share/poppler/{,**} r,
 /usr/share/tracker3-miners/{,**} r,
 /usr/share/tracker3/{,**} r,
@@ -40,7 +41,7 @@ profile tracker-extract @{exec_path} {
 @{run}/udev/data/c235:* r,
 @{run}/udev/data/c236:* r,
- @{run}/udev/data/c510:* r,
+ @{run}/udev/data/c51[0-9]:* r,
 /dev/video[0-9]* rw,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 56e3e099..87302762 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -41,17 +41,22 @@ profile pacman @{exec_path} {
 /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/gpgconf rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
- /{usr/,}{s,}bin/ldconfig rix,
- /{usr/,}bin/{,ba}sh rix,
+ # Pacman hooks & install scripts
+ /{usr/,}{s,}bin/ldconfig rix,
+ /{usr/,}bin/{,ba}sh rix,
+ /{usr/,}bin/dot rix,
+ /{usr/,}bin/env rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/vercmp rix,
+ /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
 /{usr/,}bin/arch-audit rPx,
 /{usr/,}bin/bootctl rPx,
- /{usr/,}bin/env rix,
 /{usr/,}bin/fc-cache rPx,
 /{usr/,}bin/gdk-pixbuf-query-loaders rPx,
 /{usr/,}bin/glib-compile-schemas rPx,
- /{usr/,}bin/gtk-query-immodules-3.0 rPx,
+ /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
 /{usr/,}bin/install-info rPx,
 /{usr/,}bin/killall rPx,
 /{usr/,}bin/pacdiff rPx,
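Review bot: The new heading `# Pacman hooks & install scripts` over the `rix` block in the pacman hunk does not say what the `ix` mode implies: `{,ba}sh`, `env`, `rm` and the other helpers run inside pacman's own profile, so every package install script inherits the broad `/usr/{,**} rwl` and `/var/{,**} rwl` rules this profile carries rather than any confinement of its own. A reader deciding whether a new helper belongs in this block or in the `rPx` block below needs that distinction stated, e.g. `# Pacman hooks & install scripts: ix keeps them under this profile's (wide) rules; prefer rPx when a dedicated profile exists`. The profile body continues beyond the hunk on both sides.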
@@ -61,9 +66,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/update-ca-trust rPx,
 /{usr/,}bin/update-desktop-database rPx,
 /{usr/,}bin/update-mime-database rPx,
- /{usr/,}bin/vercmp rix,
 /{usr/,}lib/dkms/alpm-hook rPx,
- /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
 /{usr/,}lib/systemd/systemd-* rPx,
 /{usr/,}lib/vlc/vlc-cache-gen rPx,
 /usr/share/libalpm/scripts/* rPx,
@@ -77,6 +80,17 @@ profile pacman @{exec_path} {
 /usr/{,**} rwl,
 /var/{,**} rwl,
+ /bin/ rwl,
+ /home/ rw,
+ /lib/ rwl,
+ /lib64/ rwl,
+ /sbin/ rwl,
+
+ @{PROC}/ r,
+ @{run}/ r,
+ @{sys}/ r,
+ /mnt r,
+
 # Read packages files
 @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@@ -116,5 +130,6 @@ profile pacman @{exec_path} {
 owner /etc/pacman.d/gnupg/** rwkl,
 }
+ include if exists
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index 094ea635..60bc88e6 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -10,9 +10,12 @@ include
 profile pacman-hook-dkms @{exec_path} {
 include
+ capability dac_read_search,
+
 @{exec_path} mr,
 /{usr/,}bin/kmod rPx,
+ /{usr/,}bin/dkms rPx,
 # Inherit Silencer
 deny network inet6 stream,
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 734714b7..9d28e00e 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -15,6 +15,7 @@ profile pacman-key @{exec_path} {
 /{usr/,}bin/basename rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/grep rix,
 /{usr/,}bin/pacman-conf rPx,
 /{usr/,}bin/tput rix,
diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape
new file mode 100644
index 00000000..3e2d553e
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-escape
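Review bot: `/mnt r,` in the second pacman hunk (the `@@ -77,6 +80,17 @@` one) is the only entry in its group without a trailing slash; the neighbouring `@{PROC}/ r,`, `@{run}/ r,`, `@{sys}/ r,` and `/home/ rw,` all name directories with one. AppArmor matches a directory with the trailing `/`, so as written the rule covers a regular file called /mnt and a directory listing of /mnt/ would still be denied; if the intent is the directory, change it to `/mnt/ r,`. The profile body continues outside this hunk.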
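Review bot: `capability dac_read_search,` in the pacman-hook-dkms hunk lets the hook read and traverse any file regardless of its DAC permissions, and the hunk gives no hint of which access needs it. A short comment above the line naming the path or operation that triggered the denial (for example `# needed to read <path observed in audit log> during module build`, with the real path filled in) lets the next reviewer re-check whether a narrower file rule would do. The added `/{usr/,}bin/dkms rPx,` also presumes a standalone `dkms` profile is present in the set, which I cannot confirm from this diff; without one the transition fails at exec time, so it is worth checking before merging. The profile continues past the hunk.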
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/systemd-escape
+profile systemd-escape @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index db9946bc..3552776a 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -49,16 +49,16 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
 @{run}/udev/data/+backlight:intel_backlight r,
- @{run}/systemd/seats/ r,
+ @{run}/systemd/seats/ rw,
 @{run}/systemd/seats/.#seat* rw,
 @{run}/systemd/seats/seat[0-9]* rw,
 @{run}/systemd/inhibit/ r,
 @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
 @{run}/systemd/inhibit/.#* rw,
- @{run}/systemd/sessions/ r,
+ @{run}/systemd/sessions/ rw,
 @{run}/systemd/sessions/[0-9]*{,.ref} rw,
 @{run}/systemd/sessions/.#* rw,
- @{run}/systemd/users/ r,
+ @{run}/systemd/users/ rw,
 @{run}/systemd/users/@{uid} rw,
 @{run}/systemd/users/.#* rw,
 @{run}/systemd/userdb/ r,
diff --git a/apparmor.d/profiles-m-z/pulseaudio b/apparmor.d/profiles-m-z/pulseaudio
index f63cb659..d4c7f898 100644
--- a/apparmor.d/profiles-m-z/pulseaudio
+++ b/apparmor.d/profiles-m-z/pulseaudio
@@ -83,6 +83,9 @@ profile pulseaudio @{exec_path} {
 #owner @{HOME}/orcexec.* mrw,
 #owner /tmp/orcexec.* mrw,
+ # For GDM
+ /var/lib/gdm/.config/pulse/ rw,
+
 # For SDDM
 owner /var/lib/sddm/.config/pulse/ rw,
 owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw,
diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd
index 5e49c159..3914dc44 100644
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
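Review bot: The new standalone systemd-escape profile contains only its includes and `@{exec_path} mr,`, yet the udisksd hunks in this same commit switch `/{usr/,}bin/systemd-escape` from `rCx` to `rPx` and delete a child profile that carried `ptrace (read)`, `@{PROC}/cmdline r`, `@{PROC}/1/environ r`, `@{PROC}/sys/kernel/osrelease r`, the SecureBoot efivars rule and `/dev/kmsg w`. If those rules reflected real accesses when udisksd invoked the tool, the new profile will now produce denials for them; if they were over-grants, dropping `/dev/kmsg w` and the `/proc/1` reads is a welcome tightening. I cannot tell which from the diff, so the profile should carry a comment recording the decision, e.g. `# Replaces the former udisksd child profile; the proc/kmsg/efivars rules it had were not needed`, or the needed subset should be re-added here. The include paths themselves are not visible in this rendering, so I cannot check what the two in-profile includes pull in.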
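Review bot: In the pulseaudio hunk the new `/var/lib/gdm/.config/pulse/ rw,` has no `owner` qualifier, while the SDDM block two lines below, which serves the same purpose, is written `owner /var/lib/sddm/.config/pulse/ rw,`. For consistency and to keep the write tied to the uid the greeter's pulseaudio runs as, I would write it `owner /var/lib/gdm/.config/pulse/ rw,`. The gnome-shell, gsd-media-keys and dconf-service hunks in this commit add `/var/lib/gdm/...` rules without `owner` as well; whether that is deliberate for per-profile reasons is not stated anywhere in the diff.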
@@ -44,8 +44,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}{s,}bin/lvm rPUx,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
-
- /{usr/,}bin/systemd-escape rCx -> systemd-escape,
+ /{usr/,}bin/systemd-escape rPx,
 # Allow mounting of removable devices
 mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/sd[a-z] -> @{MOUNTS}/*/*/,
@@ -131,24 +130,5 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/seats/seat[0-9]* r,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
- profile systemd-escape {
- include
-
- ptrace (read),
-
- /{usr/,}bin/systemd-escape mr,
-
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
- owner @{PROC}/@{pid}/stat r,
-
- @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-
- /dev/kmsg w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/profiles-m-z/xdg-user-dirs-update b/apparmor.d/profiles-m-z/xdg-user-dirs-update
index 2f05f750..f72c075f 100644
--- a/apparmor.d/profiles-m-z/xdg-user-dirs-update
+++ b/apparmor.d/profiles-m-z/xdg-user-dirs-update
@@ -14,7 +14,17 @@ profile xdg-user-dirs-update @{exec_path} {
 /etc/xdg/user-dirs.conf r,
 /etc/xdg/user-dirs.defaults r,
- /var/lib/gdm/.config/user-dirs.dirs r,
+
+ /var/lib/gdm/.config/user-dirs.dirs{,*} rw,
+ /var/lib/gdm/.config/user-dirs.locale rw,
+ /var/lib/gdm/@{XDG_DESKTOP_DIR}/ rw,
+ /var/lib/gdm/@{XDG_DOCUMENTS_DIR}/ rw,
+ /var/lib/gdm/@{XDG_DOWNLOAD_DIR}/ rw,
+ /var/lib/gdm/@{XDG_MUSIC_DIR}/ rw,
+ /var/lib/gdm/@{XDG_PICTURES_DIR}/ rw,
+ /var/lib/gdm/@{XDG_PUBLICSHARE_DIR}/ rw,
+ /var/lib/gdm/@{XDG_TEMPLATES_DIR}/ rw,
+ /var/lib/gdm/@{XDG_VIDEOS_DIR}/ rw,
 owner @{user_config_dirs}/user-dirs.dirs r,