diff --git a/apparmor.d/abstractions/python b/apparmor.d/abstractions/python index 11a4e997..9e85ddaa 100644 --- a/apparmor.d/abstractions/python +++ b/apparmor.d/abstractions/python @@ -39,5 +39,8 @@ # python build configuration and headers /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r, + # Silencer + /{usr/,}lib/python3/** w, + # Include additions to the abstraction include if exists diff --git a/apparmor.d/apt b/apparmor.d/apt index ce40b243..c6ff19b7 100644 --- a/apparmor.d/apt +++ b/apparmor.d/apt @@ -67,7 +67,7 @@ profile apt @{exec_path} flags=(complain) { # Needed? (##FIXME##) capability kill, capability fsetid, - capability net_admin, + audit deny capability net_admin, signal (send) peer=apt-methods-*, diff --git a/apparmor.d/apt-get b/apparmor.d/apt-get index 21405246..0e81a445 100644 --- a/apparmor.d/apt-get +++ b/apparmor.d/apt-get @@ -66,7 +66,7 @@ profile apt-get @{exec_path} flags=(complain) { # Needed? (##FIXME##) capability kill, capability fsetid, - capability net_admin, + audit deny capability net_admin, signal (send) peer=apt-methods-*, diff --git a/apparmor.d/apt-systemd-daily b/apparmor.d/apt-systemd-daily index bcc0fb93..2a4161ac 100644 --- a/apparmor.d/apt-systemd-daily +++ b/apparmor.d/apt-systemd-daily @@ -17,6 +17,10 @@ include profile apt-systemd-daily @{exec_path} { include + # Needed to remove the following error: + # apt.systemd.daily[]: find: ‘/var/cache/apt/archives/partial’: Permission denied + capability dac_read_search, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, @@ -29,6 +33,7 @@ profile apt-systemd-daily @{exec_path} { /{usr/,}bin/which rix, /{usr/,}bin/touch rix, /{usr/,}bin/basename rix, + /{usr/,}bin/dirname rix, /{usr/,}bin/date rix, /{usr/,}bin/find rix, /{usr/,}bin/du rix, @@ -37,6 +42,8 @@ profile apt-systemd-daily @{exec_path} { /{usr/,}bin/uniq rix, /{usr/,}bin/wc rix, /{usr/,}bin/seq rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/gzip rix, /{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-get rPx, 
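Review bot: The new `/{usr/,}lib/python3/** w,` in abstractions/python is an allow rule, not a silencer, so every profile that includes this abstraction is now permitted to write anywhere under the system Python library tree — a confined process that is compromised could plant a module that any later Python process, including root-run ones, imports. The per-profile rules this commit removes in calibre and hardinfo were `deny ... w,` rules, so for those two profiles the change turns a deny into a grant; mpsyt and reportbug already had allow rules, which the same problem applied to. If the intent is only to keep the `.pyc` write attempts out of the log, use `deny /{usr/,}lib/python3/** w,` (a plain deny is quiet without `audit`), or at least keep it to the `**.pyc.[0-9]*` pattern the calibre rule used. The abstraction continues outside the hunk.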
@@ -49,11 +56,18 @@ profile apt-systemd-daily @{exec_path} { /var/lib/apt/extended_states r, - /var/backups/apt.extended_states.[0-9]* r, + /var/backups/ r, + /var/backups/apt.extended_states rw, + /var/backups/apt.extended_states.[0-9]* rw, + /var/backups/apt.extended_states.[0-9]*.gz w, /var/cache/apt/ r, /var/cache/apt/archives/ r, + /var/cache/apt/archives/partial/ r, + /var/cache/apt/archives/*.deb rw, /var/cache/apt/backup/ r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/aptitude b/apparmor.d/aptitude index 91eaa14b..f6af1c82 100644 --- a/apparmor.d/aptitude +++ b/apparmor.d/aptitude @@ -67,7 +67,7 @@ profile aptitude @{exec_path} flags=(complain) { capability kill, capability fsetid, capability sys_chroot, - capability net_admin, + audit deny capability net_admin, #capability sys_tty_config, signal (send) peer=apt-methods-*, diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray index 6907c5eb..c6198a7d 100644 --- a/apparmor.d/birdtray +++ b/apparmor.d/birdtray @@ -29,7 +29,9 @@ profile birdtray @{exec_path} { include include - deny network netlink dgram, + network inet dgram, + network inet6 dgram, + network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/bluetoothd b/apparmor.d/bluetoothd index 11377a41..82ca2d6b 100644 --- a/apparmor.d/bluetoothd +++ b/apparmor.d/bluetoothd @@ -22,7 +22,8 @@ profile bluetoothd @{exec_path} { capability net_admin, capability net_bind_service, - network bluetooth, + network bluetooth raw, + network bluetooth seqpacket, network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/calibre b/apparmor.d/calibre index 4e833cce..175a0c33 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -174,9 +174,6 @@ profile calibre @{exec_path} { /etc/inputrc r, /etc/magic r, - # Silencer - deny /usr/lib/python3/dist-packages/**.pyc.[0-9]* w, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, 
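Review bot: `/var/cache/apt/archives/*.deb rw,` in apt-systemd-daily grants read on every cached package as well as write; if the script's only operation on them is the size-constraint cleanup that removes old archives (unlink needs `w` on the file, and `find`/`du` need only directory read), `/var/cache/apt/archives/*.deb w,` would do and keeps this profile from becoming a way to read package contents — please confirm against the script. The backup rotation in the same hunk gets `/var/backups/apt.extended_states.[0-9]* rw,` next to `.gz w,` with no comment; one line naming the rotation step that needs read on the numbered files but only write on the compressed ones would make the asymmetry deliberate rather than accidental. The profile body continues outside the hunk.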
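Review bot: The `deny network netlink dgram,` to `network netlink dgram,` flip in birdtray — and the same deny-to-allow change for netlink in gajim, minitube, psi-plus, qbittorrent, qbittorrent-nox, qnapi, smtube, strawberry, telegram-desktop and tint2 — lands without a comment saying what the application does with a netlink socket, which is exactly what the original deny recorded doubt about. In these Qt/GLib applications this is presumably the network-state monitor querying route netlink for interface changes, but the policy language cannot restrict the netlink family, so the rule also permits every other netlink protocol an unprivileged socket can open; a line such as `# Qt/GLib network-state monitor (route netlink); the family cannot be narrowed in policy` on each would capture that. birdtray additionally gains `network inet dgram,` and `network inet6 dgram,`, most likely for name resolution, which deserves its own comment.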
diff --git a/apparmor.d/check-bios-nx b/apparmor.d/check-bios-nx index 14cff05d..43d7468d 100644 --- a/apparmor.d/check-bios-nx +++ b/apparmor.d/check-bios-nx @@ -43,9 +43,9 @@ profile check-bios-nx @{exec_path} { /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, - /usr/lib/modprobe.d/ r, - /usr/lib/modprobe.d/*.conf r, - /usr/lib/modules/*/modules.* r, + /{usr/,}lib/modprobe.d/ r, + /{usr/,}lib/modprobe.d/*.conf r, + /{usr/,}lib/modules/*/modules.* r, @{PROC}/cmdline r, diff --git a/apparmor.d/check-support-status b/apparmor.d/check-support-status index 40d9926f..30637c4c 100644 --- a/apparmor.d/check-support-status +++ b/apparmor.d/check-support-status @@ -14,15 +14,13 @@ abi , include @{exec_path} = /{usr/,}bin/check-support-status -profile check-support-status @{exec_path} flags=(complain) { +profile check-support-status @{exec_path} { include include @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, - /etc/debian_version r, - /{usr/,}bin/ r, /{usr/,}bin/gettext.sh r, /{usr/,}bin/cat rix, @@ -53,7 +51,12 @@ profile check-support-status @{exec_path} flags=(complain) { /{usr/,}bin/debconf-escape rCx -> debconf-escape, + /etc/debian_version r, + + # For shell pwd / r, + owner @{HOME}/ r, + /tmp/ r, owner /tmp/debian-security-support.*/{,**} rw, /tmp/debian-security-support.postinst.*/output w, @@ -66,7 +69,7 @@ profile check-support-status @{exec_path} flags=(complain) { /usr/share/debian-security-support/* r, - profile debconf-escape flags=(complain) { + profile debconf-escape { include include diff --git a/apparmor.d/check-support-status-hook b/apparmor.d/check-support-status-hook index 09e5171b..9e7447b1 100644 --- a/apparmor.d/check-support-status-hook +++ b/apparmor.d/check-support-status-hook @@ -14,7 +14,7 @@ abi , include @{exec_path} = /usr/share/debian-security-support/check-support-status.hook -profile check-support-status-hook @{exec_path} flags=(complain) { +profile check-support-status-hook @{exec_path} { include include include 
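Review bot: The new `/tmp/ r,` in check-support-status is grouped under `# For shell pwd` with `owner @{HOME}/ r,`, but as far as I can tell a shell's pwd does not need directory-read permission, and read on `/tmp/` lets the confined script list every user's temporary file names. If the rule exists so `mktemp`-style creation of `/tmp/debian-security-support.*` works, the owner-scoped rules just below already cover the created tree and the listing permission may be unnecessary; if it really is needed, a comment naming the command that requires it would help. The same hunk drops `flags=(complain)` from the profile and from the `debconf-escape` subprofile, which is fine provided the profile ran in complain mode long enough to collect the paths added here; the profile body continues outside the hunk.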
@@ -53,7 +53,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /var/lib/debian-security-support/ r, - profile debconf-escape flags=(complain) { + profile debconf-escape { include include include @@ -66,7 +66,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { } - profile frontend flags=(complain) { + profile frontend { include include include @@ -98,7 +98,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { } - profile runuser flags=(complain) { + profile runuser { include include include diff --git a/apparmor.d/dhclient b/apparmor.d/dhclient index 421667c6..134c16cd 100644 --- a/apparmor.d/dhclient +++ b/apparmor.d/dhclient @@ -28,7 +28,7 @@ profile dhclient @{exec_path} { capability net_bind_service, # Needed? - #capability net_admin, + audit deny capability net_admin, audit deny capability sys_module, network inet dgram, diff --git a/apparmor.d/dkms b/apparmor.d/dkms index 6a70947d..96775363 100644 --- a/apparmor.d/dkms +++ b/apparmor.d/dkms @@ -58,7 +58,7 @@ profile dkms @{exec_path} { capability setuid, capability setgid, /proc/sys/kernel/osrelease r, - /usr/lib/linux-kbuild-*/tools/objtool/objtool rix, + /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix, / r, /{usr/,}lib/modules/*/updates/ rw, diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa index 7650fa95..5d92e170 100644 --- a/apparmor.d/engrampa +++ b/apparmor.d/engrampa @@ -65,14 +65,19 @@ profile engrampa @{exec_path} { owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/.fr-*/{,**} rw, + owner @{HOME}/.config/ r, owner @{HOME}/.config/mimeapps.list{,.*} rw, owner @{HOME}/.local/share/ r, /usr/share/engrampa/{,**} r, + /usr/share/**.desktop r, + /usr/share/**/icons/**.png r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/exim4 b/apparmor.d/exim4 index 17477a37..fdc86fad 100644 --- a/apparmor.d/exim4 
+++ b/apparmor.d/exim4 @@ -19,27 +19,48 @@ profile exim4 @{exec_path} { include include - network inet, - network inet6, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, network netlink raw, @{exec_path} mrix, + # To bind to port 25/tcp + capability net_bind_service, + + # To remove the following error: + # exim4[]: exim: setgroups() failed: Operation not permitted + capability setgid, + + # To remove the following error: + # exim4[]: unable to set gid=110 or uid=105 (euid=0): calling tls_validate_require_cipher + capability setuid, + + # To remove the following error: + # exim4[]: Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=110 capability dac_read_search, capability dac_override, - capability setgid, - capability setuid, + + # To remove the following error: + # exim.c:774: chown(/var/spool/exim4//msglog//1kqH5Z-000RUf-UR, 105:110) failed (Operation not + # permitted). Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391 capability chown, + + # To remove the following error: + # Couldn't chmod message log /var/spool/exim4//msglog//1kqH6c-000S7r-Ni: Operation not permitted capability fowner, - capability net_bind_service, - # Sendmail - capability net_admin, + + # Needed? + audit deny capability net_admin, /var/lib/exim4/config.autogenerated{,.tmp} r, /etc/email-addresses r, /etc/aliases r, + deny /var/log/exim4/ w, /var/log/exim4/mainlog w, /var/log/exim4/paniclog w, diff --git a/apparmor.d/gajim b/apparmor.d/gajim index 41eda8c0..d52cf571 100644 --- a/apparmor.d/gajim +++ b/apparmor.d/gajim @@ -35,7 +35,7 @@ profile gajim @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink raw, + network netlink raw, @{exec_path} r, diff --git a/apparmor.d/gsimplecal b/apparmor.d/gsimplecal new file mode 100644 index 00000000..da2d77c1 --- /dev/null +++ b/apparmor.d/gsimplecal 
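Review bot: In exim4 the pair `capability dac_read_search,` / `capability dac_override,` is now justified by a single error about opening `/var/log/exim4/mainlog` at euid=0 egid=110, but that message does not show which of the two is exercised, and dac_override is the far broader one (it bypasses write permission on every path the profile already allows). Suggest giving each its own comment and running with `audit capability dac_override,` for a while to confirm it is actually hit; if the open only has to traverse a directory exim cannot search, dac_read_search alone may suffice. The new `deny /var/log/exim4/ w,` carries no comment at all — if it silences a directory-create attempt, a `# Silencer` line above it keeps the repository's convention. The profile body continues beyond the hunk.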
@@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/gsimplecal +profile gsimplecal @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo index 5d471aba..c0ebd744 100644 --- a/apparmor.d/hardinfo +++ b/apparmor.d/hardinfo @@ -123,7 +123,6 @@ profile hardinfo @{exec_path} { # Silencer deny /usr/share/gdb/python/** w, - deny /usr/lib/python3/** w, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/htop b/apparmor.d/htop index b6e1dfd2..bf8acf86 100644 --- a/apparmor.d/htop +++ b/apparmor.d/htop @@ -30,7 +30,7 @@ profile htop @{exec_path} { capability sys_ptrace, # Needed? - capability net_admin, + audit deny capability net_admin, signal (send), ptrace (read), diff --git a/apparmor.d/iotop b/apparmor.d/iotop index 1f57e362..63920f72 100644 --- a/apparmor.d/iotop +++ b/apparmor.d/iotop @@ -19,7 +19,8 @@ profile iotop @{exec_path} { include include - capability net_admin, + # Needed? + audit deny capability net_admin, # To set processes' priorities capability sys_nice, diff --git a/apparmor.d/ip b/apparmor.d/ip index 2e9e4a73..56f39c0b 100644 --- a/apparmor.d/ip +++ b/apparmor.d/ip @@ -22,9 +22,8 @@ profile ip @{exec_path} flags=(attach_disconnected) { # To be able to manage network interfaces. capability net_admin, - #capability sys_admin, - # Needed? + #capability sys_admin, audit deny capability sys_module, network netlink raw, diff --git a/apparmor.d/kvm-ok b/apparmor.d/kvm-ok index e89edc84..95932a23 100644 --- a/apparmor.d/kvm-ok 
+++ b/apparmor.d/kvm-ok @@ -43,8 +43,8 @@ profile kvm-ok @{exec_path} { /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, - /usr/lib/modprobe.d/ r, - /usr/lib/modprobe.d/*.conf r, + /{usr/,}lib/modprobe.d/ r, + /{usr/,}lib/modprobe.d/*.conf r, @{PROC}/cmdline r, diff --git a/apparmor.d/logrotate b/apparmor.d/logrotate index 070763de..d416746e 100644 --- a/apparmor.d/logrotate +++ b/apparmor.d/logrotate @@ -27,7 +27,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { capability setuid, capability fsetid, capability fowner, - capability net_admin, + + # Needed? + audit deny capability net_admin, @{exec_path} mr, diff --git a/apparmor.d/macchanger b/apparmor.d/macchanger index d58383dc..4e905df8 100644 --- a/apparmor.d/macchanger +++ b/apparmor.d/macchanger @@ -17,11 +17,13 @@ include profile macchanger @{exec_path} { include + # To be able to set the MAC address: + # [ERROR] Could not change MAC: interface up or insufficient permissions: Operation not permitted capability net_admin, network inet dgram, network inet6 dgram, - + @{exec_path} mr, /usr/share/macchanger/*.list r, diff --git a/apparmor.d/minitube b/apparmor.d/minitube index 95d05fe9..8a0cf7af 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -36,8 +36,8 @@ profile minitube @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink dgram, - deny network netlink raw, + network netlink dgram, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/mpsyt b/apparmor.d/mpsyt index 171bb30c..9e236b54 100644 --- a/apparmor.d/mpsyt +++ b/apparmor.d/mpsyt @@ -68,8 +68,5 @@ profile mpsyt @{exec_path} { owner /tmp/mpsyt-input* rw, owner /tmp/mpsyt-mpv*.sock rw, - # Silencer - /usr/lib/python3/** w, - include if exists } diff --git a/apparmor.d/nft b/apparmor.d/nft index 8148d791..8690a2aa 100644 --- a/apparmor.d/nft +++ b/apparmor.d/nft 
@@ -18,6 +18,7 @@ profile nft @{exec_path} { include include + # To be able to run the nft command. capability net_admin, network netlink raw, diff --git a/apparmor.d/openbox b/apparmor.d/openbox index b6a46dc6..affffaf3 100644 --- a/apparmor.d/openbox +++ b/apparmor.d/openbox @@ -38,6 +38,7 @@ profile openbox @{exec_path} { /etc/xdg/openbox/* r, owner @{HOME}/ r, + owner @{HOME}/.config/openbox/ r, owner @{HOME}/.config/openbox/* r, owner @{HOME}/.config/obmenu-generator/icons/[0-9a-f]*.png r, diff --git a/apparmor.d/openvpn b/apparmor.d/openvpn index c45a6304..f6ded7c0 100644 --- a/apparmor.d/openvpn +++ b/apparmor.d/openvpn @@ -29,7 +29,11 @@ profile openvpn @{exec_path} { include include + # Needed to remove the following errors: + # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) + # Exiting due to fatal error capability net_admin, + # These are needed when user/group are set in a OpenVPN config file capability setuid, capability setgid, @@ -75,6 +79,7 @@ profile openvpn @{exec_path} { include include + # To be able to manage firewall rules. capability net_admin, /etc/openvpn/update-resolv-conf.sh r, @@ -95,6 +100,7 @@ profile openvpn @{exec_path} { include include + # To be able to manage firewall rules. capability net_admin, network netlink raw, diff --git a/apparmor.d/picom b/apparmor.d/picom new file mode 100644 index 00000000..6ccaaaca --- /dev/null +++ b/apparmor.d/picom 
@@ -0,0 +1,46 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/picom{,-trans} +profile picom @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/sed rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/echo rix, + + # For migrating from compton. + owner @{HOME}/.config/compton.conf r, + + owner @{HOME}/.config/picom.conf r, + + owner @{HOME}/.Xauthority r, + + @{sys}/devices/pci[0-9]*/**/{uevent,vendor,device,subsystem_vendor,subsystem_device} r, + + owner @{PROC}/@{pid}/fd/ r, + + # file_inherit + owner /dev/tty[0-9]* rw, + + include if exists +} diff --git a/apparmor.d/polkitd b/apparmor.d/polkitd index 3410265a..54a78277 100644 --- a/apparmor.d/polkitd +++ b/apparmor.d/polkitd @@ -22,8 +22,8 @@ profile polkitd @{exec_path} { capability setuid, capability setgid, - # What's this for? - capability net_admin, + # Needed? + audit deny capability net_admin, @{exec_path} mr, diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus index c6b6d750..08a6d593 100644 --- a/apparmor.d/psi-plus +++ b/apparmor.d/psi-plus @@ -40,7 +40,7 @@ profile psi-plus @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink dgram, + network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent index 6e3490d7..702101ee 100644 --- a/apparmor.d/qbittorrent +++ b/apparmor.d/qbittorrent 
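Review bot: `@{exec_path} = /{usr/,}bin/picom{,-trans}` in the new picom profile also attaches to picom-trans, and the `sed`/`xargs`/`grep`/`echo` rules suggest that script is expected to run here, yet there is no rule for the interpreter — if picom-trans is a shell script, as it is upstream, `/{usr/,}bin/{,ba,da}sh rix,` is needed before it can run at all, and its X11 helper tools would need rules too, which I cannot confirm from the hunk. Alternatively keep the script out of `@{exec_path}` and give it its own profile, so the compositor's policy is not widened by a shell script's needs. `/{usr/,}bin/echo rix,` is likely redundant with shells whose echo is a builtin, though harmless.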
@@ -41,8 +41,8 @@ profile qbittorrent @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink dgram, - deny network netlink raw, + network netlink dgram, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/qbittorrent-nox b/apparmor.d/qbittorrent-nox index eb80faa1..7eea7886 100644 --- a/apparmor.d/qbittorrent-nox +++ b/apparmor.d/qbittorrent-nox @@ -27,8 +27,8 @@ profile qbittorrent-nox @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink dgram, - deny network netlink raw, + network netlink dgram, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi index 4230871d..de3e4db1 100644 --- a/apparmor.d/qnapi +++ b/apparmor.d/qnapi @@ -68,8 +68,8 @@ profile qnapi @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink raw, - deny network netlink dgram, + network netlink raw, + network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug index 62219f8f..e30196fe 100644 --- a/apparmor.d/reportbug +++ b/apparmor.d/reportbug @@ -96,9 +96,6 @@ profile reportbug @{exec_path} { # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, - # Silencer - /usr/lib/python3/** w, - profile run-parts { include diff --git a/apparmor.d/rsyslogd b/apparmor.d/rsyslogd index 6affe0c3..f99170c0 100644 --- a/apparmor.d/rsyslogd +++ b/apparmor.d/rsyslogd @@ -23,17 +23,19 @@ profile rsyslogd @{exec_path} { include include + # Needed to remove the following error: + # rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted. capability syslog, - # for remote logs + # For remote logs capability net_admin, - # Needed? - deny capability sys_nice, - # for creating new log files and changing their owner/group capability chown, + # Needed? + deny capability sys_nice, + @{exec_path} mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, 
diff --git a/apparmor.d/smartd b/apparmor.d/smartd index 41f34453..4fc97959 100644 --- a/apparmor.d/smartd +++ b/apparmor.d/smartd @@ -25,7 +25,8 @@ profile smartd @{exec_path} { # Device: /dev/disk/by-id/ata-*, not available capability sys_rawio, - capability net_admin, + # Needed? + deny capability net_admin, @{exec_path} mr, diff --git a/apparmor.d/smtube b/apparmor.d/smtube index 462597bd..85df3f23 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -33,8 +33,8 @@ profile smtube @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink dgram, - deny network netlink raw, + network netlink dgram, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/spacefm b/apparmor.d/spacefm index 83a9d0ae..240a6f23 100644 --- a/apparmor.d/spacefm +++ b/apparmor.d/spacefm @@ -57,6 +57,9 @@ profile spacefm @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, + @{sys}/fs/cgroup/**/cpu.cfs_quota_us r, + @{sys}/fs/cgroup/**/cpu.cfs_period_us r, + # To read/write files in the system. The read permission is granted for all files, the write # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in # the list. diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index 3a2909a6..0bfcef51 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry @@ -40,8 +40,8 @@ profile strawberry @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink dgram, - deny network netlink raw, + network netlink dgram, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/sudo b/apparmor.d/sudo index b8cd2a68..427128d2 100644 --- a/apparmor.d/sudo +++ b/apparmor.d/sudo 
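Review bot: smartd uses `deny capability net_admin,` without the `audit` qualifier, while apt, apt-get, dhclient, htop and most other profiles in this commit use `audit deny capability net_admin,`; the same plain deny appears in systemd-fsck, systemd-fsckd and the new systemd-backlight. A plain deny is silent, so the `# Needed?` question written above it can never be answered from the log; either make it `audit deny capability net_admin,` for consistency with the rest of the change, or drop the comment once the capability is known to be unneeded.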
@@ -38,6 +38,12 @@ profile sudo @{exec_path} { # Needed? (#FIXME#) capability sys_resource, + # To remove the following error: + # sudo: PAM account management error: Permission denied + # sudo: unable to open audit system: Permission denied + # sudo: a password is required + network netlink raw, + signal, @{exec_path} mr, diff --git a/apparmor.d/systemd-ac-power b/apparmor.d/systemd-ac-power new file mode 100644 index 00000000..80a4ac1b --- /dev/null +++ b/apparmor.d/systemd-ac-power @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-ac-power +profile systemd-ac-power @{exec_path} { + include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/stat r, + + @{sys}/class/power_supply/ r, + + @{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r, + @{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r, + +} diff --git a/apparmor.d/systemd-backlight b/apparmor.d/systemd-backlight new file mode 100644 index 00000000..1108981d --- /dev/null +++ b/apparmor.d/systemd-backlight 
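Review bot: The new `network netlink raw,` in sudo is explained by the PAM and "unable to open audit system" errors, which appear to come from libaudit opening an audit-family netlink socket; since policy cannot restrict netlink to one family, the rule also lets sudo open route, uevent and any other netlink socket. That cannot be avoided in the profile, but the comment should say so — e.g. `# libaudit needs a netlink socket; the family cannot be narrowed in policy` — so a later reader does not try to tighten it and break PAM. The profile body continues outside the hunk.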
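Review bot: The new systemd-ac-power profile closes without the `include if exists` local-override line that gsimplecal, picom and systemd-detect-virt end with (the bracketed target is stripped in this rendering), and systemd-backlight, systemd-hostnamed and systemd-localed in this commit omit it as well. Without it an administrator cannot extend the profile in place, which is the mechanism the rest of the repository relies on; add the line before the closing brace in all four new profiles.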
@@ -0,0 +1,49 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-backlight +profile systemd-backlight @{exec_path} flags=(complain) { + include + include + + # Needed? + deny capability net_admin, + + @{exec_path} mr, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/backlight/ r, + + @{sys}/devices/pci[0-9]*/**/class r, + @{sys}/devices/pci[0-9]*/**/backlight/**/brightness rw, + @{sys}/devices/pci[0-9]*/**/backlight/**/{max_brightness,actual_brightness} r, + @{sys}/devices/pci[0-9]*/**/backlight/**/{uevent,type} r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r, + + @{sys}/devices/platform/**/leds/*backlight*/uevent r, + @{sys}/devices/platform/**/leds/*backlight*/max_brightness r, + @{sys}/devices/platform/**/leds/*backlight*/brightness rw, + + + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:*backlight* r, + + /var/lib/systemd/backlight/*backlight* rw, + +} + diff --git a/apparmor.d/systemd-detect-virt b/apparmor.d/systemd-detect-virt new file mode 100644 index 00000000..353a0cb8 --- /dev/null +++ b/apparmor.d/systemd-detect-virt 
@@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/systemd-detect-virt +profile systemd-detect-virt @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + + include if exists +} diff --git a/apparmor.d/systemd-fsck b/apparmor.d/systemd-fsck index 57571dd1..c4f30820 100644 --- a/apparmor.d/systemd-fsck +++ b/apparmor.d/systemd-fsck @@ -14,15 +14,17 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-fsck -profile systemd-fsck @{exec_path} flags=(complain) { +profile systemd-fsck @{exec_path} { include include include include - capability net_admin, capability sys_resource, + # Needed? + deny capability net_admin, + @{exec_path} mr, /{usr/,}sbin/fsck rPx, diff --git a/apparmor.d/systemd-fsckd b/apparmor.d/systemd-fsckd index 2facf213..91593c3c 100644 --- a/apparmor.d/systemd-fsckd +++ b/apparmor.d/systemd-fsckd @@ -14,14 +14,16 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} flags=(complain) { +profile systemd-fsckd @{exec_path} { include include include - capability net_admin, capability sys_tty_config, + # Needed? + deny capability net_admin, + @{exec_path} mr, owner @{run}/systemd/fsck.progress w, diff --git a/apparmor.d/systemd-hostnamed b/apparmor.d/systemd-hostnamed new file mode 100644 index 00000000..5a09fc10 --- /dev/null +++ b/apparmor.d/systemd-hostnamed 
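Review bot: The new systemd-detect-virt profile grants only the four DMI reads under `@{sys}/devices/virtual/dmi/id/`, which covers hypervisor detection on x86, but if I remember upstream's implementation correctly container detection also reads at least `@{PROC}/1/environ` and `@{run}/systemd/container`, and other platforms consult `/proc/xen` and `/proc/device-tree`. The profile enforces from the start, so those reads would be denied and the tool could misreport; a pass in `flags=(complain)` on a container host before landing it in enforce mode would settle which paths are missing.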
@@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed +profile systemd-hostnamed @{exec_path} { + include + include + + # To set a hostname + capability sys_admin, + + @{exec_path} mr, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + + /etc/hostname rw, + /etc/.#hostname* rw, + +} diff --git a/apparmor.d/systemd-localed b/apparmor.d/systemd-localed new file mode 100644 index 00000000..5cb58fcd --- /dev/null +++ b/apparmor.d/systemd-localed @@ -0,0 +1,34 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2018-2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-localed +profile systemd-localed @{exec_path} { + include + include + include + + # Needed? + audit deny capability net_admin, + + @{exec_path} mr, + + /etc/default/keyboard r, + + /etc/default/locale rw, + /etc/default/.#locale* rw, + + /usr/share/systemd/language-fallback-map r, + +} diff --git a/apparmor.d/systemd-modules-load b/apparmor.d/systemd-modules-load index 7010869c..84881bf6 100644 --- a/apparmor.d/systemd-modules-load 
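Review bot: `capability sys_admin,` in the new systemd-hostnamed profile is what sethostname(2) requires, but CAP_SYS_ADMIN is the catch-all capability, so `# To set a hostname` reads like a casual grant; make the comment say why nothing narrower is possible, e.g. `# sethostname(2) requires CAP_SYS_ADMIN; no narrower capability exists`. Separately, hostnamed also maintains `/etc/machine-info` in the same atomic-rename style as `/etc/hostname`, so `/etc/machine-info rw,` and `/etc/.#machine-info* rw,` are likely to be needed as soon as a client sets the pretty hostname or chassis — worth confirming in complain mode before this profile is relied on.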
+++ b/apparmor.d/systemd-modules-load @@ -21,7 +21,8 @@ profile systemd-modules-load @{exec_path} { # To load kernel modules capability sys_module, - capability net_admin, + # Needed? + audit deny capability net_admin, @{exec_path} mr, diff --git a/apparmor.d/systemd-rfkill b/apparmor.d/systemd-rfkill index 8010e594..cbde70e1 100644 --- a/apparmor.d/systemd-rfkill +++ b/apparmor.d/systemd-rfkill @@ -18,7 +18,8 @@ profile systemd-rfkill @{exec_path} { include include - capability net_admin, + # Needed? + audit deny capability net_admin, network netlink raw, diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop index 91a2120d..9c3fa1b3 100644 --- a/apparmor.d/telegram-desktop +++ b/apparmor.d/telegram-desktop @@ -40,8 +40,8 @@ profile telegram-desktop @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink dgram, - deny network netlink raw, + network netlink dgram, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/tint2 b/apparmor.d/tint2 index 4eed94a5..ad1ef41a 100644 --- a/apparmor.d/tint2 +++ b/apparmor.d/tint2 @@ -22,7 +22,7 @@ profile tint2 @{exec_path} { include include - deny network netlink dgram, + network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/wavemon b/apparmor.d/wavemon index bc07f682..d8cfc009 100644 --- a/apparmor.d/wavemon +++ b/apparmor.d/wavemon @@ -20,6 +20,12 @@ profile wavemon @{exec_path} { # To scan WiFi networks capability net_admin, + network inet dgram, + network inet6 dgram, + # Needed to remove the following error: + # wavemon: failed to connect to GeNetlink: Permission denied + network netlink raw, + @{exec_path} mr, owner @{HOME}/.wavemonrc rw, diff --git a/apparmor.d/wrmsr b/apparmor.d/wrmsr index 302e1db9..bcb4ab52 100644 --- a/apparmor.d/wrmsr +++ b/apparmor.d/wrmsr @@ -14,7 +14,7 @@ abi , include @{exec_path} = /{usr/,}sbin/wrmsr -profile wrmsr @{exec_path} flags=(complain) { +profile wrmsr @{exec_path} { include # To access /dev/cpu/*/msr .