update apparmor profiles

Mikhail Morfikov 2020-12-24 13:55:12 +01:00
parent 156f5d4e3b
commit 756e2071e1
55 changed files with 398 additions and 75 deletions


@ -39,5 +39,8 @@
# python build configuration and headers # python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r, /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
# Silencer
/{usr/,}lib/python3/** w,
# Include additions to the abstraction # Include additions to the abstraction
include if exists <abstractions/python.d> include if exists <abstractions/python.d>
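Review bot: The rule `/{usr/,}lib/python3/** w,` added under `# Silencer` is an allow rule, not a deny, so every profile that includes this abstraction (it looks like abstractions/python, given the trailing `include if exists <abstractions/python.d>`) gains write access to the whole system Python library tree; for a confined program running as root that is enough to drop modules that other Python processes will import. The per-profile rules this same commit removes from calibre and hardinfo were `deny` rules, which are quiet by default and silence the log without granting anything, so this is a regression from deny to allow. Unless writing under /usr/lib/python3 is genuinely required, make it `deny /{usr/,}lib/python3/** w,`; if the real target is only the bytecode temp files the old calibre rule matched (`**.pyc.[0-9]*`), scope it to that pattern instead.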


@ -67,7 +67,7 @@ profile apt @{exec_path} flags=(complain) {
# Needed? (##FIXME##) # Needed? (##FIXME##)
capability kill, capability kill,
capability fsetid, capability fsetid,
capability net_admin, audit deny capability net_admin,
signal (send) peer=apt-methods-*, signal (send) peer=apt-methods-*,


@ -66,7 +66,7 @@ profile apt-get @{exec_path} flags=(complain) {
# Needed? (##FIXME##) # Needed? (##FIXME##)
capability kill, capability kill,
capability fsetid, capability fsetid,
capability net_admin, audit deny capability net_admin,
signal (send) peer=apt-methods-*, signal (send) peer=apt-methods-*,


@ -17,6 +17,10 @@ include <tunables/global>
profile apt-systemd-daily @{exec_path} { profile apt-systemd-daily @{exec_path} {
include <abstractions/base> include <abstractions/base>
# Needed to remove the following error:
# apt.systemd.daily[]: find: /var/cache/apt/archives/partial: Permission denied
capability dac_read_search,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
@ -29,6 +33,7 @@ profile apt-systemd-daily @{exec_path} {
/{usr/,}bin/which rix, /{usr/,}bin/which rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/du rix, /{usr/,}bin/du rix,
@ -37,6 +42,8 @@ profile apt-systemd-daily @{exec_path} {
/{usr/,}bin/uniq rix, /{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix, /{usr/,}bin/wc rix,
/{usr/,}bin/seq rix, /{usr/,}bin/seq rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx, /{usr/,}bin/apt-get rPx,
@ -49,11 +56,18 @@ profile apt-systemd-daily @{exec_path} {
/var/lib/apt/extended_states r, /var/lib/apt/extended_states r,
/var/backups/apt.extended_states.[0-9]* r, /var/backups/ r,
/var/backups/apt.extended_states rw,
/var/backups/apt.extended_states.[0-9]* rw,
/var/backups/apt.extended_states.[0-9]*.gz w,
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/archives/ r, /var/cache/apt/archives/ r,
/var/cache/apt/archives/partial/ r,
/var/cache/apt/archives/*.deb rw,
/var/cache/apt/backup/ r, /var/cache/apt/backup/ r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-systemd-daily> include if exists <local/apt-systemd-daily>
} }


@ -67,7 +67,7 @@ profile aptitude @{exec_path} flags=(complain) {
capability kill, capability kill,
capability fsetid, capability fsetid,
capability sys_chroot, capability sys_chroot,
capability net_admin, audit deny capability net_admin,
#capability sys_tty_config, #capability sys_tty_config,
signal (send) peer=apt-methods-*, signal (send) peer=apt-methods-*,


@ -29,7 +29,9 @@ profile birdtray @{exec_path} {
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
deny network netlink dgram, network inet dgram,
network inet6 dgram,
network netlink dgram,
@{exec_path} mr, @{exec_path} mr,
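Review bot: The new `network netlink dgram,` line replaces what was an explicit `deny network netlink dgram,`, and the same deny-to-allow flip for netlink dgram/raw appears without explanation in gajim, minitube, psi-plus, qbittorrent, qbittorrent-nox, qnapi, smtube, strawberry, telegram-desktop and tint2. As far as I know AppArmor network rules cannot narrow netlink beyond the socket type, so each of these desktop applications now gets a general netlink socket rather than the one protocol it presumably needs. If the old deny was only a log silencer and the applications worked with it, keeping the deny is the tighter choice; if the allow is really required, record the triggering error above the rule the way this commit does for wavemon (`# Needed to remove the following error:`). I am reading old/new from the two columns since the rendered page dropped the +/- markers.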


@ -22,7 +22,8 @@ profile bluetoothd @{exec_path} {
capability net_admin, capability net_admin,
capability net_bind_service, capability net_bind_service,
network bluetooth, network bluetooth raw,
network bluetooth seqpacket,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -174,9 +174,6 @@ profile calibre @{exec_path} {
/etc/inputrc r, /etc/inputrc r,
/etc/magic r, /etc/magic r,
# Silencer
deny /usr/lib/python3/dist-packages/**.pyc.[0-9]* w,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,


@ -43,9 +43,9 @@ profile check-bios-nx @{exec_path} {
/etc/modprobe.d/ r, /etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r, /etc/modprobe.d/*.conf r,
/usr/lib/modprobe.d/ r, /{usr/,}lib/modprobe.d/ r,
/usr/lib/modprobe.d/*.conf r, /{usr/,}lib/modprobe.d/*.conf r,
/usr/lib/modules/*/modules.* r, /{usr/,}lib/modules/*/modules.* r,
@{PROC}/cmdline r, @{PROC}/cmdline r,


@ -14,15 +14,13 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/check-support-status @{exec_path} = /{usr/,}bin/check-support-status
profile check-support-status @{exec_path} flags=(complain) { profile check-support-status @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} rix, @{exec_path} rix,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/etc/debian_version r,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/gettext.sh r, /{usr/,}bin/gettext.sh r,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
@ -53,7 +51,12 @@ profile check-support-status @{exec_path} flags=(complain) {
/{usr/,}bin/debconf-escape rCx -> debconf-escape, /{usr/,}bin/debconf-escape rCx -> debconf-escape,
/etc/debian_version r,
# For shell pwd
/ r, / r,
owner @{HOME}/ r,
/tmp/ r, /tmp/ r,
owner /tmp/debian-security-support.*/{,**} rw, owner /tmp/debian-security-support.*/{,**} rw,
/tmp/debian-security-support.postinst.*/output w, /tmp/debian-security-support.postinst.*/output w,
@ -66,7 +69,7 @@ profile check-support-status @{exec_path} flags=(complain) {
/usr/share/debian-security-support/* r, /usr/share/debian-security-support/* r,
profile debconf-escape flags=(complain) { profile debconf-escape {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>


@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/share/debian-security-support/check-support-status.hook @{exec_path} = /usr/share/debian-security-support/check-support-status.hook
profile check-support-status-hook @{exec_path} flags=(complain) { profile check-support-status-hook @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -53,7 +53,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/var/lib/debian-security-support/ r, /var/lib/debian-security-support/ r,
profile debconf-escape flags=(complain) { profile debconf-escape {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/perl> include <abstractions/perl>
@ -66,7 +66,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
} }
profile frontend flags=(complain) { profile frontend {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/perl> include <abstractions/perl>
@ -98,7 +98,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
} }
profile runuser flags=(complain) { profile runuser {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -28,7 +28,7 @@ profile dhclient @{exec_path} {
capability net_bind_service, capability net_bind_service,
# Needed? # Needed?
#capability net_admin, audit deny capability net_admin,
audit deny capability sys_module, audit deny capability sys_module,
network inet dgram, network inet dgram,


@ -58,7 +58,7 @@ profile dkms @{exec_path} {
capability setuid, capability setuid,
capability setgid, capability setgid,
/proc/sys/kernel/osrelease r, /proc/sys/kernel/osrelease r,
/usr/lib/linux-kbuild-*/tools/objtool/objtool rix, /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
/ r, / r,
/{usr/,}lib/modules/*/updates/ rw, /{usr/,}lib/modules/*/updates/ rw,


@ -65,14 +65,19 @@ profile engrampa @{exec_path} {
owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/.fr-*/{,**} rw, owner @{HOME}/.cache/.fr-*/{,**} rw,
owner @{HOME}/.config/ r,
owner @{HOME}/.config/mimeapps.list{,.*} rw, owner @{HOME}/.config/mimeapps.list{,.*} rw,
owner @{HOME}/.local/share/ r, owner @{HOME}/.local/share/ r,
/usr/share/engrampa/{,**} r, /usr/share/engrampa/{,**} r,
/usr/share/**.desktop r,
/usr/share/**/icons/**.png r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,


@ -19,27 +19,48 @@ profile exim4 @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet, network inet dgram,
network inet6, network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
# To bind to port 25/tcp
capability net_bind_service,
# To remove the following error:
# exim4[]: exim: setgroups() failed: Operation not permitted
capability setgid,
# To remove the following error:
# exim4[]: unable to set gid=110 or uid=105 (euid=0): calling tls_validate_require_cipher
capability setuid,
# To remove the following error:
# exim4[]: Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=110
capability dac_read_search, capability dac_read_search,
capability dac_override, capability dac_override,
capability setgid,
capability setuid, # To remove the following error:
# exim.c:774: chown(/var/spool/exim4//msglog//1kqH5Z-000RUf-UR, 105:110) failed (Operation not
# permitted). Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391
capability chown, capability chown,
# To remove the following error:
# Couldn't chmod message log /var/spool/exim4//msglog//1kqH6c-000S7r-Ni: Operation not permitted
capability fowner, capability fowner,
capability net_bind_service,
# Sendmail # Needed?
capability net_admin, audit deny capability net_admin,
/var/lib/exim4/config.autogenerated{,.tmp} r, /var/lib/exim4/config.autogenerated{,.tmp} r,
/etc/email-addresses r, /etc/email-addresses r,
/etc/aliases r, /etc/aliases r,
deny /var/log/exim4/ w,
/var/log/exim4/mainlog w, /var/log/exim4/mainlog w,
/var/log/exim4/paniclog w, /var/log/exim4/paniclog w,


@ -35,7 +35,7 @@ profile gajim @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
@{exec_path} r, @{exec_path} r,

26
apparmor.d/gsimplecal Normal file

@ -0,0 +1,26 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gsimplecal
profile gsimplecal @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@{exec_path} mr,
include if exists <local/gsimplecal>
}


@ -123,7 +123,6 @@ profile hardinfo @{exec_path} {
# Silencer # Silencer
deny /usr/share/gdb/python/** w, deny /usr/share/gdb/python/** w,
deny /usr/lib/python3/** w,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,


@ -30,7 +30,7 @@ profile htop @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
# Needed? # Needed?
capability net_admin, audit deny capability net_admin,
signal (send), signal (send),
ptrace (read), ptrace (read),


@ -19,7 +19,8 @@ profile iotop @{exec_path} {
include <abstractions/python> include <abstractions/python>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability net_admin, # Needed?
audit deny capability net_admin,
# To set processes' priorities # To set processes' priorities
capability sys_nice, capability sys_nice,


@ -22,9 +22,8 @@ profile ip @{exec_path} flags=(attach_disconnected) {
# To be able to manage network interfaces. # To be able to manage network interfaces.
capability net_admin, capability net_admin,
#capability sys_admin,
# Needed? # Needed?
#capability sys_admin,
audit deny capability sys_module, audit deny capability sys_module,
network netlink raw, network netlink raw,


@ -43,8 +43,8 @@ profile kvm-ok @{exec_path} {
/etc/modprobe.d/ r, /etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r, /etc/modprobe.d/*.conf r,
/usr/lib/modprobe.d/ r, /{usr/,}lib/modprobe.d/ r,
/usr/lib/modprobe.d/*.conf r, /{usr/,}lib/modprobe.d/*.conf r,
@{PROC}/cmdline r, @{PROC}/cmdline r,


@ -27,7 +27,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
capability setuid, capability setuid,
capability fsetid, capability fsetid,
capability fowner, capability fowner,
capability net_admin,
# Needed?
audit deny capability net_admin,
@{exec_path} mr, @{exec_path} mr,


@ -17,11 +17,13 @@ include <tunables/global>
profile macchanger @{exec_path} { profile macchanger @{exec_path} {
include <abstractions/base> include <abstractions/base>
# To be able to set the MAC address:
# [ERROR] Could not change MAC: interface up or insufficient permissions: Operation not permitted
capability net_admin, capability net_admin,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@{exec_path} mr, @{exec_path} mr,
/usr/share/macchanger/*.list r, /usr/share/macchanger/*.list r,


@ -36,8 +36,8 @@ profile minitube @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -68,8 +68,5 @@ profile mpsyt @{exec_path} {
owner /tmp/mpsyt-input* rw, owner /tmp/mpsyt-input* rw,
owner /tmp/mpsyt-mpv*.sock rw, owner /tmp/mpsyt-mpv*.sock rw,
# Silencer
/usr/lib/python3/** w,
include if exists <local/mpsyt> include if exists <local/mpsyt>
} }


@ -18,6 +18,7 @@ profile nft @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To be able to run the nft command.
capability net_admin, capability net_admin,
network netlink raw, network netlink raw,


@ -38,6 +38,7 @@ profile openbox @{exec_path} {
/etc/xdg/openbox/* r, /etc/xdg/openbox/* r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.config/openbox/ r,
owner @{HOME}/.config/openbox/* r, owner @{HOME}/.config/openbox/* r,
owner @{HOME}/.config/obmenu-generator/icons/[0-9a-f]*.png r, owner @{HOME}/.config/obmenu-generator/icons/[0-9a-f]*.png r,


@ -29,7 +29,11 @@ profile openvpn @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
# Needed to remove the following errors:
# ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
# Exiting due to fatal error
capability net_admin, capability net_admin,
# These are needed when user/group are set in a OpenVPN config file # These are needed when user/group are set in a OpenVPN config file
capability setuid, capability setuid,
capability setgid, capability setgid,
@ -75,6 +79,7 @@ profile openvpn @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To be able to manage firewall rules.
capability net_admin, capability net_admin,
/etc/openvpn/update-resolv-conf.sh r, /etc/openvpn/update-resolv-conf.sh r,
@ -95,6 +100,7 @@ profile openvpn @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To be able to manage firewall rules.
capability net_admin, capability net_admin,
network netlink raw, network netlink raw,

46
apparmor.d/picom Normal file

@ -0,0 +1,46 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/picom{,-trans}
profile picom @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/nameservice-strict>
include <abstractions/mesa-cache-write>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
/{usr/,}bin/sed rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix,
# For migrating from compton.
owner @{HOME}/.config/compton.conf r,
owner @{HOME}/.config/picom.conf r,
owner @{HOME}/.Xauthority r,
@{sys}/devices/pci[0-9]*/**/{uevent,vendor,device,subsystem_vendor,subsystem_device} r,
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/picom>
}
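Review bot: `@{exec_path} = /{usr/,}bin/picom{,-trans}` also attaches this profile to picom-trans, which upstream ships as a shell script (that would explain the sed/xargs/grep/echo rules), yet the profile has no interpreter rule and its exec rule is `mr` rather than the `mrix`/`rix` form the repo's script profiles use (compare apt-systemd-daily and check-support-status in this same commit). Unless a line was lost in rendering, running picom-trans under this profile in enforce mode will likely be denied when the shell is exec'd; worth a test run, and if confirmed add `/{usr/,}bin/{,ba,da}sh rix,` next to the helper rules. The PCI sysfs attribute reads also lack the kind of one-line why-comment given to the compton.conf line, which would help the next maintainer decide whether the glob can be narrowed.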


@ -22,8 +22,8 @@ profile polkitd @{exec_path} {
capability setuid, capability setuid,
capability setgid, capability setgid,
# What's this for? # Needed?
capability net_admin, audit deny capability net_admin,
@{exec_path} mr, @{exec_path} mr,


@ -40,7 +40,7 @@ profile psi-plus @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -41,8 +41,8 @@ profile qbittorrent @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -27,8 +27,8 @@ profile qbittorrent-nox @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -68,8 +68,8 @@ profile qnapi @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink raw, network netlink raw,
deny network netlink dgram, network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -96,9 +96,6 @@ profile reportbug @{exec_path} {
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx, /{usr/,}lib/firefox/firefox rPUx,
# Silencer
/usr/lib/python3/** w,
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>


@ -23,17 +23,19 @@ profile rsyslogd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice> include <abstractions/nameservice>
# Needed to remove the following error:
# rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
capability syslog, capability syslog,
# for remote logs # For remote logs
capability net_admin, capability net_admin,
# Needed?
deny capability sys_nice,
# for creating new log files and changing their owner/group # for creating new log files and changing their owner/group
capability chown, capability chown,
# Needed?
deny capability sys_nice,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/@{multiarch}/rsyslog/*.so mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr,


@ -25,7 +25,8 @@ profile smartd @{exec_path} {
# Device: /dev/disk/by-id/ata-*, not available # Device: /dev/disk/by-id/ata-*, not available
capability sys_rawio, capability sys_rawio,
capability net_admin, # Needed?
deny capability net_admin,
@{exec_path} mr, @{exec_path} mr,
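Review bot: `deny capability net_admin,` under the new `# Needed?` comment is a quiet deny, whereas the same question is answered with `audit deny capability net_admin,` in apt, apt-get, aptitude, htop, iotop, logrotate, polkitd and the systemd-* profiles touched here; the plain form also appears in systemd-fsck, systemd-fsckd and the new systemd-backlight profile. A plain deny never logs, so if smartd does turn out to need the capability the failure is silent and the question in the comment can never be answered from the audit log. Use `audit deny capability net_admin,` here and in the three other profiles, or drop the `# Needed?` comment where the deny is meant to be permanent.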


@ -33,8 +33,8 @@ profile smtube @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -57,6 +57,9 @@ profile spacefm @{exec_path} {
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/fs/cgroup/**/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/**/cpu.cfs_period_us r,
# To read/write files in the system. The read permission is granted for all files, the write # To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
# the list. # the list.


@ -40,8 +40,8 @@ profile strawberry @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -38,6 +38,12 @@ profile sudo @{exec_path} {
# Needed? (#FIXME#) # Needed? (#FIXME#)
capability sys_resource, capability sys_resource,
# To remove the following error:
# sudo: PAM account management error: Permission denied
# sudo: unable to open audit system: Permission denied
# sudo: a password is required
network netlink raw,
signal, signal,
@{exec_path} mr, @{exec_path} mr,


@ -0,0 +1,29 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-ac-power
profile systemd-ac-power @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
owner @{PROC}/@{pid}/stat r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r,
@{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r,
}
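Review bot: The new profile closes without an `include if exists <local/systemd-ac-power>` line, unlike gsimplecal, picom and systemd-detect-virt added in this same commit; the new systemd-backlight, systemd-hostnamed and systemd-localed profiles are missing it as well. Without that include, a site-local adjustment has to be made by editing the shipped profile instead of dropping a file under local/, which is the convention the rest of the tree follows. Add `include if exists <local/systemd-ac-power>` before the closing brace, and the matching line in the other three new profiles.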


@ -0,0 +1,49 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-backlight
profile systemd-backlight @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/systemd-common>
# Needed?
deny capability net_admin,
@{exec_path} mr,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/backlight/ r,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/pci[0-9]*/**/backlight/**/brightness rw,
@{sys}/devices/pci[0-9]*/**/backlight/**/{max_brightness,actual_brightness} r,
@{sys}/devices/pci[0-9]*/**/backlight/**/{uevent,type} r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r,
@{sys}/devices/platform/**/leds/*backlight*/uevent r,
@{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
@{sys}/devices/platform/**/leds/*backlight*/brightness rw,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,
/var/lib/systemd/backlight/*backlight* rw,
}


@ -0,0 +1,29 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-detect-virt
profile systemd-detect-virt @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@{exec_path} mr,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
include if exists <local/systemd-detect-virt>
}


@ -14,15 +14,17 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-fsck @{exec_path} = /{usr/,}lib/systemd/systemd-fsck
profile systemd-fsck @{exec_path} flags=(complain) { profile systemd-fsck @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability net_admin,
capability sys_resource, capability sys_resource,
# Needed?
deny capability net_admin,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}sbin/fsck rPx, /{usr/,}sbin/fsck rPx,


@ -14,14 +14,16 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-fsckd @{exec_path} = /{usr/,}lib/systemd/systemd-fsckd
profile systemd-fsckd @{exec_path} flags=(complain) { profile systemd-fsckd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability net_admin,
capability sys_tty_config, capability sys_tty_config,
# Needed?
deny capability net_admin,
@{exec_path} mr, @{exec_path} mr,
owner @{run}/systemd/fsck.progress w, owner @{run}/systemd/fsck.progress w,


@ -0,0 +1,35 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
profile systemd-hostnamed @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
# To set a hostname
capability sys_admin,
@{exec_path} mr,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
/etc/hostname rw,
/etc/.#hostname* rw,
}


@ -0,0 +1,34 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-localed
profile systemd-localed @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/systemd-common>
# Needed?
audit deny capability net_admin,
@{exec_path} mr,
/etc/default/keyboard r,
/etc/default/locale rw,
/etc/default/.#locale* rw,
/usr/share/systemd/language-fallback-map r,
}


@ -21,7 +21,8 @@ profile systemd-modules-load @{exec_path} {
# To load kernel modules # To load kernel modules
capability sys_module, capability sys_module,
capability net_admin, # Needed?
audit deny capability net_admin,
@{exec_path} mr, @{exec_path} mr,


@ -18,7 +18,8 @@ profile systemd-rfkill @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability net_admin, # Needed?
audit deny capability net_admin,
network netlink raw, network netlink raw,


@ -40,8 +40,8 @@ profile telegram-desktop @{exec_path} {
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
deny network netlink dgram, network netlink dgram,
deny network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,


@ -22,7 +22,7 @@ profile tint2 @{exec_path} {
include <abstractions/deny-root-dir-access> include <abstractions/deny-root-dir-access>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
deny network netlink dgram, network netlink dgram,
@{exec_path} mr, @{exec_path} mr,


@ -20,6 +20,12 @@ profile wavemon @{exec_path} {
# To scan WiFi networks # To scan WiFi networks
capability net_admin, capability net_admin,
network inet dgram,
network inet6 dgram,
# Needed to remove the following error:
# wavemon: failed to connect to GeNetlink: Permission denied
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/.wavemonrc rw, owner @{HOME}/.wavemonrc rw,


@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/wrmsr @{exec_path} = /{usr/,}sbin/wrmsr
profile wrmsr @{exec_path} flags=(complain) { profile wrmsr @{exec_path} {
include <abstractions/base> include <abstractions/base>
# To access /dev/cpu/*/msr . # To access /dev/cpu/*/msr .