From 779853dc7f0158ecca917627c0278f3f12117271 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Sun, 12 Jun 2022 22:51:37 +0100
Subject: [PATCH] feat(profiles): new definition for MOUNTs, add MOUNTDIRS.
---
apparmor.d/abstractions/user-download-strict | 4 +- apparmor.d/abstractions/user-write.d/complete | 14 ++--- apparmor.d/groups/apps/android-studio | 4 +- apparmor.d/groups/apps/atom | 6 +-- apparmor.d/groups/apps/calibre | 6 +-- apparmor.d/groups/apps/code | 5 +- apparmor.d/groups/apps/filezilla | 4 +- apparmor.d/groups/apt/apt-cdrom | 10 ++-- apparmor.d/groups/gpg/dirmngr | 10 ++-- apparmor.d/groups/gpg/gpg | 2 +- apparmor.d/groups/gpg/gpg-agent | 12 ++--- apparmor.d/groups/gvfs/gvfsd-archive | 2 +- apparmor.d/groups/gvfs/gvfsd-mtp | 2 +- apparmor.d/groups/gvfs/gvfsd-recent | 2 +- apparmor.d/groups/gvfs/gvfsd-trash | 2 +- apparmor.d/profiles-a-f/badblocks | 2 +- apparmor.d/profiles-a-f/blkid | 4 +- apparmor.d/profiles-a-f/borg | 6 +-- apparmor.d/profiles-a-f/btrfs | 10 ++-- apparmor.d/profiles-a-f/btrfs-find-root | 4 +- apparmor.d/profiles-a-f/btrfs-image | 4 +- apparmor.d/profiles-a-f/btrfs-map-logical | 4 +- apparmor.d/profiles-a-f/cfdisk | 6 +-- apparmor.d/profiles-a-f/cgdisk | 6 +-- apparmor.d/profiles-a-f/dumpe2fs | 4 +- apparmor.d/profiles-a-f/e2fsck | 4 +- apparmor.d/profiles-a-f/e2image | 4 +- apparmor.d/profiles-a-f/f3read | 8 +-- apparmor.d/profiles-a-f/f3write | 8 +-- apparmor.d/profiles-a-f/fdisk | 6 +-- apparmor.d/profiles-a-f/fsck | 2 +- apparmor.d/profiles-a-f/fsck-fat | 4 +- apparmor.d/profiles-a-f/fuseiso | 8 +-- apparmor.d/profiles-g-l/gdisk | 6 +-- apparmor.d/profiles-g-l/gpartedbin | 4 +- apparmor.d/profiles-g-l/hdparm | 4 +- apparmor.d/profiles-g-l/keepassxc-proxy | 2 +- apparmor.d/profiles-m-r/megasync | 9 +--- apparmor.d/profiles-m-r/mke2fs | 4 +- apparmor.d/profiles-m-r/mkfs-btrfs | 4 +- apparmor.d/profiles-m-r/mkfs-fat | 4 +- apparmor.d/profiles-m-r/mount | 4 +- apparmor.d/profiles-m-r/mount-cifs | 13 +++-- apparmor.d/profiles-m-r/mount-nfs | 13 +++-- apparmor.d/profiles-m-r/mtools | 4 +-
apparmor.d/profiles-m-r/ntfs-3g | 51 +++++++++---------- apparmor.d/profiles-m-r/ntfsclone | 2 +- apparmor.d/profiles-m-r/obex-folder-listing | 4 +- apparmor.d/profiles-m-r/parted | 4 +- apparmor.d/profiles-m-r/qbittorrent | 10 ++-- apparmor.d/profiles-m-r/qnapi | 9 ++-- apparmor.d/profiles-m-r/qtox | 2 +- apparmor.d/profiles-m-r/resize2fs | 4 +- apparmor.d/profiles-s-z/s3fs | 10 ++-- apparmor.d/profiles-s-z/sfdisk | 4 +- apparmor.d/profiles-s-z/sgdisk | 6 +-- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/strawberry-tagreader | 2 +- apparmor.d/profiles-s-z/tune2fs | 4 +- apparmor.d/profiles-s-z/udisksd | 20 ++++---- apparmor.d/profiles-s-z/virt-manager | 7 ++- apparmor.d/tunables/extend | 10 +++- 62 files changed, 198 insertions(+), 203 deletions(-)
diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict
index e6dc6e8f..935bbbb0 100644
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@@ -7,8 +7,8 @@
 owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
 owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
- owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r,
- owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
+ owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/ r,
+ owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/** rwkl,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete
index 0ffe6622..6775f9dc 100644
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
@@ -9,10 +9,10 @@
 owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
- owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
- owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl,
- owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl,
- owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl,
- owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl,
- owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl,
- owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+ owner @{MOUNTS}/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
+ owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} rwl,
+ owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} rwl,
+ owner @{MOUNTS}/@{XDG_VIDEOS_DIR}/{,**} rwl,
+ owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/{,**} rwl,
+ owner @{MOUNTS}/@{XDG_BOOKS_DIR}/{,**} rwl,
+ owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio
index f4c7913d..ca89ccec 100644
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@@ -6,8 +6,8 @@ abi ,
 include
-@{AS_LIBDIR} = @{MOUNTS}/*/android-studio
-@{AS_SDKDIR} = @{MOUNTS}/*/SDK
+@{AS_LIBDIR} = @{MOUNTS}/android-studio
+@{AS_SDKDIR} = @{MOUNTS}/SDK
 @{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
 @{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom
index 65d29290..a8933715 100644
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@@ -87,9 +87,9 @@ profile atom @{exec_path} {
 # Git dirs
 / r,
 @{MOUNTS}/ r,
- owner @{MOUNTS}/*/ r,
- owner @{MOUNTS}/*/atom/ r,
- owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,
+ owner @{MOUNTS}/ r,
+ owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
+ owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
 owner @{user_config_dirs}/git/config r,
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index daf63e0a..f4082f1e 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
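Review bot: In the atom hunk, the added `owner @{MOUNTS}/ r,` is subsumed by the unqualified `@{MOUNTS}/ r,` that is already present two lines above it (an `owner`-qualified rule is strictly narrower than the same path without `owner`), so the new line grants nothing. The equivalent hunk in groups/apps/code drops the old `owner @{MOUNTS}/*/ r,` without replacing it, so for consistency with that profile the atom hunk should simply delete the line as well. The rest of the atom block continues outside the hunk.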
@@ -78,9 +78,9 @@ profile calibre @{exec_path} {
 owner @{HOME}/@{XDG_BOOKS_DIR} rw,
 owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
- owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
- owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
- owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
+ owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r,
+ owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/ rw,
+ owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/@{XDG_BOOKS_DIR}*/**,
 owner @{user_config_dirs}/calibre/ rw,
 owner @{user_config_dirs}/calibre/** rwk,
diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code
index 0ece93b0..f941d070 100644
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@@ -66,9 +66,8 @@ profile code @{exec_path} {
 # Git dirs
 / r,
 @{MOUNTS}/ r,
- owner @{MOUNTS}/*/ r,
- owner @{MOUNTS}/*/code/ r,
- owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
+ owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
+ owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
 /etc/fstab r,
diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla
index 85ea3cf7..ac97ac6e 100644
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@@ -56,8 +56,8 @@ profile filezilla @{exec_path} {
 /{usr/,}lib/firefox/firefox rPUx,
 # FTP share folder
- owner @{MOUNTS}/*/ftp/ r,
- owner @{MOUNTS}/*/ftp/** rw,
+ owner @{MOUNTS}/ftp/ r,
+ owner @{MOUNTS}/ftp/** rw,
 # Silencer
 / r,
diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom
index dd703329..3dcdf22d 100644
--- a/apparmor.d/groups/apt/apt-cdrom
+++ b/apparmor.d/groups/apt/apt-cdrom
@@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
 /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
 # For pendrives
- @{MOUNTS}/*/*/ r,
- @{MOUNTS}/*/*/**/ r,
- @{MOUNTS}/*/*/.disk/info r,
- @{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r,
- @{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r,
+ @{MOUNTS}/*/ r,
+ @{MOUNTS}/*/**/ r,
+ @{MOUNTS}/*/.disk/info r,
+ @{MOUNTS}/*/dists/**/binary-*/Packages{,.gz} r,
+ @{MOUNTS}/*/dists/**/i18n/Translation-en{,.gz} r,
 /var/lib/apt/lists/** rw,
diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr
index 95e9296b..bd53411b 100644
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@@ -29,11 +29,11 @@ profile dirmngr @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/crls.d/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/ rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/ rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,
 owner @{run}/user/@{uid}/gnupg/ rw,
 owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 40bfaea5..9955daf5 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -77,7 +77,7 @@ profile gpg @{exec_path} {
 # Verify files
 owner @{HOME}/** r,
- owner @{MOUNTS}/*/** r,
+ owner @{MOUNTS}/** r,
 owner @{PROC}/@{pid}/task/@{tid}/stat rw,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 38ba5378..00c33346 100644
--- a/apparmor.d/groups/gpg/gpg-agent
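Review bot: In the dirmngr hunk, the new pattern `@{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/` expands to `@{MOUNTS}//@{XDG_GPG_DIR}/` for the empty alternative and `@{MOUNTS}//*/@{XDG_GPG_DIR}/` for the other: removing the `*` from the old `*{,/*}/` left behind the slash that used to follow it, so both branches now contain a double slash. Unless apparmor_parser collapses `//` inside a brace expansion (I do not believe it does), none of these five rules match a real path and dirmngr silently loses access to a GnuPG home on a mount, which is the kind of regression that only shows up as denials in the audit log. The form matching the old rule's intent is `owner @{MOUNTS}/{,*/}@{XDG_GPG_DIR}/ rw,`, with the same `{,*/}` substitution on the four lines below it. The gpg-agent hunk carries the identical `{,/*}/` pattern in all six of its new lines and needs the same fix.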
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -29,12 +29,12 @@ profile gpg-agent @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive
index ed9b3aa2..6694eafb 100644
--- a/apparmor.d/groups/gvfs/gvfsd-archive
+++ b/apparmor.d/groups/gvfs/gvfsd-archive
@@ -20,7 +20,7 @@ profile gvfsd-archive @{exec_path} {
 owner @{HOME}/**.{tar,tar.gz,zip} r,
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
 include if exists
diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp
index 2e83b079..2d09516a 100644
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@@ -24,7 +24,7 @@ profile gvfsd-mtp @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 owner @{HOME}/{,**} rw,
- owner @{MOUNTS}/*/{,**} rw,
+ owner @{MOUNTS}/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-* rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index 072e6be0..35d08324 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -19,7 +19,7 @@ profile gvfsd-recent @{exec_path} {
 # Full access to user's data
 owner @{HOME}/{,**} rw,
- owner @{MOUNTS}/*/{,**} rw,
+ owner @{MOUNTS}/{,**} rw,
 owner @{HOME}/.zshenv r,
 owner @{user_config_dirs}/user-dirs.dirs r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 906aff69..7b2913f1 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} {
 # Can restore all user files
 owner @{HOME}/{,**} rw,
- owner @{MOUNTS}/*/{,**} rw,
+ owner @{MOUNTS}/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/ rw,
 owner @{run}/user/@{uid}/gvfsd/socket-* rw,
diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks
index f1c2ddce..d8f9b79b 100644
--- a/apparmor.d/profiles-a-f/badblocks
+++ b/apparmor.d/profiles-a-f/badblocks
@@ -19,7 +19,7 @@ profile badblocks @{exec_path} {
 # A place for a list of already existing known bad blocks
 @{HOME}/* rwk,
- @{MOUNTS}/*/** rwk,
+ @{MOUNTS}/** rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index 3d834202..1d3735e8 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -31,9 +31,9 @@ profile blkid @{exec_path} {
 # Image files
 @{HOME}/**.{iso,img,bin,mdf,nrg} r,
- @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+ @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
 @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
- @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+ @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 304d97c0..1bd177a7 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -35,10 +35,10 @@ profile borg @{exec_path} {
 /{usr/,}bin/ccache rCx -> ccache,
 /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+ mount fstype=fuse -> @{MOUNTS}/,
 mount fstype=fuse -> @{MOUNTS}/*/,
- mount fstype=fuse -> @{MOUNTS}/*/*/,
+ umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
- umount @{MOUNTS}/*/*/,
 /dev/fuse rw,
@@ -114,8 +114,8 @@ profile borg @{exec_path} {
 /etc/fuse.conf r,
+ umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
- umount @{MOUNTS}/*/*/,
 @{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index b691e0d2..bff4395c 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -33,18 +33,18 @@ profile btrfs @{exec_path} {
 /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,
 # Saved metadata
+ @{MOUNTS}/ r,
+ @{MOUNTS}/ext2_saved/ rw,
+ @{MOUNTS}/ext2_saved/image rw,
 @{MOUNTS}/*/ r,
 @{MOUNTS}/*/ext2_saved/ rw,
 @{MOUNTS}/*/ext2_saved/image rw,
- @{MOUNTS}/*/*/ r,
- @{MOUNTS}/*/*/ext2_saved/ rw,
- @{MOUNTS}/*/*/ext2_saved/image rw,
 # To be able to manage btrfs volumes
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 /dev/btrfs-control rw,
diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root
index 6135885c..5eb562f7 100644
--- a/apparmor.d/profiles-a-f/btrfs-find-root
+++ b/apparmor.d/profiles-a-f/btrfs-find-root
@@ -15,9 +15,9 @@ profile btrfs-find-root @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image
index 50061b82..3aecf3be 100644
--- a/apparmor.d/profiles-a-f/btrfs-image
+++ b/apparmor.d/profiles-a-f/btrfs-image
@@ -17,9 +17,9 @@ profile btrfs-image @{exec_path} {
 # Image files
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical
index 344f4d02..81d28128 100644
--- a/apparmor.d/profiles-a-f/btrfs-map-logical
+++ b/apparmor.d/profiles-a-f/btrfs-map-logical
@@ -15,9 +15,9 @@ profile btrfs-map-logical @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk
index 45aeb0b7..deb4be1a 100644
--- a/apparmor.d/profiles-a-f/cfdisk
+++ b/apparmor.d/profiles-a-f/cfdisk
@@ -25,13 +25,13 @@ profile cfdisk @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 # A place for backups
 owner @{HOME}/**.{bak,back} rwk,
- owner @{MOUNTS}/*/**.{bak,back} rwk,
+ owner @{MOUNTS}/**.{bak,back} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk
index 231de791..a94b85bd 100644
--- a/apparmor.d/profiles-a-f/cgdisk
+++ b/apparmor.d/profiles-a-f/cgdisk
@@ -17,13 +17,13 @@ profile cgdisk @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 # A place for backups
 owner @{HOME}/**.{bak,back} rwk,
- owner @{MOUNTS}/*/**.{bak,back} rwk,
+ owner @{MOUNTS}/**.{bak,back} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs
index 35f922c7..8e7ee6bc 100644
--- a/apparmor.d/profiles-a-f/dumpe2fs
+++ b/apparmor.d/profiles-a-f/dumpe2fs
@@ -19,9 +19,9 @@ profile dumpe2fs @{exec_path} {
 # Image files
 @{HOME}/**.{iso,img,bin,mdf,nrg} r,
- @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+ @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
 @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
- @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+ @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck
index 14c1e26f..e7c2cfb5 100644
--- a/apparmor.d/profiles-a-f/e2fsck
+++ b/apparmor.d/profiles-a-f/e2fsck
@@ -28,9 +28,9 @@ profile e2fsck @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image
index b61bf1fd..7cd9ebe2 100644
--- a/apparmor.d/profiles-a-f/e2image
+++ b/apparmor.d/profiles-a-f/e2image
@@ -19,9 +19,9 @@ profile e2image @{exec_path} {
 # A place for the metadata image file
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read
index 044ba498..9ff0d7ad 100644
--- a/apparmor.d/profiles-a-f/f3read
+++ b/apparmor.d/profiles-a-f/f3read
@@ -13,14 +13,14 @@ profile f3read @{exec_path} {
 @{exec_path} mr,
 # USB drive mount locations
+ @{MOUNTDIRS} r,
+ @{MOUNTS}/ r,
 @{MOUNTS}/*/ r,
- @{MOUNTS}/*/*/ r,
- /mnt/ r,
 # To be able to read h2w files
+ owner @{MOUNTDIRS}/[0-9]*.h2w r,
+ owner @{MOUNTS}/[0-9]*.h2w r,
 owner @{MOUNTS}/*/[0-9]*.h2w r,
- owner @{MOUNTS}/*/*/[0-9]*.h2w r,
- owner /mnt/[0-9]*.h2w r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write
index d053e929..14145347 100644
--- a/apparmor.d/profiles-a-f/f3write
+++ b/apparmor.d/profiles-a-f/f3write
@@ -17,14 +17,14 @@ profile f3write @{exec_path} {
 @{exec_path} mr,
 # USB drive mount locations
+ @{MOUNTDIRS} r,
+ @{MOUNTS}/ r,
 @{MOUNTS}/*/ r,
- @{MOUNTS}/*/*/ r,
- /mnt/ r,
 # To be able to write h2w files
+ owner @{MOUNTDIRS}/[0-9]*.h2w w,
+ owner @{MOUNTS}/[0-9]*.h2w w,
 owner @{MOUNTS}/*/[0-9]*.h2w w,
- owner @{MOUNTS}/*/*/[0-9]*.h2w w,
- owner /mnt/[0-9]*.h2w w,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk
index 5f023da4..5c0f9769 100644
--- a/apparmor.d/profiles-a-f/fdisk
+++ b/apparmor.d/profiles-a-f/fdisk
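Review bot: In the f3read hunk, the added `@{MOUNTDIRS} r,` has no trailing slash, whereas every other new use of the variable in this commit is written `@{MOUNTDIRS}/ r,` (mount-cifs, mount-nfs, ntfs-3g). AppArmor matches a directory by its path with a trailing `/`, so unless the values in tunables/extend themselves end in `/` (that file is outside this chunk, so I cannot confirm) this rule grants read on a path no directory open will ever present, and the replaced `/mnt/ r,` loses its equivalent. Suggest `@{MOUNTDIRS}/ r,` here, matching the `owner @{MOUNTDIRS}/[0-9]*.h2w r,` line that already assumes no trailing slash in the variable. The f3write hunk has the same `@{MOUNTDIRS} r,` line and needs the same change.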
@@ -27,13 +27,13 @@ profile fdisk @{exec_path} {
 # For disk images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 # For backups
 owner @{HOME}/**.{bak,back} rwk,
- owner @{MOUNTS}/*/**.{bak,back} rwk,
+ owner @{MOUNTS}/**.{bak,back} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck
index fc56b1c7..7d5adbfa 100644
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@@ -24,7 +24,7 @@ profile fsck @{exec_path} {
 /etc/fstab r,
 # When a mount dir is passed to fsck as an argument.
- @{MOUNTS}/*/ r,
+ @{MOUNTS}/ r,
 /boot/ r,
 /home/ r,
diff --git a/apparmor.d/profiles-a-f/fsck-fat b/apparmor.d/profiles-a-f/fsck-fat
index 993475b6..d17e06e2 100644
--- a/apparmor.d/profiles-a-f/fsck-fat
+++ b/apparmor.d/profiles-a-f/fsck-fat
@@ -16,9 +16,9 @@ profile fsck-fat @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 owner @{run}/systemd/fsck.progress rw,
diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso
index 6b658ee1..3dccb5c7 100644
--- a/apparmor.d/profiles-a-f/fuseiso
+++ b/apparmor.d/profiles-a-f/fuseiso
@@ -27,9 +27,9 @@ profile fuseiso @{exec_path} {
 # Image files to be mounted
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 owner @{HOME}/.mtab.fuseiso rwk,
 owner @{HOME}/.mtab.fuseiso.new rw,
@@ -60,9 +60,9 @@ profile fuseiso @{exec_path} {
 # Image files to be mounted
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
 }
diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk
index 66354c43..2b501e69 100644
--- a/apparmor.d/profiles-g-l/gdisk
+++ b/apparmor.d/profiles-g-l/gdisk
@@ -24,13 +24,13 @@ profile gdisk @{exec_path} {
 # For disk images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 # For backups
 owner @{HOME}/**.{bak,back} rwk,
- owner @{MOUNTS}/*/**.{bak,back} rwk,
+ owner @{MOUNTS}/**.{bak,back} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 42e6f0ca..7cd08c62 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -153,8 +153,8 @@ profile gpartedbin @{exec_path} {
 mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/,
 mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/,
+ mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
 mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
- mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r,
@@ -176,8 +176,8 @@ profile gpartedbin @{exec_path} {
 umount /tmp/gparted-*/,
 umount /boot/,
+ umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
- umount @{MOUNTS}/*/*/,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm
index b3ba2f2a..7c0748a3 100644
--- a/apparmor.d/profiles-g-l/hdparm
+++ b/apparmor.d/profiles-g-l/hdparm
@@ -30,9 +30,9 @@ profile hdparm @{exec_path} flags=(complain) {
 # Image files
 @{HOME}/**.{iso,img,bin,mdf,nrg} r,
- @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+ @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
 @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
- @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+ @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy
index ae24a13c..008f9569 100644
--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@@ -29,7 +29,7 @@ profile keepassxc-proxy @{exec_path} {
 # deny owner @{HOME}/.mozilla/** rw,
 deny owner @{user_cache_dirs}/mozilla/** rw,
- deny owner @{MOUNTS}/*/.mozilla/** rw,
+ deny owner @{MOUNTS}/.mozilla/** rw,
 deny owner /tmp/firefox*/.parentlock rw,
 deny owner /tmp/tmp-*.xpi rw,
 deny owner /tmp/tmpaddon r,
diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync
index 96e479d6..1513de37 100644
--- a/apparmor.d/profiles-m-r/megasync
+++ b/apparmor.d/profiles-m-r/megasync
@@ -6,8 +6,6 @@ abi ,
 include
-@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage
-
 @{exec_path} = /{usr/,}bin/megasync
 profile megasync @{exec_path} {
 include
@@ -55,11 +53,8 @@ profile megasync @{exec_path} {
 owner @{user_config_dirs}/QtProject.conf r,
 # Sync folder
- #/ r,
- #@{MOUNTS}/ r,
- #@{MOUNTS}/*/ r,
- owner @{SYNC_FOLDER}/ r,
- owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,
+ owner @{user_sync_dirs}/ r,
+ owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**,
 # Proc filesystem
 deny owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs
index e691740e..c25377a3 100644
--- a/apparmor.d/profiles-m-r/mke2fs
+++ b/apparmor.d/profiles-m-r/mke2fs
@@ -30,9 +30,9 @@ profile mke2fs @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 # For virt-resize
 owner /var/tmp/.guestfs-[0-9]*/** rwk,
diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs
index 9613134a..191bb035 100644
--- a/apparmor.d/profiles-m-r/mkfs-btrfs
+++ b/apparmor.d/profiles-m-r/mkfs-btrfs
@@ -24,9 +24,9 @@ profile mkfs-btrfs @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat
index 8e946c9e..441dc271 100644
--- a/apparmor.d/profiles-m-r/mkfs-fat
+++ b/apparmor.d/profiles-m-r/mkfs-fat
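Review bot: In the second megasync hunk, the two new rules reference `@{user_sync_dirs}`, a variable that is not defined anywhere in this chunk of the diff; the diffstat shows tunables/extend gaining lines, so it is presumably declared there, but if the name differs even slightly apparmor_parser rejects the whole profile at load time rather than failing a single rule. Worth confirming the tunable's name and that the profile still includes the tunables file that declares it, since the old per-profile `@{SYNC_FOLDER}` definition removed in the first hunk no longer provides a fallback.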
@@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index fe13d31a..f732aa98 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -45,9 +45,9 @@ profile mount @{exec_path} flags=(complain) {
 # Mount iso/img files
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 # The special /dev/loop-control file can be used to create and destroy loop devices or to find
 # the first available loop device.
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs
index 80c23b8d..3724dd4b 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@@ -30,19 +30,18 @@ profile mount-cifs @{exec_path} flags=(complain) {
 owner @{HOME}/.smbcredentials r,
 # Mount points
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
 @{MOUNTS}/*/ r,
- @{MOUNTS}/*/*/ r,
 # Allow to mount smb/cifs disks only under the /media/ dirs
+ mount fstype=cifs -> @{MOUNTDIRS}/,
+ mount fstype=cifs -> @{MOUNTS}/,
 mount fstype=cifs -> @{MOUNTS}/*/,
- mount fstype=cifs -> @{MOUNTS}/*/*/,
- mount fstype=cifs -> /mnt/,
- mount fstype=cifs -> /mnt/*/,
+ umount @{MOUNTDIRS}/,
+ umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
- umount @{MOUNTS}/*/*/,
- umount /mnt/,
- umount /mnt/*/,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs
index 69c86061..1983e1bf 100644
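Review bot: In the mount-cifs hunk, the comment `# Allow to mount smb/cifs disks only under the /media/ dirs` no longer describes the rules beneath it: the new `mount fstype=cifs -> @{MOUNTDIRS}/,` and `-> @{MOUNTS}/,` targets cover whatever tunables/extend assigns to those variables, which this chunk does not show, and the hard-coded `/mnt/` rules it replaces are now folded in. Since the comment is the only place a reader learns the intended boundary of the mount permission, suggest rewording it to name the variables, e.g. `# Allow to mount smb/cifs disks only under the @{MOUNTDIRS} and @{MOUNTS} dirs`. The mount-nfs hunk carries the same comment, still saying smb/cifs inside an nfs profile, while its rules additionally keep `mount fstype=nfs -> /,` and `-> /*/,`, so that comment needs the larger correction.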
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
@@ -45,21 +45,20 @@ profile mount-nfs @{exec_path} flags=(complain) {
 owner @{run}/rpc.statd.lock wk,
 # Mount points
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
 @{MOUNTS}/*/ r,
- @{MOUNTS}/*/*/ r,
 # Allow to mount smb/cifs disks only under the /media/ dirs
+ mount fstype=nfs -> @{MOUNTDIRS}/,
+ mount fstype=nfs -> @{MOUNTS}/,
 mount fstype=nfs -> @{MOUNTS}/*/,
- mount fstype=nfs -> @{MOUNTS}/*/*/,
- mount fstype=nfs -> /mnt/,
- mount fstype=nfs -> /mnt/*/,
 mount fstype=nfs -> /,
 mount fstype=nfs -> /*/,
+ umount @{MOUNTDIRS}/,
+ umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
- umount @{MOUNTS}/*/*/,
- umount /mnt/,
- umount /mnt/*/,
 umount /,
 umount /*/,
diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools
index f68fa31f..5f7b20c9 100644
--- a/apparmor.d/profiles-m-r/mtools
+++ b/apparmor.d/profiles-m-r/mtools
@@ -25,9 +25,9 @@ profile mtools @{exec_path} {
 # A place for file images
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
- owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g
index faf590df..94014b46 100644
--- a/apparmor.d/profiles-m-r/ntfs-3g
+++ b/apparmor.d/profiles-m-r/ntfs-3g
@@ -23,36 +23,35 @@ profile ntfs-3g @{exec_path} { @{exec_path} mr, - @{PROC}/@{pids}/task/@{tid}/status r, - owner @{PROC}/@{pid}/mounts r, + /{usr/,}bin/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + + # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + + # Allow to mount encrypted partition + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/, + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, - # Mount points - @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, - - # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/*/, - mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, - - # Allow to mount encrypted partition - mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, - mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/, - mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/, - - umount @{MOUNTS}/*/, - umount /mnt/*/, - - # kmod is used to load the fuse kernel module - /{usr/,}bin/kmod rPx, - include if exists } 
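Review bot: In the rewritten mount rules of ntfs-3g, `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},` is the only target without a trailing slash; it only matches because each `@{MOUNTDIRS}` value already ends in `/`, and every sibling line is written `@{MOUNTDIRS}/`, so it should read `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}/,`. The `/dev/mmcblk[0-9]*p[0-9]*` rules get no `@{MOUNTDIRS}/` target while the sd and dm-* rules do; if that asymmetry is intentional a comment should say so, otherwise the line is missing. Separately, the added `@{PROC}/@{pids}/mountinfo r,` is unqualified while the neighbouring `owner @{PROC}/@{pid}/mounts r,` is scoped to the caller's own process; unless ntfs-3g is known to read other processes' mount tables, `owner @{PROC}/@{pid}/mountinfo r,` is the tighter rule.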
diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index cf4c5edd..713cbbe0 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -21,7 +21,7 @@ profile ntfsclone @{exec_path} { # A place for backups @{HOME}/* rwk, - @{MOUNTS}/*/** rwk, + @{MOUNTS}/** rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index 3bc0b3ac..8e134416 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -16,8 +16,8 @@ profile obex-folder-listing @{exec_path} { owner @{HOME}/ r, owner @{HOME}/**/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/**/ r, + owner @{MOUNTS}/ r, + owner @{MOUNTS}/**/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 40209d49..eeb46bdf 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -70,9 +70,9 @@ profile parted @{exec_path} { # file_inherit include # lots of files in this abstraction get inherited owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, } diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 96560c7c..2eab25a4 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -7,7 +7,7 @@ abi , include -@{TORRENT_DIR} = @{MOUNTS}/*/torrent +@{TORRENT_DIR} = @{MOUNTS}/torrent @{exec_path} = /{usr/,}bin/qbittorrent profile qbittorrent @{exec_path} { 
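Review bot: The rewritten backup rule in ntfsclone, `@{MOUNTS}/** rwk,`, grants read, write and lock on every file of every mounted volume with no `owner` qualifier, while the comparable rules touched in this patch (mkfs-fat, mount, parted, mtools) are all `owner @{MOUNTS}/**.{…} rwk,`. ntfsclone is typically run as root so `owner` is a weak limit, but it still keeps the profile off files other users placed on a shared mount; consider `owner @{MOUNTS}/** rwk,`, or if unrestricted access is required, say why in the comment, e.g. `# Backups may be written to any mounted volume, including files owned by other users`.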
@@ -241,9 +241,9 @@ profile qbittorrent @{exec_path} { owner @{run}/user/@{uid}/ r, # file_inherit - owner @{MOUNTS}/*/torrent/** r, - owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw, - owner "@{MOUNTS}/*/torrent/**.!qB" rw, + owner @{MOUNTS}/torrent/** r, + owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw, + owner "@{MOUNTS}/torrent/**.!qB" rw, owner @{HOME}/.xsession-errors w, @@ -291,7 +291,7 @@ profile qbittorrent @{exec_path} { owner /tmp/tmp* rw, # file_inherit - owner @{MOUNTS}/*/torrent/** r, + owner @{MOUNTS}/torrent/** r, deny /dev/dri/card[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index e143633a..4bb66130 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -74,11 +74,10 @@ profile qnapi @{exec_path} { # Movie dirs @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/** r, - owner @{MOUNTS}/*/**#[0-9]*[0-9] rw, - owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r, - owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9], + owner @{MOUNTS}/** r, + owner @{MOUNTS}/**#[0-9]*[0-9] rw, + owner @{MOUNTS}/**.@{qnapi_vid_ext} r, + owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9], owner @{HOME}/ r, owner @{user_config_dirs}/qnapi.ini rw, diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index c8a3bcaa..34323ba8 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -34,7 +34,7 @@ profile qtox @{exec_path} { # For importing old profile owner @{HOME}/**.tox r, - owner @{MOUNTS}/*/**.tox r, + owner @{MOUNTS}/**.tox r, owner @{HOME}/ r, owner @{user_cache_dirs}/qTox/ rw, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 376a23a4..c33b3cd1 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs 
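Review bot: In qnapi the context line `@{MOUNTS}/ r,` now expands to `/media/*/` (and the `@{run}/media/`, `/mnt/` equivalents) because this patch adds a `*/` level to `@{MOUNTS}`, and the removed `owner @{MOUNTS}/*/ r,` was the old rule for that same path; nothing in the new block still permits listing `/media/` itself, so a file dialog walking into the mount roots will be denied at the top level. Add `@{MOUNTDIRS}/ r,` beside `@{MOUNTS}/ r,` to restore it. The change also silently turns the owner-only read of `/media/*/` into an unqualified one; if owner scoping was intended, the line should become `owner @{MOUNTS}/ r,`.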
@@ -24,9 +24,9 @@ profile resize2fs @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index fbd72393..81d787ed 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -19,8 +19,8 @@ profile s3fs @{exec_path} { network inet6 stream, network netlink raw, + mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/, @{exec_path} mr, @@ -31,8 +31,8 @@ profile s3fs @{exec_path} { owner @{HOME}/.passwd-s3fs r, + owner @{MOUNTS}/ r, owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/*/ r, owner /tmp/* rw, /dev/fuse rw, @@ -50,14 +50,14 @@ profile s3fs @{exec_path} { /etc/fuse.conf r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, + mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, owner /tmp/s3fstmp.* rw, diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 60224b6c..75622a31 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -24,9 +24,9 @@ profile sfdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index f9241e8b..d844317f 100644 
--- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -24,13 +24,13 @@ profile sgdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 78d88b51..7c223bed 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -6,7 +6,7 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/*/mp3/ +@{MEDIA_LIB} = @{MOUNTS}/mp3/ @{exec_path} = /{usr/,}bin/strawberry profile strawberry @{exec_path} { diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 7e462e94..45a13c29 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -6,7 +6,7 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/*/mp3/ +@{MEDIA_LIB} = @{MOUNTS}/mp3/ @{exec_path} = /{usr/,}bin/strawberry-tagreader profile strawberry-tagreader @{exec_path} { diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 50f7f5de..120be844 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -29,9 +29,9 @@ profile tune2fs @{exec_path} { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} rw, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index d2019666..74304f9a 100644 
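Review bot: The rewritten image rules in tune2fs, `@{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw,` and its upper-case twin, are the only image-file rules in this patch written without `owner`; the same pattern in resize2fs, sgdisk, sfdisk and mkfs-fat is `owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,`. Unless tune2fs is known to need images owned by other users, align them as `owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw,` and `owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw,`. The `@{HOME}` lines above have the same gap but are context in this hunk.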
--- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -35,7 +35,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={ReleaseName,GetConnectionUnixUser}, + member={ReleaseName,GetConnectionUnixUser,RequestName}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager 
@@ -71,26 +71,26 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/systemd-escape rPx, # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow mounting of cdrom mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, # Allow mounting od sd cards - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow unmounting + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, umount /media/cdrom[0-9]/, # Be able to create/delete dirs for removable media + @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, - @{MOUNTS}/*/*/ rw, /media/cdrom[0-9]/ rw, # Udisks2 config files 
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index b2c1583c..416a527c 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -73,11 +73,10 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # For disk images @{MOUNTS}/ r, - @{MOUNTS}/*/ r, @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, # System VM images /var/lib/libvirt/images/{,**} rw, @@ -86,7 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/libvirt/{,**} rw, owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, - owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw, + owner @{MOUNTS}/@{XDG_VM_DIR}/{,**} rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/mount/utab r, diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index 4c6f55e1..7dd32b0e 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend @@ -9,8 +9,14 @@ # Universally unique identifier @{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* -# Common mountpoints -@{MOUNTS}=/media/ @{run}/media /mnt + +# @{MOUNTDIRS} is a space-separated list of where user mount directories +# are stored, for programs that must enumerate all mount directories on a +# system. +@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/ + +# @{MOUNTS} is a space-separated list of all user mounted directories. +@{MOUNTS}=@{MOUNTDIRS}/*/ # Libexec path. Different in some distribution @{libexec}=/{usr/,}lib # Archlinux
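Review bot: In the first virt-manager hunk the context rule `@{MOUNTS}/ r,` now means `/media/*/` rather than `/media/`, and the removed `@{MOUNTS}/*/ r,` was the old rule for exactly that path, so after this patch nothing grants read on `/media/`, `@{run}/media/` or `/mnt/` themselves and the disk-image chooser will be denied when it descends into a mount root. Restore it with `@{MOUNTDIRS}/ r,` placed above `@{MOUNTS}/ r,` under the `# For disk images` comment.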
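Review bot: The new definition changes the meaning of `@{MOUNTS}` from the mount roots to the directories one level below them, and nothing in the tunable's comment records that; any profile or local `*.d` override still written as `@{MOUNTS}/*/…` against the old meaning now matches one level deeper than intended, and the qnapi and virt-manager hunks in this same patch show how a context `@{MOUNTS}/ r,` shifts silently. Add a line to the comment, e.g. `# Note: @{MOUNTS} used to be the mount roots; use @{MOUNTDIRS}/ to read those directories themselves.` The definition also relies on the parser collapsing the `//` produced by `@{MOUNTDIRS}/*/` (the same construction upstream uses for `@{HOME}=@{HOMEDIRS}/*/`), which is worth one comment line so the trailing slashes are not "fixed" later.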