From 7a53fc3a99399c56c50c2761124a08153b0e0a08 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 18 Sep 2024 18:10:27 +0100
Subject: [PATCH] feat(profile): general updtae.
---
 apparmor.d/abstractions/app/sudo | 1 -
 apparmor.d/abstractions/gstreamer | 7 +-
 apparmor.d/abstractions/vulkan-strict | 1 -
 apparmor.d/groups/browsers/torbrowser-start | 2 +
 apparmor.d/groups/bus/at-spi2-registryd | 20 +---
 .../groups/freedesktop/xdg-desktop-portal | 20 ++--
 .../freedesktop/xdg-desktop-portal-gnome | 32 +------
 apparmor.d/groups/freedesktop/xdg-user-dir | 3 +-
 apparmor.d/groups/gpg/gpg-agent | 1 +
 apparmor.d/groups/gpg/scdaemon | 6 +-
 apparmor.d/groups/network/NetworkManager | 3 +-
 apparmor.d/groups/pacman/makepkg | 5 +-
 apparmor.d/groups/pacman/yay | 2 +
 apparmor.d/groups/systemd/systemd-udevd | 2 -
 apparmor.d/groups/virt/cni-xtables-nft | 36 --------
 apparmor.d/groups/virt/cockpit-bridge | 27 ++++++-
 apparmor.d/groups/virt/cockpit-update-motd | 2 -
 apparmor.d/groups/virt/xtables | 43 ++++++++++
 apparmor.d/profiles-a-f/aa-log | 2 -
 apparmor.d/profiles-a-f/convertall | 23 ++---
 apparmor.d/profiles-m-r/pass | 76 +++++++++--------
 .../signal-desktop-chrome-sandbox | 4 +-
 .../spice-client-glib-usb-acl-helper | 1 -
 apparmor.d/profiles-s-z/switcherooctl | 2 +-
 apparmor.d/profiles-s-z/tomb | 3 +-
 apparmor.d/profiles-s-z/udisksd | 7 +-
 apparmor.d/profiles-s-z/wpa-gui | 11 +--
 27 files changed, 158 insertions(+), 184 deletions(-)
 delete mode 100644 apparmor.d/groups/virt/cni-xtables-nft
 create mode 100644 apparmor.d/groups/virt/xtables
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index fdd34858..3fa45435 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -57,7 +57,6 @@
   @{PROC}/@{pid}/limits r,
   @{PROC}/@{pid}/loginuid r,
   @{PROC}/@{pid}/stat r,
-  @{PROC}/sys/kernel/cap_last_cap r,
   @{PROC}/sys/kernel/ngroups_max r,
   @{PROC}/sys/kernel/seccomp/actions_avail r,
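Review bot: `@{PROC}/sys/kernel/cap_last_cap r,` is removed from this abstraction and, by the same one-line deletion, from systemd-udevd, cockpit-update-motd, aa-log and spice-client-glib-usb-acl-helper, yet no hunk in the patch adds the path to an abstraction those profiles include, and the commit message (`general updtae`) does not say where the access went. If it has moved into a base abstraction, naming it in the commit message would make the five deletions verifiable; if not, anything that reads cap_last_cap (libcap does, to learn the highest supported capability) will start logging denials under those profiles. The abstraction continues outside the hunk.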
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index 60bac614..4a5deb7c 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -45,7 +45,12 @@
   @{sys}/class/ r,
   @{sys}/class/drm/ r,
   @{sys}/class/video4linux/ r,
-  @{sys}/devices/@{pci}/{busnum,config,devnum,descriptors,speed,uevent} r,
+  @{sys}/devices/@{pci}/busnum r,
+  @{sys}/devices/@{pci}/config r,
+  @{sys}/devices/@{pci}/descriptors r,
+  @{sys}/devices/@{pci}/devnum r,
+  @{sys}/devices/@{pci}/speed r,
+  @{sys}/devices/@{pci}/uevent r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/meminfo r,
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict
index fd86f1e8..5210a48e 100644
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@@ -29,5 +29,4 @@
   include if exists
-
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start
index 8292f613..e7072c85 100644
--- a/apparmor.d/groups/browsers/torbrowser-start
+++ b/apparmor.d/groups/browsers/torbrowser-start
@@ -42,6 +42,8 @@ profile torbrowser-start @{exec_path} {
   owner @{lib_dirs}/sed@{rand6} rw,
   owner @{lib_dirs}/TorBrowser/Tor/tor r,
+  owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw,
+  owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/start-tor-browser.desktop rw,
   owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw,
   owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw,
diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd
index 2b0ac047..46b404f2 100644
--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@@ -17,24 +17,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(term) peer=gdm,
-  #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.freedesktop.DBus.Properties
-       member=Set
-       peer=(name=:*),
-  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=:*),
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=:*),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
+  #aa:dbus own bus=accessibility name=org.a11y.atspi
+  #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 5d908e67..d8929cfb 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -20,6 +20,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
+  include
   include
   capability sys_ptrace,
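Review bot: The new `#aa:dbus own bus=accessibility name=org.a11y.atspi` owns a wider name prefix than the rules it replaces, which were limited to `org.a11y.atspi.{R,r}egistry` plus three explicit (path, interface, member) combinations on the `root` and `deviceeventcontroller` objects; whatever the directive expands to will presumably cover every member under that prefix. That is likely what the registry daemon needs, but a one-line comment such as `# The registry serves every object under org.a11y.atspi (root, registry, deviceeventcontroller)` would stop the widening from reading as accidental, given that the commit message does not mention it. The trailing `dbus receive bus=session` rule continues outside the hunk.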
@@ -34,19 +35,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
        member=MakeThread*
        peer=(name=:*),
-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.NetworkManager
-       member=CheckPermissions
-       peer=(name=:*, label=NetworkManager),
-
   #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
-  dbus send bus=session path=/org/freedesktop/portal/documents
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label=xdg-document-portal),
-  dbus send bus=session path=/org/freedesktop/portal/documents
-       interface=org.freedesktop.portal.Documents
-       peer=(name=:*, label=xdg-document-portal),
+  #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
@@ -62,10 +53,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   @{sh_path} rix,
   @{bin}/nautilus rPx,
-  @{bin}/snap rPUx,
-  @{bin}/kreadconfig5 rPx,
-  @{lib}/xdg-desktop-portal-validate-icon rPUx,
+  @{bin}/kreadconfig{,5} rPx,
+  @{lib}/xdg-desktop-portal-validate-icon rPx,
   @{open_path} rPx -> child-open,
   / r,
@@ -76,7 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   /etc/sysconfig/proxy r,
-  /var/lib/gdm{,3}/greeter-dconf-defaults r,
+  @{GDM_HOME}/greeter-dconf-defaults r,
   @{user_config_dirs}/kioslaverc r,
   owner @{user_config_dirs}/xdg-desktop-portal/* r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 588d4d39..586828ee 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -13,7 +13,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
   include
   include
   include
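Review bot: The `dbus receive bus=system path=/org/freedesktop/NetworkManager ... member=CheckPermissions peer=(name=:*, label=NetworkManager)` rule is removed with no replacement in this hunk; the `#aa:dbus talk` directive added below it covers only the session-bus Documents portal. If that signal is now permitted by the abstraction added in the first hunk (its name is not visible in this rendering), a comment such as `# NetworkManager CheckPermissions signals are covered by <abstraction name>` would document it; otherwise the portal will be denied the signal again. In the third hunk, `@{lib}/xdg-desktop-portal-validate-icon rPx,` is a welcome tightening from `rPUx`, but it now makes the exec fail when no `xdg-desktop-portal-validate-icon` profile is loaded, which is worth a line in the commit message.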
@@ -30,39 +29,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(hup term) peer=gdm-session-worker,
   #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome
-
-  dbus send bus=session path=/org/gnome/Shell/Screenshot
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=gnome-shell),
-
-  dbus send bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Background
-       member=RunningApplicationsChanged
-       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
-
-  dbus receive bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Background
-       member=GetAppState
-       peer=(name=:*, label=xdg-desktop-portal),
-
-  dbus send bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Settings
-       member=SettingChanged
-       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
-
-  dbus (send, receive) bus=session path=/org/gnome/Mutter/*
-       interface=org.gnome.Mutter.*
-       peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
-  dbus send bus=session path=/org/gnome/Mutter/*
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal
+  #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
+  #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell
   @{exec_path} mr,
   / r,
   @{bin}/ r,
   @{bin}/* r,
+  /opt/*/* r,
   /usr/share/dconf/profile/gdm r,
   /usr/share/thumbnailers/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir
index 47184420..7fcf6f3e 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dir
+++ b/apparmor.d/groups/freedesktop/xdg-user-dir
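Review bot: The Mutter rules being removed accepted peers labelled `"{gnome-shell,gsd-xsettings}"` for both send and receive on `/org/gnome/Mutter/*`, while the replacement `#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell` names only gnome-shell, so whatever gsd-xsettings exchanged over those objects will now be denied unless a second directive is added, e.g. `#aa:dbus talk bus=session name=org.gnome.Mutter label=gsd-xsettings`. Separately, `/opt/*/* r,` grants read on the second level of every vendor tree under /opt with no comment on which application needs it; a narrower path, or a `# <reason>` comment on the line, would keep the rule from accreting. The profile continues outside the hunk.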
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/xdg-user-dir
 profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   @{exec_path} mr,
@@ -18,8 +19,6 @@ profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/user-dirs.dirs r,
-  /dev/tty rw,
-
   # Silencer
   deny network inet stream,
   deny network inet6 stream,
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 3d240828..b7e00a45 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -62,6 +62,7 @@ profile gpg-agent @{exec_path} {
   #aa:only pacman
   owner /etc/pacman.d/gnupg/ rw,
+  owner /etc/pacman.d/gnupg/*.conf r,
   owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
   owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
   owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index 92be0bdc..2160cbea 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -19,12 +19,16 @@ profile scdaemon @{exec_path} {
   @{exec_path} mr,
+  #aa:only pacman
+  owner /etc/pacman.d/gnupg/scdaemon.conf r,
+  owner /etc/pacman.d/gnupg/S.scdaemon rw,
+
   owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r,
   owner @{HOME}/@{XDG_GPG_DIR}common.conf r,
   owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw,
   owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
-  owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw,
+  owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
   owner /var/tmp/zypp.*/PublicKey/S.scdaemon w,
   owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 7f9b5adf..50614a60 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
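Review bot: In the scdaemon hunk, the context line right after the new pacman block reads `owner @{HOME}/@{XDG_GPG_DIR}common.conf r,` with no `/` between the variable and the file name, while its neighbours use `@{XDG_GPG_DIR}/scdaemon.conf` and `@{XDG_GPG_DIR}/reader_@{int}.status`; unless `@{XDG_GPG_DIR}` expands with a trailing slash, that rule matches nothing and reads of common.conf are silently denied. Since this hunk already touches the block, the fix is `owner @{HOME}/@{XDG_GPG_DIR}/common.conf r,`. Narrowing the socket directory from `d.*` to `d.@{rand}` is a good tightening. The profile continues outside the hunk.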
@@ -90,9 +90,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
   @{lib}/{,NetworkManager/}nm-openvpn-service rPx,
   @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
+  /usr/share/netplan/netplan.script rPx,
-  /usr/share/netplan/netplan.script rPx,
   /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
+  /usr/share/iproute2/{,**} r,
   / r,
   /etc/ r,
diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg
index 5ac44681..4ccb1088 100644
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@@ -11,7 +11,7 @@ profile makepkg @{exec_path} {
   include
   include
-  signal send set=winch peer=pacman,
+  signal send set=winch peer=pacman,
   signal send set=winch peer=pacman//systemctl,
   network inet stream,
@@ -48,7 +48,10 @@ profile makepkg @{exec_path} {
   owner @{HOME}/@{XDG_GPG_DIR}/ rw,
   owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+  owner @{user_cache_dirs}/makepkg/src/*.asc r,
+  owner @{tmp}/.git_vtag_tmp@{rand6} rw,
+  owner @{tmp}/tmp.@{rand10} rw,
   owner @{run}/user/@{uid}/ r,
   owner @{run}/user/@{uid}/gnupg/ r,
diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay
index 8f280462..8f3dede7 100644
--- a/apparmor.d/groups/pacman/yay
+++ b/apparmor.d/groups/pacman/yay
@@ -67,6 +67,8 @@ profile yay @{exec_path} {
   include
   include
+  owner @{HOME}/**/ r, # For pwd
+  owner @{user_cache_dirs}/yay/*/** rw,
   include if exists
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 5c170920..612fda9e 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -123,8 +123,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   #
   / r,
-  @{PROC}/sys/kernel/cap_last_cap r,
-
   include if exists
 }
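Review bot: In the yay hunk, `owner @{HOME}/**/ r, # For pwd` grants directory-listing access to every directory under the home tree, dot-directories included, which is far more than resolving a working directory needs; `r` on a directory is what opendir requires, not getcwd, so the comment does not explain the rule as written. If yay is expected to be started from arbitrary directories, say so in the comment and consider whether `owner @{HOME}/ r,` together with the cache path granted on the next line is enough; if a recursive listing really is needed, the comment should name the operation that needs it rather than `For pwd`. The profile continues outside the hunk.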
diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft
deleted file mode 100644
index d19f875b..00000000
--- a/apparmor.d/groups/virt/cni-xtables-nft
+++ /dev/null
@@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Jeroen Rijken
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/xtables-nft-multi
-profile cni-xtables-nft {
-  include
-  include
-  include
-
-  capability net_admin,
-  capability net_raw,
-
-  network inet dgram,
-  network inet6 dgram,
-  network inet raw,
-  network inet6 raw,
-  network inet stream,
-  network inet6 stream,
-  network netlink raw,
-
-  @{exec_path} mr,
-  @{bin}/xtables-legacy-multi mr,
-
-  /etc/libnl/classid r,
-  /etc/iptables/{,**} rw,
-  /etc/nftables.conf rw,
-
-  @{PROC}/@{pids}/net/ip_tables_names r,
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index a2b77349..1ae8c710 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -26,11 +26,11 @@ profile cockpit-bridge @{exec_path} {
   ptrace read,
+  signal send set=term peer=cockpit-bridge//sudo,
   signal send set=term peer=cockpit-pcp,
   signal send set=term peer=dbus-daemon,
   signal send set=term peer=journalctl,
   signal send set=term peer=ssh-agent,
-  signal send set=term peer=sudo,
   signal send set=term peer=unconfined,
   @{exec_path} mr,
@@ -41,24 +41,30 @@ profile cockpit-bridge @{exec_path} {
   @{bin}/ip ix,
   @{bin}/python3.@{int} ix,
   @{bin}/test ix,
+  @{bin}/file ix,
+  @{bin}/chage Px,
+  @{bin}/dmidecode Px,
   @{bin}/findmnt Px,
   @{bin}/journalctl Px,
+  @{bin}/last Px,
   @{bin}/lastlog Px,
+  @{bin}/lscpu Px,
   @{bin}/passwd Px,
   @{bin}/ssh-agent Px,
-  @{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?
+  @{bin}/sudo Cx -> sudo,
   @{bin}/udevadm Cx -> udevadm,
+  @{bin}/virsh rPUx,
   @{bin}/virt-install PUx, # TODO: rPx
   @{lib}/cockpit/cockpit-pcp Px,
   @{lib}/cockpit/cockpit-ssh Px,
-  @{bin}/virsh rPUx,
   # The shell is not confined on purpose.
   @{bin}/@{shells} Ux,
   /usr/{,local/}share/ r,
   /usr/share/cockpit/{,**} r,
+  /usr/share/file/** r,
   /usr/share/iproute2/* r,
   /etc/cockpit/{,**} r,
@@ -70,7 +76,8 @@ profile cockpit-bridge @{exec_path} {
   /etc/shadow r,
   /etc/shells r,
-  / r,
+  / r,
+  @{HOME}/ r,
   owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
   owner @{user_share_dirs}/ r,
@@ -103,6 +110,18 @@ profile cockpit-bridge @{exec_path} {
   /dev/ptmx rw,
+  profile sudo {
+    include
+    include
+
+    signal (send receive) set=term peer=cockpit-bridge,
+
+    @{bin}/cockpit-bridge Px,
+    @{lib}/cockpit/cockpit-askpass Px,
+
+    include if exists
+  }
+
   profile udevadm {
     include
     include
diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd
index eaf340c6..cf4bf5bb 100644
--- a/apparmor.d/groups/virt/cockpit-update-motd
+++ b/apparmor.d/groups/virt/cockpit-update-motd
@@ -30,8 +30,6 @@ profile cockpit-update-motd @{exec_path} {
   capability net_admin,
   capability sys_ptrace,
-  @{PROC}/sys/kernel/cap_last_cap r,
-
   include if exists
 }
diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables
new file mode 100644
index 00000000..82eb1a73
--- /dev/null
+++ b/apparmor.d/groups/virt/xtables
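Review bot: `@{bin}/file ix,` runs libmagic's content parser inside the cockpit-bridge profile itself, a domain that, per the context lines of this and the next hunk, reads `/etc/shadow` and execs `@{bin}/@{shells} Ux` unconfined; if the profile set ships a standalone `file` profile, `@{bin}/file Px,` keeps that parsing out of the bridge's domain, and if it does not, a comment on why `ix` is acceptable belongs on the line. In the fourth hunk the new `profile sudo` child grants `@{bin}/cockpit-bridge Px,`, i.e. it transitions back into this profile as root; that is presumably the intended privilege boundary, so a comment such as `# sudo re-enters cockpit-bridge as root: this is the privileged bridge path` would keep a later reviewer from reading it as an accidental loop. `@{bin}/virsh rPUx,` and `@{bin}/virt-install PUx, # TODO: rPx` still fall back to unconfined and remain open TODOs.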
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi
+profile xtables {
+  include
+  include
+  include
+
+  capability net_admin,
+  capability net_raw,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet raw,
+  network inet6 raw,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /usr/share/iproute2/{,**} r,
+
+  /etc/iproute2/{,**} r,
+  /etc/iptables/{,**} rw,
+  /etc/libnl/classid r,
+  /etc/nftables.conf rw,
+
+  @{run}/xtables.lock rwk,
+
+  @{PROC}/@{pids}/net/ip_tables_names r,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index 74fbebcb..bfd0b457 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@@ -27,8 +27,6 @@ profile aa-log @{exec_path} {
   /{run,var}/log/journal/ r,
   /{run,var}/log/journal/@{hex32}/{,*} r,
-  @{PROC}/sys/kernel/cap_last_cap r,
-
   /dev/tty@{int} rw,
   include if exists
diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall
index 28a39347..f3ce650e 100644
--- a/apparmor.d/profiles-a-f/convertall
+++ b/apparmor.d/profiles-a-f/convertall
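Review bot: `profile xtables {` carries no attachment path even though `@{exec_path}` is defined two lines above it, so the profile can only be entered through an explicit `-> xtables` transition from another profile, and the file it replaces was named `cni-xtables-nft`; no hunk in this patch updates a caller that transitioned to the old name, so any profile still doing `Px -> cni-xtables-nft` will fail to exec until it is renamed. If the missing attachment is deliberate (a named helper profile rather than a globally attached one), a comment such as `# Named profile only: entered via -> xtables, not attached to @{exec_path}` above the `profile` line would make that explicit. `/etc/iptables/{,**} rw,` and `/etc/nftables.conf rw,` are write access to the firewall policy itself, carried over from the old profile, and deserve a line on which caller needs to write rather than read them.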
@@ -10,35 +10,28 @@ include
 @{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py
 profile convertall @{exec_path} {
   include
-  include
-  include
-  include
+  include
   include
-  include
-  include
-  include
-  include
-  include
-  include
+  include
   include
+  include
+  include
   @{exec_path} r,
   @{sh_path} rix,
   @{bin}/python3.@{int} rix,
-  owner @{HOME}/.convertall rw,
-
-  deny owner @{PROC}/@{pid}/cmdline r,
-
   /usr/share/convertall/{,**} r,
   /usr/share/doc/convertall/{,*} r,
-  /usr/share/hwdata/pnp.ids r,
-  /var/lib/dbus/machine-id r,
   /etc/machine-id r,
+  owner @{HOME}/.convertall rw,
+
+  deny owner @{PROC}/@{pid}/cmdline r,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 3796dfbc..b3c963dd 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -15,47 +15,47 @@ profile pass @{exec_path} {
   @{exec_path} mr,
   @{sh_path} rix,
-  @{bin}/base64 rix,
-  @{bin}/basename rix,
-  @{bin}/cat rix,
-  @{bin}/cp rix,
-  @{bin}/diff rix,
-  @{bin}/dirname rix,
-  @{bin}/env rix,
-  @{bin}/find rix,
-  @{bin}/getopt rix,
-  @{bin}/grep rix,
-  @{bin}/head rix,
-  @{bin}/mkdir rix,
-  @{bin}/mktemp rix,
-  @{bin}/mv rix,
-  @{bin}/rm rix,
-  @{bin}/rmdir rix,
-  @{bin}/sed rix,
-  @{bin}/shred rix,
-  @{bin}/sleep rix,
-  @{bin}/sort rix,
-  @{bin}/tail rix,
-  @{bin}/touch rix,
-  @{bin}/tr rix,
-  @{bin}/tree rix,
-  @{bin}/tty rix,
-  @{bin}/which rix,
+  @{bin}/base64 ix,
+  @{bin}/basename ix,
+  @{bin}/cat ix,
+  @{bin}/cp ix,
+  @{bin}/diff ix,
+  @{bin}/dirname ix,
+  @{bin}/env r,
+  @{bin}/find ix,
+  @{bin}/getopt ix,
+  @{bin}/grep ix,
+  @{bin}/head ix,
+  @{bin}/mkdir ix,
+  @{bin}/mktemp ix,
+  @{bin}/mv ix,
+  @{bin}/rm ix,
+  @{bin}/rmdir ix,
+  @{bin}/sed ix,
+  @{bin}/shred ix,
+  @{bin}/sleep ix,
+  @{bin}/sort ix,
+  @{bin}/tail ix,
+  @{bin}/touch ix,
+  @{bin}/tr ix,
+  @{bin}/tree ix,
+  @{bin}/tty ix,
+  @{bin}/which ix,
-  @{bin}/git rCx -> git,
-  @{bin}/gpg{2,} rCx -> gpg,
-  @{bin}/pkill rCx -> pkill,
-  @{bin}/qdbus rCx -> qdbus,
-  @{editor_path} rCx -> editor,
-  @{lib}/git{,-core}/git rCx -> git,
-  @{bin}/wl-{copy,paste} rPx,
-  @{bin}/xclip rPx,
+  @{bin}/git Cx -> git,
+  @{bin}/gpg{2,} Cx -> gpg,
+  @{bin}/pkill Cx -> pkill,
+  @{bin}/qdbus Cx -> qdbus,
+  @{bin}/wl-{copy,paste} Px,
+  @{bin}/xclip Px,
+  @{editor_path} Cx -> editor,
+  @{lib}/git{,-core}/git Cx -> git,
   # Pass extensions
-  @{bin}/oathtool rix, # pass-otp
-  @{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit
-  @{bin}/qrencode rPUx, # pass-otp
-  @{bin}/tomb rPUx, # pass-tomb
+  @{bin}/oathtool ix, # pass-otp
+  @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit
+  @{bin}/qrencode PUx, # pass-otp
+  @{bin}/tomb PUx, # pass-tomb
   /usr/share/terminfo/** r,
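Review bot: Dropping `r` from the `rix` rules is harmless for ELF binaries but not for interpreted tools: under `ix` the interpreter runs in this same profile and has to open and read the script, so `@{bin}/which ix,` breaks on distributions where which is a shell script (Debian's debianutils version is), and the same applies to any other listed tool that a distribution ships as a script. Keeping `@{bin}/which rix,`, or adding `@{bin}/which r,` beside it, avoids that. `@{bin}/env r,` additionally loses exec altogether, which is only correct if pass never invokes env as a command (as opposed to its shebang interpreter); a short comment on the line would record that assumption. The profile continues outside the hunk.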
diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
index a5f4a7ef..0dc19e1a 100644
--- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@@ -7,8 +7,10 @@ abi ,
 include
+@{name} = signal-desktop{,-beta}
 @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta}
 @{config_dirs} = @{user_config_dirs}/Signal{,?Beta}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
 @{exec_path} = @{lib_dirs}/chrome-sandbox
 profile signal-desktop-chrome-sandbox @{exec_path} {
@@ -19,7 +21,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
   @{exec_path} mr,
-  @{lib_dirs}/signal-desktop{,-beta} rPx,
+  @{lib_dirs}/@{name} rPx,
   @{PROC}/@{pid}/ r,
   @{PROC}/@{pid}/oom_adj w,
diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
index 87afa46e..aae60639 100644
--- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
+++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
@@ -17,7 +17,6 @@ profile spice-client-glib-usb-acl-helper @{exec_path} {
   @{exec_path} mr,
-  @{PROC}/sys/kernel/cap_last_cap r,
   owner @{PROC}/@{pid}/stat r,
   include if exists
diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl
index 9979c924..1e9d5098 100644
--- a/apparmor.d/profiles-s-z/switcherooctl
+++ b/apparmor.d/profiles-s-z/switcherooctl
@@ -12,7 +12,7 @@ profile switcherooctl @{exec_path} {
   include
   include
-  #aa:dbus own bus=system name=net.hadess.SwitcherooControl
+  #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb
index 44a34595..cc540ae9 100644
--- a/apparmor.d/profiles-s-z/tomb
+++ b/apparmor.d/profiles-s-z/tomb
@@ -115,9 +115,10 @@ profile tomb @{exec_path} {
   include
   include
+  capability dac_read_search,
   capability sys_admin,
-  umount @{MOUN TS}/{,*/},
+  umount @{MOUNTS}/{,**/},
   @{bin}/umount mr,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 6f74c826..b835be9e 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -11,8 +11,6 @@ include
 profile udisksd @{exec_path} flags=(attach_disconnected) {
   include
   include
-  include
-  include
   include
   include
@@ -60,9 +58,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   umount @{run}/udisks2/temp-mount-*/,
   umount /media/cdrom@{int}/,
-  signal (receive) set=(int) peer=@{p_systemd},
+  signal receive set=int peer=@{p_systemd},
   #aa:dbus own bus=system name=org.freedesktop.UDisks2
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
@@ -88,6 +88,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   @{bin}/sgdisk rPx,
   @{bin}/systemctl rCx -> systemctl,
   @{bin}/systemd-escape rPx,
+  @{bin}/xfs_db rPUx,
   /etc/crypttab r,
   /etc/fstab r,
diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui
index ceefecbf..3a729a98 100644
--- a/apparmor.d/profiles-s-z/wpa-gui
+++ b/apparmor.d/profiles-s-z/wpa-gui
@@ -10,20 +10,13 @@ include
 @{exec_path} = @{bin}/wpa_gui
 profile wpa-gui @{exec_path} {
   include
-  include
+  include
   include
-  include
-  include
-  include
-  include
+  include
   include
-  include
-  include
   @{exec_path} mr,
-  /usr/share/hwdata/pnp.ids r,
   owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w,
   owner /dev/shm/#@{int} rw,
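Review bot: `capability dac_read_search,` lets the code in this block bypass read and search permission checks on every file on the system, and in the same hunk the umount rule widens from `@{MOUNTS}/{,*/}` to `@{MOUNTS}/{,**/}` (any nesting depth); neither change carries a comment, and the commit message does not mention them. A line such as `# dac_read_search: <reason the umount helper needs to traverse paths it does not own>` above the capability, plus a note on which nested mount layout needs `**/`, would let a reader judge whether both are still required later. The block this hunk sits in starts and ends outside the hunk, so whether it is the main profile or a child cannot be confirmed from here.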
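Review bot: In the udisksd section, `@{bin}/xfs_db rPUx,` lets the daemon run xfs_db unconfined whenever no profile for it is loaded; xfs_db is launched by a root daemon against block devices, so the unconfined fallback is a wide gap next to the `rPx` used for `sgdisk` and `systemd-escape` in the same hunk. If no xfs_db profile exists yet, `@{bin}/xfs_db rPUx, # TODO: rPx once an xfs_db profile exists` records the intent in the style already used elsewhere in the set; if one exists, `rPx` is the better choice. The first hunk of this section drops two includes whose names are not visible in this rendering, so that removal cannot be checked from here.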