diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
new file mode 100644
index 00000000..38567f5c
--- /dev/null
+++ b/apparmor.d/profiles-s-z/snap
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap
+profile snap @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mrix,
+
+ /snap/{,**} rw,
+ /snap/snapd/[0-9]*/usr/lib/snapd/snap-confine rPx,
+ /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx,
+ /snap/snapd/[0-9]*/usr/lib/snapd/snapd r,
+
+ /etc/fstab r,
+
+ /var/lib/snapd/{,**} rwk,#
+
+ owner @{HOME}/snap/{,**} rw,
+
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+
+ @{run}/snapd.socket rw,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ @{sys}/kernel/security/apparmor/features/ r,
+
+ owner @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/cgroups r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/random/uuid r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+ @{PROC}/version r,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper
similarity index 100%
rename from apparmor.d/groups/ubuntu/snap-device-helper
rename to apparmor.d/profiles-s-z/snap-device-helper
diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns
new file mode 100644
index 00000000..31d36f25
--- /dev/null
+++ b/apparmor.d/profiles-s-z/snap-discard-ns
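Review bot: The line `/var/lib/snapd/{,**} rwk,#` in the snap profile carries a dangling `#`; the parser will treat it as an empty comment so it loads, but it reads like a lost note and should either be removed or completed. More substantively, this is the unprivileged client binary, yet it gets `rw` on the entire `/snap/{,**}` tree and `rwk` on all of `/var/lib/snapd/{,**}`, the same write scope the daemon profile in this change grants itself; the client normally drives snapd through `@{run}/snapd.socket`, so read access is presumably what most of these paths need. Since the profile starts in complain mode, consider narrowing to `r` and widening only from observed denials, so a compromised or tricked client cannot rewrite snapd state directly.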
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns
+profile snap-discard-ns @{exec_path} {
+ include
+
+ capability setgid,
+
+ @{exec_path} mr,
+
+ / r,
+ @{run}/ r,
+ @{run}/snapd/ r,
+ @{run}/snapd/lock/ r,
+ @{run}/snapd/lock/*.lock rwk,
+ @{run}/snapd/ns/ r,
+ @{run}/snapd/ns/* rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
new file mode 100644
index 00000000..4f6a5a97
--- /dev/null
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-failure
+profile snap-failure @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp
new file mode 100644
index 00000000..767c76a4
--- /dev/null
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp
+profile snap-seccomp @{exec_path} {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp r,
+
+ /var/lib/snapd/seccomp/bpf/{,**} rw,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ owner @{PROC}/@{pids}/mountinfo r,
+
+ include if exists
+}
\ No newline at end of file
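Review bot: The snap-discard-ns profile grants `@{run}/snapd/ns/* rw,` but no `umount` rule, and the snapd profile in this same change shows mount mediation is active (it carries explicit `mount`/`umount` rules). As far as I know this helper's job is to detach the preserved mount namespace kept as a file under `@{run}/snapd/ns/` before removing it, so it will presumably also need `umount @{run}/snapd/ns/*,`; complain-mode logs should confirm. The `capability setgid,` grant on a privilege-dropping setuid helper is also worth a one-line comment stating why only setgid and not setuid is needed, since the asymmetry is not obvious from the rules.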
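Review bot: The snap-failure profile permits nothing beyond `@{exec_path} mr,`, which cannot be the whole picture for a recovery helper. If snap-failure does what its name suggests in snapd, re-executing the previously working snapd revision and driving systemctl when the daemon fails to start, it will need at least an exec rule such as `/snap/snapd/[0-9]*/usr/lib/snapd/snapd rPx,` plus one for `/{usr/,}bin/systemctl`; with the profile in complain mode these will show up as audit denials on the first failure path, which is exactly when this helper must not be blocked. A short header comment stating the helper's expected behavior would make the deliberately minimal rule set reviewable.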
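Review bot: In the snap-seccomp profile the rule `/snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp r,` is already covered by `@{exec_path} mr,`, since `@{exec_path}` expands to that exact path among others; the explicit line can be dropped. `network netlink raw,` in a seccomp-filter compiler is not self-explanatory and deserves a why-comment (presumably a runtime need rather than the tool's own logic; verify against the denial that motivated it) so a future reviewer does not widen or keep it blindly.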
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
new file mode 100644
index 00000000..3e4fd84f
--- /dev/null
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns
+profile snap-update-ns @{exec_path} {
+ include
+
+ capability sys_admin,
+ capability sys_chroot,
+
+ @{exec_path} mr,
+
+ /var/lib/snapd/mount/{,*} r,
+
+ @{run}/snapd/lock/*.lock rwk,
+ @{run}/snapd/ns/{,**} rw,
+
+ @{sys}/fs/cgroup/{,**/} r,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/cmdline r,
+ @{PROC}/version r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
new file mode 100644
index 00000000..b7a491c9
--- /dev/null
+++ b/apparmor.d/profiles-s-z/snapd
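Review bot: The snap-update-ns profile grants `capability sys_admin,` and `capability sys_chroot,` and reads mount profiles from `/var/lib/snapd/mount/{,*}`, but contains no `mount`, `umount` or `pivot_root` rules, while the snapd profile in this same change shows that mount mediation is in effect. If this helper applies those mount profiles inside the snap's namespace, as its name and capabilities suggest, the mount operations will be denied (logged, in complain mode) until explicit mount rules are added; it would be better to enumerate them now, scoped to the sources and targets actually used, than to let the capability stand alone. A comment explaining what the `@{run}/snapd/ns/{,**} rw,` files are (preserved namespaces) would also help.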
@@ -0,0 +1,140 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd
+profile snapd @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability net_admin,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/,
+ umount /tmp/syscheck-mountpoint-[0-9]*/,
+ umount /snap/*/[0-9]*/,
+
+ ptrace (read) peer=unconfined,
+
+ dbus send bus=system path=/org/freedesktop/timedate1
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.timedate1),
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.PolicyKit1.Authority
+ member=CheckAuthorization
+ peer=(name=org.freedesktop.PolicyKit1),
+
+ @{exec_path} mr,
+
+ /{usr/,}{s,}bin/apparmor_parser rPx,
+ /{usr/,}{s,}bin/runuser rCx -> runuser,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/mount rix,
+ /{usr/,}bin/sync rix,
+ /{usr/,}bin/systemctl rix,
+ /{usr/,}bin/systemd-detect-virt rPx,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/udevadm rPx,
+ /{usr/,}bin/umount rix,
+ /{usr/,}bin/unsquashfs rix,
+ /{usr/,}bin/update-desktop-database rPx,
+
+ /snap/snapd/[0-9]*/lib/@{multiarch}/** mr,
+ /snap/snapd/[0-9]*/lib/@{multiarch}/ld-*.so rix,
+ /snap/snapd/[0-9]*/usr/bin/snap rPx,
+ /snap/snapd/[0-9]*/usr/lib/snapd/snap-discard-ns rPx,
+ /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx,
+ /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx,
+ /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix,
+ /snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ?
+
+ /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
+ /usr/share/dbus-1/services/*snap* r,
+ /usr/share/polkit-1/actions/{,**/} r,
+
+ /etc/dbus-1/system.d/{,**/} r,
+ /etc/fstab r,
+ /etc/modprobe.d/{,**/} r,
+ /etc/modules-load.d/{,**/} r,
+ /etc/systemd/system/{,**/} r,
+ /etc/systemd/system/snap* rw,
+ /etc/systemd/user/{,**/} r,
+ /etc/systemd/user/snap* rw,
+ /etc/udev/rules.d/{,*snap*} rw,
+
+ /snap/{,**} rw,
+ /var/cache/snapd/{,**} rwk,
+ /var/lib/snapd/{,**} rwk,
+ /var/snap/{,**} rw,
+
+ /var/cache/apparmor/{,*/} r,
+ /var/cache/apparmor/*/snap* rw,
+
+ /tmp/ r,
+ /tmp/syscheck-mountpoint-[0-9]*/{,**} rw,
+ /tmp/syscheck-squashfs-[0-9]* rw,
+ /tmp/read-file[0-9]*/{,**} rw,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/snap/{,**} rw,
+
+ owner @{run}/mount/ rw,
+ owner @{run}/mount/utab{,.*} rw,
+ owner @{run}/mount/utab.lock wk,
+
+ owner @{run}/user/{,@{uid}/} r,
+ owner @{run}/user/snap.*/{,**} rw,
+
+ @{run}/snapd-snap.socket rw,
+ @{run}/snapd.socket rw,
+ @{run}/snapd/lock/core[0-9]*.lock rwk,
+ @{run}/systemd/notify rw,
+ @{run}/systemd/private rw,
+
+ @{sys}/fs/cgroup/{,*/} r,
+ @{sys}/fs/cgroup/system.slice/{,**/} r,
+ @{sys}/fs/cgroup/user.slice/ r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/**/ r,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ @{sys}/kernel/security/apparmor/features/ r,
+ @{sys}/kernel/security/apparmor/profiles r,
+
+ owner @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/cgroups r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+ @{PROC}/version r,
+
+ /dev/loop-control rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d4886101..e1c1e42d 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
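Review bot: `/{usr/,}{s,}bin/runuser rCx -> runuser,` transitions into a child profile named `runuser`, but no `profile runuser { ... }` block appears anywhere inside the snapd profile in this hunk, which runs from the file header to the closing brace; unless the child is defined elsewhere, the transition has no target and runuser execs will fail (or the parser will refuse the profile). Either add the child profile or point the rule at a standalone profile with `rPx`. Separately, `unsquashfs`, `xdelta3` and `tar` are run `rix`, so they inherit a profile holding `sys_admin`, `dac_override`, `setuid` and `setgid` while they parse snap archive content that came over the network; the `# TODO: rPx ?` on xdelta3 already identifies the right fix, and the same argument applies to unsquashfs and tar, so a parser bug in those tools would not carry the daemon's full capability set.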
@@ -128,7 +128,13 @@ s3fs complain
 scrcpy complain
 sftp-server complain
 slirp4netns attach_disconnected,complain
+snap complain
 snap-device-helper complain
+snap-discard-ns complain
+snap-failure complain
+snap-seccomp complain
+snap-update-ns complain
+snapd complain
 spice-vdagent complain
 spice-vdagentd attach_disconnected,complain
 splunkforwarder complain