From 7c24dde0281ca2f49cbaeae67f0b075a2b19f283 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 5 Sep 2023 19:15:01 +0100
Subject: [PATCH] feat(profile): rewrite profile for vscode (wip).

---
 apparmor.d/profiles-a-f/code | 91 +++++++++++++++++++++++++++---------
 apparmor.d/profiles-g-l/git | 4 ++
 dists/flags/main.flags | 1 +
 3 files changed, 73 insertions(+), 23 deletions(-)

diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index 52177aa3..a3d65766 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@@ -1,14 +1,16 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2023 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = @{bin}/code /usr/share/code/{bin/,}code
-profile code @{exec_path} {
+@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}
+
+@{exec_path} = @{lib}/electron@{int}/electron
+profile code flags=(attach_disconnected) {
   include
   include
   include
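Review bot: The new header `profile code flags=(attach_disconnected) {` has no attachment path, so after this change the profile is not applied to any executable on its own; the body still uses `@{exec_path} mrix,`, which suggests the attachment was dropped by accident rather than by design. Restoring `profile code @{exec_path} flags=(attach_disconnected) {` fixes that; if the intent is instead to enter this profile only through an explicit `px -> code` transition from another profile (plausible, since `@{lib}/electron@{int}/electron` is a binary shared by every Electron app), a one-line comment above the header saying so would spare the next reader the same question. Either way, the old `@{bin}/code /usr/share/code/{bin/,}code` paths are no longer attached anywhere, so the packaged launcher runs unconfined unless another profile covers it.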
@@ -17,36 +19,58 @@ profile code @{exec_path} {
   include
   include
   include
-  include
+  include
+  include
+  include
   include
+  include
-  # ptrace (read) peer=lsb_release,
+  capability sys_ptrace,
+
+  network inet stream,
+  network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  signal (send),
   @{exec_path} mrix,
-  @{lib}/code/extensions/git/dist/askpass.sh rPx,
-  @{lib}/code/extensions/git/dist/git-editor.sh rPx,
+  @{lib}/code/node_modules.asar.unpacked/**.node rm,
+
+  # Core tools
+  @{bin}/git rPx,
+  @{bin}/rg rix,
+  @{bin}/gpg{,2} rPx,
+  @{bin}/lsb_release rPx -> lsb_release,
+  @{bin}/gio rPx -> child-open,
+  @{lib}/gio-launch-desktop rPx -> child-open,
+  @{bin}/xdg-open rPx -> child-open,
   # The shell is not confined on purpose.
   @{bin}/{,b,d,rb}ash rUx,
   @{bin}/{c,k,tc,z}sh rUx,
-  @{bin}/git rPx,
-  @{bin}/gpg{,2} rPUx,
-  @{bin}/lsb_release rPx -> lsb_release,
+  # Confine some common tools
+  @{lib}/code/extensions/git/dist/askpass.sh rPx,
+  @{lib}/code/extensions/git/dist/git-editor.sh rPx,
-  # /usr/share/code/** r,
-  # /usr/share/code/libffmpeg.so mr,
-  # /usr/share/code/resources/**/bin/* rix,
-  # /usr/share/code/resources/**.node mr,
+  # Do NOT confine most of the extensions
+  @{bin}/[a-z0-9]* rPUx,
+  @{code_config_dirs}/extensions/** rPUx,
+  @{HOME}/.go/bin/* rPUx,
+  @{lib}/go/bin/* rPUx,
+  @{bin}/python[0-9]* rUx
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
+  /etc/libva.conf r,
+  /etc/shells r,
+  /etc/lsb-release r,
-  owner @{user_config_dirs}/Code/ rw,
-  owner @{user_config_dirs}/Code/** rwkl -> {HOME}/.config/Code/**,
-  owner @{HOME}/.vscode/ rw,
-  owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
+  owner @{HOME}/@{XDG_SSH_DIR}/config r,
+
+  owner @{code_config_dirs}/ rw,
+  owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**,
   owner @{user_projects_dirs}/ r,
   owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
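Review bot: `@{bin}/python[0-9]* rUx` in the "Do NOT confine most of the extensions" group has no trailing comma, so the profile will not parse until it reads `@{bin}/python[0-9]* rUx,` (whitespace collapsing in this rendering cannot have eaten a comma, so the defect is in the commit). Two new rules are also far broader than the rest of the block and deserve a why-comment: `@{bin}/[a-z0-9]* rPUx,` lets the editor execute essentially any system binary, falling back to unconfined when no profile exists, which makes the specific `rPx`/`rix` rules in "Core tools" above it mostly cosmetic, and `signal (send),` carries no `peer=` restriction, so the editor may signal any process it has DAC rights over. Since AppArmor has no rule priority, the overlap between that glob and the specific exec rules for git, gpg and lsb_release is also worth a parse check, as overlapping exec rules with different transitions can be rejected as conflicting x modifiers. If the wide fallback is intentional for the wip state, a comment such as `# TODO: narrow once extension execs are enumerated` would make that explicit.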
@@ -56,14 +80,35 @@ profile code @{exec_path} {
   owner /tmp/vscode-ipc-@{uuid}.sock rw,
   owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
-  owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw,
+  owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
+  owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw,
+
+  @{run}/systemd/inhibit/*.ref rw,
+
+  @{sys}/devices/system/cpu/present r,
+  @{sys}/devices/system/cpu/kernel_max r,
+  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+  @{sys}/devices/pci[0-9]*/**/irq r,
   @{PROC}/ r,
   @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pids}/task/ r,
-  owner @{PROC}/@{pids}/task/@{tid}/status r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/loadavg r,
+  @{PROC}/sys/fs/inotify/max_user_watches r,
+  @{PROC}/sys/kernel/yama/ptrace_scope r,
+  @{PROC}/version r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/comm w,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/oom_score_adj rw,
+  owner @{PROC}/@{pid}/statm r,
+  owner @{PROC}/@{pids}/clear_refs w,
+  owner @{PROC}/@{pids}/task/ r,
+  owner @{PROC}/@{pids}/task/@{tid}/status r,
+
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   include if exists
 }
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 5a2ef07b..4b628a54 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -7,6 +7,8 @@ abi ,
 include
+@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}
+
 @{exec_path} = @{bin}/git
 @{exec_path} += @{bin}/git-*
 @{exec_path} += @{lib}/git-core/git
@@ -104,6 +106,8 @@ profile git @{exec_path} {
   owner /tmp/git-commit-msg-.txt rw,
   # For android studio
   deny @{user_share_dirs}/gvfs-metadata/* r,
+  deny /dev/shm/.org.chromium.Chromium* rw,
+  deny owner @{code_config_dirs}/** rw,
   profile gpg {
     include
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 3d16b393..6b2568f1 100644
--- a/dists/flags/main.flags
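Review bot: `@{PROC}/@{pid}/stat r,` is the only new procfs read in this block without `owner`, while the neighbouring `cgroup`, `cmdline`, `statm` and `oom_score_adj` rules all carry it; unless an extension genuinely needs the stat of other users' processes, `owner @{PROC}/@{pid}/stat r,` keeps the exposure of process metadata consistent with the rest of the profile. `owner @{PROC}/@{pids}/clear_refs w,` is also the one new write that touches another process's memory accounting, and nothing in the hunk says which tool needs it; a why-comment on that line, e.g. `# Required by <extension name> to reset page reference bits`, would let a reviewer judge whether the `@{pids}` scope is right or whether `@{pid}` suffices.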
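Review bot: `@{code_config_dirs}` is defined here with the same literal value as in apparmor.d/profiles-a-f/code, so the two copies will drift the next time one of them gains a path; the git profile only needs it for `deny owner @{code_config_dirs}/** rw,` in the second hunk of this file, so a single definition in a tunable included by both profiles, or at least a `# Keep in sync with profiles-a-f/code` comment on each copy, would be safer. The deny itself is fine for silencing noise: `deny` takes precedence over the profile's allow rules regardless of order, so no ordering caveat is needed.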
+++ b/dists/flags/main.flags
@@ -48,6 +48,7 @@ cockpit-ssh complain
 cockpit-tls complain
 cockpit-ws complain
 cockpit-wsinstance-factory complain
+code complain
 containerd-shim-runc-v2 attach_disconnected,complain
 ctop complain
 cups-backend-beh complain