diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 4c13e555..12eea120 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -4,12 +4,22 @@ dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} + member={GetAll,PropertiesChanged},Set + peer=(name=:*, label=wpa-supplicant), + + dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=org.freedesktop.DBus.Properties + member={GetAll,Set} + peer=(name=:*, label=wpa-supplicant), + + dbus send bus=system path=/fi/w1/wpa_supplicant1 + interface=fi.w1.wpa_supplicant1.Interface + member=CreateInterface peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface - member={Disconnect,RemoveNetwork,Scan} + member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork} peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} 
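Review bot: `member={GetAll,PropertiesChanged},Set` leaves `Set` outside the alternation, so the expression either fails to parse or only matches a member name containing a literal comma; either way `Set` is not actually granted, and it should read `member={GetAll,PropertiesChanged,Set}`. The new `member=CreateInterface` rule is attached to `interface=fi.w1.wpa_supplicant1.Interface` on the root object, whereas wpa_supplicant documents CreateInterface on the `fi.w1.wpa_supplicant1` interface, so this rule probably never matches — worth confirming against the audit log that prompted it. This abstraction is shared, so `Set`, `AddNetwork` and `SelectNetwork` become available to every profile that includes it; a short comment naming the consumer that needs write access would let later reviewers judge whether it belongs here or in that profile.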
@@ -17,25 +27,24 @@ member=Cancel peer=(name=:*, label=wpa-supplicant), - # Unconfined for now, don't know the label yet. - # dbus send bus=system path=/org/freedesktop - # interface=org.freedesktop.DBus.ObjectManager - # member=InterfacesRemoved - # peer=(name=:*, label=unconfined), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface - member={BSSAdded,BSSRemoved,NetworkRemoved,ScanDone,PropertiesChanged} + member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties - member=PropertiesChanged + member={GetAll,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} interface=org.freedesktop.DBus.Properties - member=PropertiesChanged + member={GetAll,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 0edc53cc..75ee94bf 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -2,6 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + dbus send bus=system path=/org/freedesktop/ModemManager1 + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects 
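Review bot: The `dbus receive … interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}` rules on the Interfaces and BSSs paths now allow receiving a `GetAll` method call from wpa-supplicant. Replies to the consumer's own `GetAll` calls are not mediated as `receive`, so unless the audit log shows wpa-supplicant itself invoking GetAll on the consumer, `GetAll` here looks copied from the `send` rules and can be dropped, keeping `member=PropertiesChanged`. The InterfacesRemoved rule resolves the old "label unknown" comment cleanly; a one-line comment such as `# InterfacesRemoved is emitted on /org/freedesktop when an interface disappears` would keep that context for the next reader.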
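Review bot: The added rule repeats the existing `GetManagedObjects` rule verbatim except for `peer=(name=org.freedesktop.ModemManager1, …)`; the existing rule's peer line is outside the hunk but presumably uses `name=:*`. The rest of this commit handles the same situation with a single alternation, so the two rules would collapse into one with `peer=(name="{:*,org.freedesktop.ModemManager1}", label=ModemManager),`, keeping this abstraction consistent with org.freedesktop.NetworkManager and org.freedesktop.UDisks2.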
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index e9add589..f6fbb547 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager 
@@ -5,66 +5,66 @@ dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={GetDevices,GetPermissions} - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member=ListConnections - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive 
bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=CheckPermissions - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index 8465f64c..956356c5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 
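Review bot: Widening every peer to `name="{:*,org.freedesktop.NetworkManager}"` does not weaken confinement because `label=NetworkManager` remains the binding constraint, and the same holds for the identical rewrites in org.freedesktop.UDisks2, org.freedesktop.UPower and org.freedesktop.login1 later in this commit. Since every peer line in the file is being touched, two pre-existing rules in this hunk are worth tidying at the same time: `dbus receive … interface=org.freedesktop.DBus.Properties member=CheckPermissions` looks like a misattribution (as far as I can tell CheckPermissions is a signal on the org.freedesktop.NetworkManager interface, not on Properties), and the standalone `interface=org.freedesktop.NetworkManager member=CheckPermissions` rule is already covered by the `member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}` rule that follows it.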
@@ -5,51 +5,51 @@ dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/** interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Properties member=Get - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2/jobs/@{int} interface=org.freedesktop.UDisks2.Job member=Completed - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/* 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 372fce27..93c1aefb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -10,7 +10,7 @@ dbus send bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=upowerd), + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), dbus send bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -21,14 +21,19 @@ member=GetDisplayDevice peer=(name=org.freedesktop.UPower, label=upowerd), + dbus send bus=system path=/org/freedesktop/UPower/devices/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + dbus send bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=upowerd), + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), dbus receive bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=upowerd), + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index d11829d8..67d24772 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 
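Review bot: The new `dbus send … path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member={Get,GetAll}` rule is already covered by the first rule of this file, whose `path=/org/freedesktop/UPower{,/**}` matches every device path with the same interface, members and peer, so it can be dropped. With that first rule's peer now `name="{:*,org.freedesktop.UPower}"`, the second `{Get,GetAll}` rule that follows it (its peer line is outside the hunk) is probably redundant too if it only differs by `name=org.freedesktop.UPower`.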
@@ -10,7 +10,7 @@ dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager @@ -20,12 +20,12 @@ dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} - peer=(name=:*, label=systemd-logind), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=systemd-logind), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 9d1a2884..f5291bb1 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -21,6 +21,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/file rix, @{bin}/head rix, + @{bin}/kbuildsycoca5 rPx, @{bin}/mv rix, @{bin}/readlink rix, @{bin}/realpath rix, diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca5 new file mode 100644 index 00000000..8173be58 --- /dev/null +++ b/apparmor.d/groups/kde/kbuildsycoca5 
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kbuildsycoca5 +profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + /usr/share/applications/kde-mimeapps.list r, + /usr/share/mime/mime.cache r, + /usr/share/mime/types r, + /var/lib/flatpak/exports/share/mime/types r, + + owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksycoca5_* rw, + owner @{user_config_dirs}/mimeapps.list r, + owner @{user_share_dirs}/applications/mimeapps.list r, + owner @{user_share_dirs}/mime/types r, + + /dev/tty r, + + include if exists +} diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f50ced75..9e1cf1a1 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -44,9 +44,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{exec_path} mr, - @{lib}/libheif/{,**} mr, - - @{bin}/dolphin rPUx, + @{lib}/libheif/ r, + @{lib}/libheif/{,**} mr, + @{lib}/kf5/kioslave5 rPx, + @{lib}/kf5/kdesu{,d} rix, + @{bin}/dolphin rPUx, # TODO: rPx, @{bin}/ksysguardd rix, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b02f3f5b..393f1cf4 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -10,6 +10,7 @@ include @{exec_path} = /etc/sddm/Xsession profile sddm-xsession @{exec_path} { include + include include include include 
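Review bot: The profile grants `owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int},` but has no rule on `@{user_cache_dirs}/#@{int}` itself, so creating and writing the temporary file the link refers to would presumably be denied; startplasma in this same commit pairs the equivalent link rule with `owner @{user_cache_dirs}/#@{int} rwk,`, and the same line is likely needed here. The two `ksycoca5_*` rules can also be merged into `owner @{user_cache_dirs}/ksycoca5_* rwl -> @{user_cache_dirs}/#@{int},`. A header comment stating what the profile covers (the KDE service-cache rebuild helper, here reached from xdg-mime via `rPx`) would help readers who do not know the binary.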
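Review bot: `@{lib}/kf5/kdesu{,d} rix,` runs KDE's graphical su front end and its password-caching daemon inside plasmashell's own profile, so everything they do — including whatever they exec next — is judged against plasmashell's rules and no dedicated profile can constrain them. The same hunk gives kioslave5 an `rPx` transition; kdesu and kdesud deserve the same treatment, or at least a comment explaining why inheriting plasmashell's confinement is acceptable. The `# TODO: rPx` on dolphin is fine as a marker, but a word on what currently blocks that transition would help whoever picks it up.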
@@ -25,14 +26,17 @@ profile sddm-xsession @{exec_path} { @{bin}/csh rix, @{bin}/date rix, @{bin}/fish rix, - @{bin}/id rix, + @{bin}/gettext.sh r, @{bin}/gpgconf rCx -> gpg, + @{bin}/id rix, + @{bin}/locale rix, + @{bin}/locale-check rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{bin}/mv rix, - @{bin}/locale-check rPx, - @{bin}/mktemp rix, - @{bin}/rm rix, @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @@ -57,12 +61,18 @@ profile sddm-xsession @{exec_path} { /etc/default/{,*} r, /etc/X11/{,**} r, - owner @{HOME}/.xsession-errors w, + owner @{HOME}/.xinputrc r, + owner @{HOME}/.xsession-errors rw, + @{HOME}/tmp.* rw, + + @{system_share_dirs}/im-config/data/{,*} r, + @{system_share_dirs}/im-config/xinputrc.common owner @{user_share_dirs}/sddm/xorg-session.log w, owner /tmp/xsess-env-* rw, owner /tmp/file* rw, + owner /tmp/tmp.* rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 6a95d46c..4d26e0a5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,6 +11,7 @@ profile startplasma @{exec_path} { include include include + include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, @@ -20,12 +21,17 @@ profile startplasma @{exec_path} { @{sh_path} rix, @{bin}/env rix, + @{bin}/{,ba,da}sh rix, + @{bin}/env rix, + @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/ksplashqml rPUx, @{bin}/plasma_session rPx, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, + @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/knotifications{5,6}/{,**} r, 
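Review bot: `@{bin}/locale-check rix,` replaces the former `@{bin}/locale-check rPx,`, dropping the transition into a separate profile in favour of running under sddm-xsession's rules; if a locale-check profile exists in the tree, that is a silent widening rather than part of the alphabetical reorder and deserves a word in the commit message or a comment beside the rule. The remainder of the hunk is a reorder plus `gettext.sh r`, which is fine.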
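Review bot: As rendered here, the added line `@{system_share_dirs}/im-config/xinputrc.common` carries neither a permission mode nor a terminating comma, which the parser would reject; unless that is an artifact of this view it should read `@{system_share_dirs}/im-config/xinputrc.common r,`. `@{HOME}/tmp.* rw,` is also the only new home-directory rule without `owner`, and it matches any `tmp.*` entry at the top of the home directory; `owner @{HOME}/tmp.* rw,` would match the neighbouring `owner /tmp/tmp.* rw,` and the other owner-qualified home rules in this hunk. A short comment naming what creates these files (presumably the `mktemp` added in the previous hunk) would explain why both locations are needed.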
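Review bot: `@{bin}/env rix,` is added directly below an identical existing `@{bin}/env rix,`, and `@{bin}/{,ba,da}sh rix,` largely duplicates `@{sh_path} rix,` two lines above (assuming `@{sh_path}` covers those shells, as its name suggests), so the hunk introduces two redundant rules; keeping `@{sh_path} rix,`, one `@{bin}/env rix,` and the new `@{bin}/grep rix,` is enough. If a shell outside the `@{sh_path}` set is genuinely needed, extending that variable is preferable to listing shells per profile.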
@@ -33,10 +39,16 @@ profile startplasma @{exec_path} { /usr/share/kservicetypes5/{,**} r, /usr/share/plasma/{,**} r, + /etc/locale.alias r, /etc/machine-id r, /etc/xdg/kcminputrc r, /etc/xdg/menus/{,**} r, - /etc/xdg/plasma-workspace/env/{,**} r, + /etc/xdg/plasma-workspace/env/{,*} r, + + /var/lib/flatpak/exports/share/mime/ r, + + @{HOME}/ r, + @{HOME}/.xsession-errors w, @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, @@ -69,7 +81,9 @@ profile startplasma @{exec_path} { owner @{run}/user/@{uid}/ r, - @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/maps r, /dev/tty r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index d1d068ae..e83223f1 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -22,12 +22,18 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=NetworkManager), + @{exec_path} mr, @{sh_path} rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chronyc rPUx, + @{bin}/chown rix, @{bin}/date rix, @{bin}/gawk rix, @{bin}/grep rix, 
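Review bot: `@{HOME}/.xsession-errors w,` is unqualified while sddm-xsession in this same commit uses `owner @{HOME}/.xsession-errors rw,`; for a session process writing its own error log, `owner @{HOME}/.xsession-errors w,` is the consistent and tighter form. `@{HOME}/ r,` is a listing of the home directory, which is acceptable, but a one-line comment on what triggers it would spare the next reader a trip to the audit log. Narrowing `/etc/xdg/plasma-workspace/env/{,**}` to `{,*}` is a welcome tightening.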
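Review bot: The new `GetManagedObjects` rule uses `peer=(name=:*, label=NetworkManager)` while this same commit moves the org.freedesktop.NetworkManager abstraction — which already contains this exact rule — to `name="{:*,org.freedesktop.NetworkManager}"`; either include that abstraction or use the same peer form so the two do not drift. `@{bin}/chown rix,` runs chown under the dispatcher's own profile; I cannot see whether `capability chown` is granted outside the hunk, and without it the call will be denied, so it is worth checking, together with a comment naming the dispatcher script that needs it.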
@@ -52,15 +58,21 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { /etc/NetworkManager/dispatcher.d/** rix, /etc/dhcp/dhclient-exit-hooks.d/ntp r, + # chown + / r, + /usr/share/tlp/{,**} rw, /etc/sysconfig/network/config r, /etc/fstab r, - @{run}/systemd/notify rw, - @{run}/tlp/{,*} rw, - @{run}/chrony-dhcp/ rw, - @{run}/ntp.conf.dhcp rw, + @{run}/chrony-dhcp/ rw, + @{run}/ntp.conf.dhcp rw, + @{run}/systemd/netif/leases/ r, + @{run}/systemd/notify rw, + @{run}/tlp/{,*} rw, + owner @{run}/ntp.conf.dhcp.@{rand6} rw, + owner /etc/ntp.conf r, @{sys}/class/net/ r, @@ -85,8 +97,11 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include + @{bin}/invoke-rc.d rm, @{sh_path} rix, + @{bin}/basename rix, @{bin}/ls rix, + # This doesn't seem to work, profile transition not found. @{bin}/systemctl rCx -> systemctl, / r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 5c9ced99..83f1ac55 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -67,6 +67,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { /etc/ r, @{etc_ro}/logrotate.conf rk, @{etc_ro}/logrotate.d/ r, + @{etc_ro}/rc*.d/ r, @{etc_ro}/logrotate.d/* rk, / r, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard index b627eb46..ea16957a 100644 --- a/apparmor.d/profiles-s-z/usbguard +++ b/apparmor.d/profiles-s-z/usbguard @@ -20,6 +20,10 @@ profile usbguard @{exec_path} { # Needed to create policy (usbguard generate-policy) network netlink dgram, + unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}), + + # dbus: own bus=system name=org.usbguard1 + @{exec_path} mr, /etc/usbguard/*.conf rw,
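Review bot: The comment `# chown` above `/ r,` names the tool but not the reason, so it reads as a stray note rather than documentation; `# chown, run from the dispatcher scripts, reads /` states what the pair of lines means. The regrouping of the `@{run}` rules is fine; `owner /etc/ntp.conf r,` is unusual for a file under /etc but harmless, and a word on which script reads it would help.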
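Review bot: Rather than committing `# This doesn't seem to work, profile transition not found.`, the transition should be fixed: `rCx -> systemctl` looks for a child profile named `systemctl` nested inside `invoke-rc`, and if the `systemctl` child is declared in the parent nm-dispatcher profile instead, the parser will not find it from here. Either nest a `profile systemctl { … }` inside `invoke-rc`, or, if the tree ships a standalone systemctl profile, use `@{bin}/systemctl rPx,`; leaving a known-broken transition in place means the exec is denied at runtime with only this comment as a hint.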
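Review bot: `@{etc_ro}/rc*.d/ r,` is inserted between `@{etc_ro}/logrotate.d/ r,` and `@{etc_ro}/logrotate.d/* rk,`, splitting that pair; move it below them. It also grants directory listings of the init rc directories, which logrotate itself has no evident reason to read, so a comment naming the postrotate helper that does (presumably an invoke-rc.d or service call) would justify keeping it in the main profile rather than in that helper's rules.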
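Review bot: `addr=@@{int}` restricts the abstract socket address to a decimal name; as far as I know kernel-autobound abstract addresses are five hexadecimal characters, so if that is the address form in the audit log, names containing a–f would still be denied — confirm the actual address shape before relying on `@{int}`. The commented `# dbus: own bus=system name=org.usbguard1` should either become the project's `#aa:dbus own bus=system name=org.usbguard1` directive as used in nm-dispatcher or be removed; owning the daemon's well-known name from the CLI profile would be wrong, and a dead comment invites someone to enable it. A comment on the unix rule naming the IPC it covers (the usbguard CLI talking to usbguard-daemon) would help too.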