From 8b60e56002129063d5692c20b0e43f554f51d943 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 4 Jun 2024 20:13:40 +0100
Subject: [PATCH] feat(profile): general update.
---
apparmor.d/groups/apt/dpkg-preconfigure | 2 ++
apparmor.d/groups/apt/unattended-upgrade | 3 +++
apparmor.d/groups/bus/dbus-session | 2 +-
apparmor.d/groups/bus/dbus-system | 6 ++---
apparmor.d/groups/gnome/gnome-control-center | 2 ++
.../groups/gnome/gnome-remote-desktop-daemon | 4 +++
apparmor.d/groups/gnome/gnome-shell | 6 +++--
apparmor.d/groups/gnome/gnome-text-editor | 2 ++
apparmor.d/groups/gvfs/gvfsd-wsdd | 1 +
apparmor.d/groups/network/nmcli | 15 +++--------
apparmor.d/groups/pacman/pacman | 10 +++----
apparmor.d/groups/pacman/pacman-key | 3 ++-
apparmor.d/groups/ssh/sshd | 5 ++++
apparmor.d/profiles-a-f/borg | 5 ----
.../profiles-g-l/gdk-pixbuf-query-loaders | 2 ++
apparmor.d/profiles-g-l/gpu-manager | 3 +++
apparmor.d/profiles-g-l/hostapd | 27 -------------------
apparmor.d/profiles-s-z/snapd | 2 +-
apparmor.d/profiles-s-z/spotify | 5 +++-
apparmor.d/profiles-s-z/wsdd | 24 +++++++++++++++++
dists/flags/main.flags | 1 +
21 files changed, 71 insertions(+), 59 deletions(-)
delete mode 100644 apparmor.d/profiles-g-l/hostapd
create mode 100644 apparmor.d/profiles-s-z/wsdd
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 9d8d3330..bb478957 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} {
 @{sh_path} rix,
 @{bin}/{,e}grep rix,
+ @{bin}/{,g,m}awk rix,
+ @{bin}/cat rix,
 @{bin}/dialog rix,
 @{bin}/locale rix,
 @{bin}/sed rix,
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 9ab8fc69..769b165a 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 signal (send) peer=apt-methods-http,
+ unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
+
 @{exec_path} mr,
 @{bin}/ r,
@@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/apt-dpkg-install-*/{,*} rw,
 @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pids}/fd/ r,
 /dev/ptmx rw,
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 4df679c9..4d8fc6cd 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) {
 @{bin}/** PUx,
 @{lib}/** PUx,
- /usr/share/** PUx,
+ /usr/share/*/** PUx,
 /etc/dbus-1/{,**} r,
 /usr/share/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index bb37fa90..ac13f478 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{bin}/** PUx,
- @{lib}/** PUx,
- /usr/share/*/** PUx,
+ @{bin}/** PUx,
+ @{lib}/** PUx,
+ /usr/share/*/** PUx,
 /etc/dbus-1/{,**} r,
 /usr/share/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 531a3273..fd2462ff 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{bin}/grep rix,
 @{bin}/locale rix,
 @{bin}/sed rix,
+ @{bin}/tecla rix,
 @{bin}/bwrap rCx -> bwrap,
 @{bin}/gkbd-keyboard-display rPx,
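Review bot: The new `unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,` rule carries no access list, so it grants every unix-socket permission (create, bind, listen, accept, connect, send, receive, ...) on that abstract address rather than only what the daemon was observed doing. If the daemon only creates and serves the socket, narrowing it to the accesses seen in the audit entries that motivated the rule (for example `unix (bind, listen, accept) type=stream addr=@@{hex16}/bus/unattended-upgr/system,`) keeps the grant minimal; the exact set should be confirmed from those entries. The enclosing profile starts and ends outside this hunk.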
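Review bot: `@{bin}/tecla rix,` runs the tecla keyboard viewer inside gnome-control-center's own profile, so it inherits the whole control-center rule set, including the `rCx -> bwrap` transition and the `@{PROC}` and cgroup accesses listed elsewhere in this file. The adjacent `@{bin}/gkbd-keyboard-display rPx,` handles the equivalent helper with a dedicated profile; `@{bin}/tecla rPx,` would keep the two consistent, provided a tecla profile exists or is added alongside. The profile header and footer lie outside this hunk.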
@@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
 @{PROC}/cmdline r,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index 9c7044d0..4fcf39da 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 @{exec_path} mr,
+ /usr/share/gnome-remote-desktop/{,**} r,
+
+ owner /var/lib/gnome-remote-desktop//{,**} r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index dd58dc81..217cc0d5 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_cache_dirs}/media-art/{,**} r,
 owner @{user_cache_dirs}/vlc/**/*.jpg r,
- @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
+ @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
 owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@@ -398,9 +398,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ unix receive type=stream,
+
 @{lib}/gio-launch-desktop mr,
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
-
+ @{lib}/* PUx,
 /usr/games/* PUx,
 /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor
index bfd2ed5f..6d40144c 100644
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
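Review bot: `owner /var/lib/gnome-remote-desktop//{,**} r,` has a doubled slash after the directory name, which looks like a typo; the kernel hands AppArmor canonical paths, so a rule that literally requires `//` will most likely never match and the intended read access is silently not granted (denials would still show up in the audit log). It should read `owner /var/lib/gnome-remote-desktop/{,**} r,`. The profile header is outside this hunk.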
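Review bot: `@{lib}/* PUx,` lets gnome-shell execute any binary that sits directly under @{lib}, transitioning to that binary's profile when one exists and otherwise running it unconfined; together with the existing `/usr/games/* PUx,` this is a wide exec surface for a process that handles untrusted desktop input, and the hunk names no specific helper that needs it. If the motivation is a particular program (the two gio-launch-desktop paths directly above are already listed explicitly), naming it or narrowing the glob to the helpers actually observed keeps the exec list reviewable. The new `unix receive type=stream,` rule likewise carries no `peer=` or `addr=` constraint, so it accepts stream data from any peer; a `peer=(label=...)` qualifier would narrow it if the sender is known. The enclosing profile starts and ends outside this hunk.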
@@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} {
 @{exec_path} mr,
+ /usr/share/enchant-*/{,**} r,
+
 owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
index 4c0459cf..d44e12db 100644
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} {
 @{exec_path} mr,
+ @{bin}/env r,
 @{bin}/wsdd rPx,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli
index 71fe1dcb..c3ae732b 100644
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@@ -15,7 +15,9 @@ profile nmcli @{exec_path} {
 @{exec_path} mr,
- @{bin}/less rCx -> pager,
+ @{bin}/less rPx -> child-pager,
+ @{bin}/more rPx -> child-pager,
+ @{bin}/pager rPx -> child-pager,
 owner @{HOME}/.nm-vpngate/*.ovpn r,
 owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@@ -26,16 +28,5 @@ profile nmcli @{exec_path} {
 @{sys}/devices/virtual/net/{,**} r,
 @{sys}/devices/@{pci}/net/*/{,**} r,
- profile pager {
- include
- include
-
- @{bin}/less mr,
-
- owner @{HOME}/.lesshs* rw,
- owner @{user_cache_dirs}/.lesshs* rw,
-
- }
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index e84e8aa5..d9c670d0 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -117,11 +117,6 @@ profile pacman @{exec_path} {
 /usr/** rwlk -> /usr/**,
 /var/** rwlk -> /var/**,
- @{PROC}/ r,
- @{run}/ r,
- @{sys}/{,**} r,
- /mnt r,
-
 # Read packages files
 @{user_pkg_dirs}/**/ r,
 @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
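Review bot: The three `rPx -> child-pager` transitions depend on a `child-pager` profile that this patch does not add, while the local `pager` subprofile that the old `rCx -> pager` relied on is deleted in the next hunk; if `child-pager` is not already shipped in the tree, every nmcli invocation that pipes through a pager is denied at exec time. Confirm the profile exists (it is not visible in this patch) and that it covers the pager history files the deleted subprofile allowed via `owner @{HOME}/.lesshs* rw,` and `owner @{user_cache_dirs}/.lesshs* rw,`, otherwise those become new denials. The profile header lies outside this hunk.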
@@ -132,13 +127,16 @@ profile pacman @{exec_path} {
 owner @{tmp}/checkup-db-@{int}/db.lck rw,
 @{run}/utmp rk,
-
+
+ @{sys}/{,**} r,
+ @{PROC}/@{pids}/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/environ r,
 @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/tty/drivers r,
 @{PROC}/uptime r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 5b363b2a..31994b37 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -16,13 +16,14 @@ profile pacman-key @{exec_path} {
 @{exec_path} mr,
+ @{bin}/{m,g,}awk rix,
 @{bin}/basename rix,
 @{bin}/bash rix,
 @{bin}/chmod rix,
- @{bin}/{m,g,}awk rix,
 @{bin}/gettext rix,
 @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/grep rix,
+ @{bin}/ngettext rix,
 @{bin}/pacman-conf rPx,
 @{bin}/touch rix,
 @{bin}/tput rix,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index fef44a12..59f2b4eb 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{etc_ro}/ssh/sshd_config.d/{,*} r,
 /etc/ssh/ssh_host_* r,
+ /var/lib/lastlog/ r,
+ /var/lib/lastlog/* rwk,
+ /var/lib/wtmpdb/ r,
+ /var/lib/wtmpdb/* rwk,
+
 # For scp
 owner @{user_download_dirs}/{,**} rwl,
 owner @{user_sync_dirs}/{,**} rwl,
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 739d1847..dffe9087 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -21,11 +21,6 @@ profile borg @{exec_path} {
 network inet6 dgram,
 network netlink raw,
- mount fstype=fuse -> @{MOUNTS}/,
- mount fstype=fuse -> @{MOUNTS}/*/,
- umount @{MOUNTS}/,
- umount @{MOUNTS}/*/,
-
 @{exec_path} r,
 @{bin}/ r,
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
index ad4a8d4c..cce69937 100644
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
@@ -21,5 +21,7 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
 @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
 @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
+ /usr/share/gvfs/remote-volume-monitors/{,**} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager
index 7e79f79c..9177b7b3 100644
--- a/apparmor.d/profiles-g-l/gpu-manager
+++ b/apparmor.d/profiles-g-l/gpu-manager
@@ -26,6 +26,9 @@ profile gpu-manager @{exec_path} {
 /var/log/gpu-manager.log w,
+ @{sys}/devices/@{pci}/boot_vga r,
+ @{sys}/module/compression r,
+
 @{PROC}/modules r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-g-l/hostapd b/apparmor.d/profiles-g-l/hostapd
deleted file mode 100644
index a57a22a7..00000000
--- a/apparmor.d/profiles-g-l/hostapd
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/hostapd
-profile hostapd @{exec_path} {
- include
- include
-
- capability net_admin,
- capability net_raw,
-
- @{exec_path} mr,
-
- /dev/rfkill r,
-
- /etc/hostapd.conf r,
- /etc/hostapd/{,*} r,
-
- @{run}/hostapd/{,**} rw,
- @{run}/hostapd.pid rw,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 7228dd88..dfae2999 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -153,7 +153,7 @@ profile snapd @{exec_path} {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
 @{sys}/kernel/kexec_loaded r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- @{sys}/kernel/security/apparmor/features/{,*/} r,
+ @{sys}/kernel/security/apparmor/features/{,**} r,
 @{sys}/kernel/security/apparmor/profiles r,
 @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index ba94636f..e588ffbc 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -41,7 +41,10 @@ profile spotify @{exec_path} {
 owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
 owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,
- owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/*/devices/ r,
 @{PROC}/pressure/* r,
diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd
new file mode 100644
index 00000000..46a3c40b
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wsdd
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/wsdd
+profile wsdd @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/env r,
+ @{bin}/python3.@{int} rix,
+
+ /etc/machine-id r,
+
+ owner @{run}/user/@{uid}/gvfsd/wsdd w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 733f75ee..4770b79e 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -373,6 +373,7 @@ virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain
+wsdd complain
 xdg-dbus-proxy attach_disconnected,complain
 xdg-desktop-icon complain
 xdg-desktop-portal-kde complain
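Review bot: `owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,` widens the previous `*.crx3` rule to every file and subdirectory under that temporary directory, turning a narrowly scoped component-download allowance into a general read/write scratch area in @{tmp}. If the additional files seen in the logs are a small known set, listing them next to the `.crx3` pattern preserves the narrower scope; if the whole tree is genuinely needed, a one-line comment above the rule stating what is written there would make the widening reviewable later. The profile header lies outside this hunk.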
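Review bot: The new wsdd profile contains no `network` rule, although a WS-Discovery daemon, as far as I know, sends and receives multicast UDP and serves HTTP over TCP, so in enforce mode it could not do its job; the companion `wsdd complain` line added to dists/flags/main.flags keeps it in complain mode, which is presumably why no denial surfaced. Before the profile is moved to enforce, the observed `network inet dgram`/`network inet stream` rules (and their ipv6 counterparts, if used) should be added from the audit log, so that the complain flag does not become permanent. `owner @{run}/user/@{uid}/gvfsd/wsdd w,` is write-only; if wsdd also reads from that gvfsd endpoint it will need `rw`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while it is new.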