From 8dca20c5c6ac8a9c1ea7e0d92da0797573ac5fd9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 1 Feb 2023 22:37:33 +0000
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/freedesktop/pipewire | 2 +
 apparmor.d/groups/network/mullvad-gui | 4 +-
 apparmor.d/profiles-a-f/findmnt | 2 +
 apparmor.d/profiles-g-l/git | 2 +-
 apparmor.d/profiles-m-r/pass | 8 +--
 apparmor.d/profiles-m-r/pass-import | 4 +-
 apparmor.d/profiles-m-r/rpi-imager | 90 +++++++++-----------------
 apparmor.d/profiles-s-z/snapd | 6 +-
 8 files changed, 48 insertions(+), 70 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index 4c53aa8a..e58d58b2 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -76,6 +76,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/device:*/**/path r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
 /dev/media[0-9]* rw,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 7f1f122c..caf516f7 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -43,6 +43,8 @@ profile mullvad-gui @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /etc/libva.conf r,
+ /etc/igfx_user_feature{,_next}.txt w,
+ /var/lib/dbus/machine-id r,
 owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
@@ -53,7 +55,7 @@ profile mullvad-gui @{exec_path} {
 @{sys}/bus/pci/devices/ r,
 @{sys}/devices/virtual/tty/tty[0-9]*/active r,
- @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r,
+ @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config,resource,irq} r,
 @{PROC}/ r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
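Review bot: The added `/etc/igfx_user_feature{,_next}.txt w,` in the first mullvad-gui hunk grants a desktop application write access to a path under /etc, with nothing recording why. If the aim is only to quiet the logged denial from a graphics-driver probe (presumably the Intel media stack — confirm), `deny /etc/igfx_user_feature{,_next}.txt w,` does that without widening the profile, and a comment naming the component that probes the file would justify either choice. Since this access is not specific to Mullvad, it is also a candidate for a shared abstraction rather than a per-profile rule. The profile block begins and ends outside the hunk.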
diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt
index 3180ef65..0cd743ae 100644
--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,6 +11,7 @@ include
 profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
 include
 include
+ include
 capability dac_read_search,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 712a5ab5..6d4ec966 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -89,7 +89,7 @@ profile git @{exec_path} {
 owner /tmp/** rwkl -> /tmp/**,
 owner /tmp/**/bin/* rCx -> exec,
- owner @{HOME}/.gitconfig* r,
+ owner @{HOME}/.gitconfig* rw,
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 2226bb04..dc2ee985 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -55,7 +55,7 @@ profile pass @{exec_path} {
 /usr/share/terminfo/x/xterm-256color r,
- owner @{HOME}/.password-store/{,**} rw,
+ owner @{user_password_store_dirs}/{,**} rw,
 owner @{user_projects_dirs}/**/*-store/{,**} rw,
 owner @{user_config_dirs}/*-store/{,**} rw,
 owner /dev/shm/pass.*/{,*} rw,
@@ -83,7 +83,7 @@ profile pass @{exec_path} {
 owner @{HOME}/.fzf/plugin/fzf.vim r,
 owner @{HOME}/.viminfo{,.tmp} rw,
- owner @{HOME}/.password-store/ r,
+ owner @{user_password_store_dirs}/ r,
 owner @{user_projects_dirs}/**/*-store/ r,
 owner @{user_config_dirs}/*-store/ r,
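Review bot: The git hunk widens `owner @{HOME}/.gitconfig* r,` to `rw` without saying why the glob, rather than the single file, needs write access; git presumably rewrites its config through a `.gitconfig.lock` that is then renamed into place, which is exactly what the trailing `*` covers. A one-line comment would stop a later cleanup from tightening this back to the bare filename and breaking `git config --global`: `# git config writes .gitconfig.lock and renames it over .gitconfig`. The profile block begins and ends outside the hunk.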
@@ -116,8 +116,8 @@ profile pass @{exec_path} {
 owner @{HOME}/.gitconfig r,
 owner @{user_config_dirs}/git/{,*} r,
- owner @{HOME}/.password-store/ rw,
- owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
+ owner @{user_password_store_dirs}/ rw,
+ owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
 owner @{user_projects_dirs}/**/*-store/ rw,
 owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
 owner @{user_config_dirs}/*-store/ rw,
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index 76b653e5..6ed9aea1 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -32,9 +32,9 @@ profile pass-import @{exec_path} {
 /usr/share/file/misc/magic.mgc r,
- owner @{HOME}/.password-store/{,**} rw,
+ owner @{user_password_store_dirs}/{,**} rw,
 owner @{user_projects_dirs}/**/*-store/{,**} rw,
- owner @{user_config_dirs}/password-store/{,**} rw,
+ owner @{user_config_dirs}/*-store/{,**} rw,
 owner /tmp/[a-zA-Z0-9]* rw,
diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager
index 417d6ecc..fd6fecce 100644
--- a/apparmor.d/profiles-m-r/rpi-imager
+++ b/apparmor.d/profiles-m-r/rpi-imager
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,22 +10,25 @@ include
 @{exec_path} = /{usr/,}bin/rpi-imager
 profile rpi-imager @{exec_path} {
 include
- include
- include
- include
- include
+ include
+ include
 include
 include
 include
- include
- include
- include
+ include
+ include
+ include
+ include
 include
+ include
+ include
+ include
 include
+ include
 include
- include
+ include
 #capability sys_admin,
- deny capability sys_nice,
+ # deny capability sys_nice,
 network inet dgram,
 network inet6 dgram,
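Review bot: The link target on the added `rwkl` rule still points at `@{HOME}/.password-store/**` while the source side now uses `@{user_password_store_dirs}`, so when the store lives anywhere other than the default location (the reason for the variable) links created inside it are denied. Change it to `owner @{user_password_store_dirs}/** rwkl -> @{user_password_store_dirs}/**,`, which also matches how the `@{user_projects_dirs}` rule two lines below mirrors its own source path in the target. The profile block begins and ends outside the hunk.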
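Review bot: Commenting out `deny capability sys_nice,` in the rpi-imager include hunk leaves the capability neither granted nor explicitly denied; under enforcement it is still refused, but each attempt is now written to the audit log, which is precisely what the explicit deny was suppressing. If the capability is actually needed, the rule should be `capability sys_nice,`; if not, keep the deny and state the reason in a comment so the line is not toggled again, e.g. `# sys_nice: not needed, denied quietly to avoid log noise`. The include targets are not visible on this page, so their changes cannot be reviewed here, and the profile block continues past the hunk.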
@@ -35,70 +39,38 @@ profile rpi-imager @{exec_path} {
 @{exec_path} mr,
- /usr/bin/lsblk rCx -> lsblk,
+ /{usr/,}bin/lsblk rPx,
- # When rpi-imager is run as root, it wants to exec dbus-launch, and hence it creates the two
- # following root processes:
- # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
- # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
- #
- # Should this be allowed? Rpi-imager works fine without this.
- #/{usr/,}bin/dbus-launch rCx -> dbus,
- #/{usr/,}bin/dbus-send rCx -> dbus,
- deny /{usr/,}bin/dbus-launch rx,
- deny /{usr/,}bin/dbus-send rx,
-
- owner "@{user_config_dirs}/Raspberry Pi/" rw,
- owner "@{user_config_dirs}/Raspberry Pi/Imager.conf" rw,
- owner "@{user_config_dirs}/Raspberry Pi/Imager.conf.lock" rwk,
-
- owner "@{user_cache_dirs}/Raspberry Pi/" rw,
- owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
-
- owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/qtshadercache/ rw,
- owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
-
- # To configure Qt5 settings (theme, font, icons, etc.)
under DE/WM without Qt integration - owner @{user_config_dirs}/qt5ct/{,**} r, + /etc/fstab r, + /etc/X11/cursors/*.theme r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/hwdata/pnp.ids r, /usr/share/qt5ct/** r, - - owner @{user_config_dirs}/QtProject.conf r, + /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner "@{user_cache_dirs}/Raspberry Pi/" rw, + owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**", + owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache/ rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, + owner @{user_config_dirs}/qt5ct/{,**} r, + owner @{user_config_dirs}/QtProject.conf r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - /etc/X11/cursors/*.theme r, - /dev/disk/by-label/ r, - - profile lsblk { - include - include - include - - /usr/bin/lsblk mr, - - @{PROC}/swaps r, - owner @{PROC}/@{pid}/mountinfo r, - - # file_inherit - /dev/dri/card[0-9]* rw, - - } + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 8b8e7193..232168d3 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd 
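Review bot: The consolidated rule `owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,` drops the `k` that the removed `Imager.conf.lock" rwk,` rule carried, so file locking on that lock file is now refused; it should read `owner "@{user_config_dirs}/Raspberry Pi/{,**}" rwk,`. The `lsblk` child profile is deleted in the same hunk and the exec becomes `rPx`, which only works if a top-level lsblk profile exists elsewhere in the set — worth confirming, because otherwise the exec is denied rather than falling back. Removing the `deny /{usr/,}bin/dbus-launch rx,` pair means those execs are still refused under enforcement but are now logged; if that is the intent, a one-line comment replacing the deleted rationale would help the next reader. This hunk begins on the previous physical line, and the profile header is outside it.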
@@ -122,9 +122,9 @@ profile snapd @{exec_path} {
 owner @{run}/mount/utab{,.*} rw,
 owner @{run}/mount/utab.lock wk,
- owner @{run}/user/@{uid}/ r,
- owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
- owner @{run}/user/snap.*/{,**} rw,
+ @{run}/user/@{uid}/ r,
+ @{run}/user/@{uid}/snapd-session-agent.socket rw,
+ @{run}/user/snap.*/{,**} rw,
 @{run}/snapd*.socket rw,
 @{run}/snapd/{,**} rw,