diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index 858acb47..f2e76bcd 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -37,8 +37,8 @@
 owner / r,
 owner /newroot/{,**} w,
- owner @{tmp}/newroot/ w,
- owner @{tmp}/oldroot/ w,
+ owner /tmp/newroot/ w,
+ owner /tmp/oldroot/ w,
 @{PROC}/sys/kernel/overflowgid r,
 @{PROC}/sys/kernel/overflowuid r,
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 6a99696c..abd90074 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -30,14 +30,21 @@ profile grub-probe @{exec_path} {
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/devices r,
-
+
 /dev/*vg*/ r,
 /dev/bsg/ r,
+ /dev/bus/ r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/@{int}/ r,
 /dev/cpu/ r,
 /dev/cpu/@{int}/ r,
+ /dev/dma_heap/ r,
 /dev/dri/ r,
 /dev/dri/by-path/ r,
 /dev/hugepages/ r,
+ /dev/input/ r,
+ /dev/input/by-id/ r,
+ /dev/input/by-path/ r,
 /dev/mapper/control rw,
 /dev/mqueue/ r,
 /dev/shm/ r,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index dc9c76a2..05b6b946 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -13,6 +13,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 capability net_admin,
 capability sys_nice,
@@ -30,6 +31,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{sh_path} rix,
+ @{bin}/python3.@{int} rix,
 @{bin}/basename rix,
 @{bin}/cat rix,
 @{bin}/chronyc rPUx,
diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad
index fa379675..e61709db 100644
--- a/apparmor.d/groups/xfce/mousepad
+++ b/apparmor.d/groups/xfce/mousepad
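Review bot: The switch from `@{tmp}` to a literal `/tmp/` for the newroot/oldroot directories is not explained, and a later reader seeing a hard-coded path in a file that otherwise uses tunables will be tempted to change it back. If the reason is that bwrap creates these directories on its own private tmpfs inside the new mount namespace, where the path is always /tmp whatever @{tmp} expands to on the host, say so above the two rules: `# bwrap pivots through /tmp/{new,old}root on a private tmpfs inside its own mount namespace, so @{tmp} does not apply`. The hunk does not show the abstraction's mount or pivot_root rules, so that wording should be checked against them before it goes in.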
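Review bot: The per-directory list under /dev keeps growing (`/dev/bus/`, `/dev/bus/usb/@{int}/`, `/dev/dma_heap/`, `/dev/input/by-id/`, ...), and together with the existing `/dev/bsg/`, `/dev/cpu/@{int}/` and `/dev/dri/by-path/` entries it looks as if grub-probe simply walks the whole /dev tree while searching for block devices. If that is the case, a single `/dev/**/ r,` states the intent and stops the trickle of additions; it permits listing directories only, not opening device nodes, so it does not widen what grub-probe can actually touch. If the list is deliberately enumerated to keep the profile tight, a comment saying so would stop the next reviewer from consolidating it.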
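Review bot: `@{bin}/python3.@{int} rix,` runs the interpreter inside nm-dispatcher's own profile, which (per the first hunk of this file) holds `capability net_admin` and `capability sys_nice`, so any Python dispatcher script inherits those capabilities and every rule here. That is consistent with how `@{sh_path} rix` already treats shell scripts, so it is not a defect, but it is the kind of line that later looks like a stray interpreter rule; a comment such as `# dispatcher.d scripts written in python` would tie it to its purpose. Scripts that need less than the full profile can still be given their own `rPx` profile instead.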
@@ -18,11 +18,16 @@ profile mousepad @{exec_path} {
 @{open_path} rPx -> child-open-help,
+ /usr/share/hunspell/{,**} r,
+
 owner @{user_config_dirs}/Mousepad/ rw,
- owner @{user_config_dirs}/Mousepad/{,**} rw,
+ owner @{user_config_dirs}/Mousepad/** rwk,
+
+ owner @{user_config_dirs}/enchant/ rw,
+ owner @{user_config_dirs}/enchant/ rwk,
 owner @{user_share_dirs}/Mousepad/ rw,
- owner @{user_share_dirs}/Mousepad/{,**} rw,
+ owner @{user_share_dirs}/Mousepad/** rwk,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce
index 19bc3559..b1acb5f1 100644
--- a/apparmor.d/groups/xfce/startxfce
+++ b/apparmor.d/groups/xfce/startxfce
@@ -27,7 +27,7 @@ profile startxfce @{exec_path} {
 /etc/X11/xinit/xinitrc.d/{,**} r,
 /etc/xdg/xfce4/{,**} r,
- profile systemctl {
+ profile systemctl flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index d355c5bf..21cf4e22 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -19,11 +19,13 @@ profile thunar @{exec_path} {
 @{exec_path} mr,
- @{bin}/thunar-volman rPx,
- @{open_path} rPx -> child-open,
+ @{bin}/thunar-volman rPx,
+ @{bin}/dbus-launch rCx -> dbus,
+ @{open_path} rPx -> child-open,
 /usr/share/ r,
 /usr/share/anon-apps-config/share/{,**} r, #aa:only whonix
+ /usr/share/gvfs/{,**} r,
 /usr/share/Thunar/{,**} r,
 /etc/fstab r,
@@ -50,5 +52,14 @@ profile thunar @{exec_path} {
 owner @{PROC}/@{pid}/mountinfo r,
+ profile dbus {
+ include
+ include
+
+ @{bin}/dbus-launch mr,
+
+ include if exists
+ }
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd
index 016da78c..495a559a 100644
--- a/apparmor.d/groups/xfce/xfce-notifyd
+++ b/apparmor.d/groups/xfce/xfce-notifyd
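Review bot: The two enchant rules cover the same path: `owner @{user_config_dirs}/enchant/ rw,` is followed by `owner @{user_config_dirs}/enchant/ rwk,`, which merely restates the first with lock added, and nothing in the hunk grants access to the files enchant keeps inside that directory. By analogy with the `Mousepad/` + `Mousepad/**` pairs just above it, the second line was presumably meant to be `owner @{user_config_dirs}/enchant/** rwk,`. If the `**` was lost in rendering rather than in the commit, disregard.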
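Review bot: The new `profile dbus` child is declared without `flags=(attach_disconnected)`, while this same commit adds exactly that flag to xfce-session's `profile dbus` child; if the flag is needed for dbus-launch there it is probably needed here too, so either add it or leave a comment on why thunar's child differs. The child also shows only `@{bin}/dbus-launch mr,` plus two includes whose targets are not visible in this rendering; dbus-launch goes on to exec dbus-daemon (and, given a command argument, the program it is asked to launch), so confirm the included abstraction carries that exec rule or the child will be denied at its first real step.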
@@ -15,6 +15,13 @@ profile xfce-notifyd @{exec_path} {
 include
 include
+ # TODO: local only
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
 @{exec_path} mr,
 owner @{user_cache_dirs}/xfce4/notifyd/ rw,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index 2c7e65b6..a4278aa3 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/xfce4-session
-profile xfce-session @{exec_path} {
+profile xfce-session @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -47,20 +47,22 @@ profile xfce-session @{exec_path} {
 /etc/xdg/autostart/ r,
 /etc/xdg/autostart/*.desktop r,
+ owner @{user_cache_dirs}/sessions/{,**} rw,
+ owner @{tmp}/.xfsm-ICE-@{rand6} rw,
 owner @{PROC}/@{pid}/stat r,
 /dev/tty rw,
- profile systemctl {
+ profile systemctl flags=(attach_disconnected) {
 include
 include
 include if exists
 }
- profile dbus {
+ profile dbus flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop
index 9ca46c73..703fe593 100644
--- a/apparmor.d/groups/xfce/xfdesktop
+++ b/apparmor.d/groups/xfce/xfdesktop
@@ -22,7 +22,7 @@ profile xfdesktop @{exec_path} {
 /etc/fstab r,
- owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
 owner @{user_config_dirs}/Thunar/{,**} rw,
 owner @{user_config_dirs}/xfce4/desktop/{,**} rw,
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index c531089c..f27637ae 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -35,7 +35,7 @@ profile qemu-ga @{exec_path} {
 owner @{run}/qga.state* rw,
 @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/node*/meminfo r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
 owner @{PROC}/@{pid}/net/dev r,
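Review bot: The five `network` rules give a notification daemon unrestricted IPv4/IPv6 stream and datagram sockets, and the `# TODO: local only` above them concedes this is wider than intended, but the comment does not say what the daemon needs the network for, which is exactly what the next person needs in order to narrow it. Record the denial or feature behind it, e.g. `# TODO: local only — <what xfce4-notifyd opens the socket for>; restrict to loopback once address conditions are usable`. `network netlink raw,` is typically what GLib's network-change monitor opens, so if that monitor is the only consumer the inet rules may not be needed at all; and where the AppArmor 4 toolchain in use supports address conditions, rules of the form `network inet stream peer=(ip=127.0.0.1),` would close the TODO now rather than later.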
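Review bot: Adding `flags=(attach_disconnected)` to the main xfce-session profile (and, in the next hunk, to its systemctl and dbus children; startxfce's child gets the same in this commit) is the usual answer to a disconnected-path denial, but none of the three places says which denial prompted it. attach_disconnected makes paths outside the namespace appear rooted at `/`, so existing rules can match files they were not written for; it should carry a comment naming the path that needed it, e.g. `# attach_disconnected: <path> reported as disconnected during <operation>`, so the flag is not copied into further profiles without the same need.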
diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo
index 56f1152e..0132cbe9 100644
--- a/apparmor.d/profiles-m-r/repo
+++ b/apparmor.d/profiles-m-r/repo
@@ -7,8 +7,6 @@ abi ,
 include
-@{ANDROID_SOURCE_DIR} = @{MOUNTS}/Android/
-
 @{exec_path} = @{bin}/repo
 profile repo @{exec_path} {
 include
@@ -23,55 +21,44 @@ profile repo @{exec_path} {
 network netlink raw,
 @{exec_path} r,
- @{bin}/python3.@{int} rix,
- @{bin}/ r,
- @{bin}/env rix,
- @{sh_path} rix,
- @{bin}/uname rix,
+ @{sh_path} rix,
+ @{bin}/ r,
+ @{bin}/curl rix,
+ @{bin}/env rix,
+ @{bin}/git rix,
+ @{bin}/python3.@{int} rix,
+ @{bin}/uname rix,
+ @{lib}/git{,-core}/git* rix,
- @{bin}/git rix,
- @{lib}/git{,-core}/git* rix,
-
- @{bin}/curl rCx -> curl,
- @{bin}/gpg{,2} rCx -> gpg,
- @{bin}/ssh rPx,
-
- # Android source dir
- owner @{ANDROID_SOURCE_DIR}/** rwkl -> @{ANDROID_SOURCE_DIR}/**,
- owner @{ANDROID_SOURCE_DIR}/**/.repo/repo/main.py rix,
-
- owner @{HOME}/.repoconfig/{,**} rw,
- owner @{HOME}/.repo_.gitconfig.json rw,
-
- owner @{user_config_dirs}/git/config rw,
- owner @{HOME}/.gitconfig rw,
- owner @{HOME}/.gitconfig.lock rwk,
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/ssh rPx,
 /usr/share/git-core/{,**} r,
+ # Android source dir
+ owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
+ owner @{user_projects_dirs}/**/.repo/repo/main.py rix,
+
+ owner @{HOME}/.gitconfig rw,
+ owner @{HOME}/.gitconfig.lock rwk,
+ owner @{HOME}/.repo_.gitconfig.json rw,
+ owner @{HOME}/.repoconfig/{,**} rw,
+
+ owner @{user_config_dirs}/git/config rw,
+
 owner @{tmp}/.git_vtag_tmp@{rand6} rw,
 owner @{tmp}/ssh-*/ rw,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mounts r,
-
 owner /dev/shm/* rw,
 owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*, # unconventional '_' tail
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
 # Silencer
 deny /etc/.repo_gitconfig.json w,
-
- profile curl {
- include
- include
- include
-
- @{bin}/curl mr,
-
- }
-
 profile gpg {
 include
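Review bot: `@{bin}/curl rix,` replaces the `rCx -> curl` child profile that this hunk deletes, so curl now runs with repo's entire rule set — `network netlink raw`, and after this hunk read/write/link across all of `@{user_projects_dirs}/**`, the gitconfig files and /dev/shm — instead of the few abstractions the child included. If the child was dropped because curl must write a fetched file into the project tree, giving the child that one write rule would keep the boundary; otherwise please say in the commit why inheritance is acceptable for a network client. The hunk also keeps `owner @{user_projects_dirs}/**/.repo/repo/main.py rix,`, i.e. any checked-out launcher under any project directory is executed under this profile; that is how repo works, but with the broader `@{user_projects_dirs}` replacing `@{MOUNTS}/Android/` it deserves a one-line comment.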
@@ -82,6 +69,7 @@ profile repo @{exec_path} {
 owner @{tmp}/.git_vtag_tmp@{rand6} r,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip
index 68258cae..192f1710 100644
--- a/apparmor.d/profiles-s-z/xclip
+++ b/apparmor.d/profiles-s-z/xclip
@@ -1,25 +1,22 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
-# 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Version of program profiled: 0.13
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
 abi ,
+ include
 @{exec_path} = @{bin}/xclip
 profile xclip @{exec_path} {
 include
+ include
 network unix stream,
 @{exec_path} mr,
- owner @{tmp}/mutt-* rw,
- owner @{tmp}/xauth_@{rand6} r,
-
- owner @{HOME}/.Xauthority r,
-
 deny /dev/tty rw,
+
+ include if exists
 }
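Review bot: The SPDX identifier changes from `GPL-3.0-only` to `GPL-2.0-only` while the `Copyright (C) 2020 krathalan` line is kept, and relicensing another author's contribution needs that author's consent; nothing in the hunk records it, so either reference the consent in the commit message or keep the original licence on this file. Separately, the rules for `@{HOME}/.Xauthority` and `@{tmp}/xauth_@{rand6}` are removed in favour of an include whose target is not visible in this rendering; confirm the included abstraction supplies the Xauthority read, since xclip cannot open the display without it.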