feat(profiles): general update.

2024-11-15 07:54:17 +01:00 · 2022-09-11 20:45:14 +01:00 · 2022-09-11 20:45:14 +01:00 · 8ff5ed7a69
commit 8ff5ed7a69
parent 8fb8e7ced3
16 changed files with 68 additions and 25 deletions
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -19,6 +19,3 @@

  ptrace (readby) peer=systemd-coredump,

-  # Allow to write a user defined fifo log devices
-  owner /dev/log-xsession w,
-  owner /dev/log-gnupg w,
--- a/apparmor.d/abstractions/dbus-gtk
+++ b/apparmor.d/abstractions/dbus-gtk
@ -44,3 +44,6 @@
       interface=org.a11y.atspi.DeviceEventController
       member={GetKeystrokeListeners,GetDeviceEventListeners}
       peer=(name=org.a11y.atspi.Registry),
+
+  # Include additions to the abstraction
+  include if exists <abstractions/dbus-gtk.d>
--- a/apparmor.d/abstractions/systemd-common
+++ b/apparmor.d/abstractions/systemd-common
@ -1,18 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,

  ptrace (read),

-  owner @{PROC}/@{pid}/stat r,
+        @{PROC}/1/cgroup r,
        @{PROC}/1/environ r,
        @{PROC}/1/sched r,
-        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/stat r,

  /dev/kmsg w,

--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,
@ -10,8 +11,4 @@
  owner @{user_download_dirs}/ r,
  owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,

-  # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
-        @{HOME}/mount-sshfs/ r,
-        @{HOME}/mount-sshfs/** rwl,
-
  include if exists <abstractions/user-download-strict.d>
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -88,7 +88,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
  owner @{user_cache_dirs}/thumbnails/{,**} rw,
  owner @{user_config_dirs}/gnome-control-center/{,**} rw,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
  owner @{user_config_dirs}/mimeapps.list.* rw,
  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -16,15 +16,36 @@ profile aurpublish @{exec_path} {

  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/cat         rix,
+  /{usr/,}bin/chmod       rix,
+  /{usr/,}bin/date        rix,
+  /{usr/,}bin/gettext     rix,
  /{usr/,}bin/git         rPx,
-  /{usr/,}bin/makepkg     rUx,
+  /{usr/,}bin/gpg         rPUx,
+  /{usr/,}bin/grep        rix,
+  /{usr/,}bin/makepkg     rix,
+  /{usr/,}bin/mkdir       rix,
+  /{usr/,}bin/mktemp      rix,
+  /{usr/,}bin/nproc       rix,
  /{usr/,}bin/rm          rix,
+  /{usr/,}bin/sha512sum   rix,
  /{usr/,}bin/wc          rix,

+  /usr/share/makepkg/{,**} r,
+
+  /etc/makepkg.conf r,
+
+  owner @{user_build_dirs}/**/ w,
  owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
  owner @{user_projects_dirs}/**/.SRCINFO rw,
  owner @{user_projects_dirs}/**/PKGBUILD r,

+  owner @{user_cache_dirs}/makepkg/src/* r,
+  owner @{user_config_dirs}/pacman/makepkg.conf r,
+
+  owner /tmp/tmp.* rw,
+
+  owner @{PROC}/@{pid}/maps r,
+
  /dev/tty rw,

  include if exists <local/aurpublish>
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@ -24,8 +24,13 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/find         rix,
  /{usr/,}bin/gawk         rix,
  /{usr/,}bin/locate       rix,
+  /{usr/,}bin/pacman       rix,
  /{usr/,}bin/pacman-conf  rPx,
+  /{usr/,}bin/pacsort      rix,
+  /{usr/,}bin/rm           rix,
+  /{usr/,}bin/sed          rix,
  /{usr/,}bin/tput         rix,
+  /{usr/,}bin/vim          rix,

  # packages files
  / r,
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -19,7 +19,9 @@ profile apport-gtk @{exec_path} {
  include <abstractions/python>
  include <abstractions/ssl_certs>

+  capability fowner,
  capability sys_ptrace,
+  capability syslog,

  network inet stream,
  network inet6 stream,
@ -28,26 +30,28 @@ profile apport-gtk @{exec_path} {

  @{exec_path} mr,

+  @{libexec}/colord-sane            rPx,
  /{usr/,}{s,}bin/killall5          rix,
  /{usr/,}bin/{,ba,da}sh            rix,
  /{usr/,}bin/{f,}grep              rix,
-  /{usr/,}bin/cut                   rix,
-  /{usr/,}bin/ischroot              rix,
-  /{usr/,}bin/ldd                   rix,
-  /{usr/,}bin/md5sum                rix,
-  /{usr/,}bin/which{,.debianutils}  rix,
-  /{usr/,}lib/@{multiarch}/ld*.so*  rix,
-  /{usr/,}bin/dpkg-query            rpx,
-  /{usr/,}bin/pkexec                rPx, # TODO: rCx or something
  /{usr/,}bin/apt-cache             rPx,
+  /{usr/,}bin/cut                   rix,
  /{usr/,}bin/dpkg                  rPx,
  /{usr/,}bin/dpkg-divert           rPx,
+  /{usr/,}bin/dpkg-query            rpx,
  /{usr/,}bin/gdb                   rCx -> gdb,
  /{usr/,}bin/gsettings             rPx,
+  /{usr/,}bin/ischroot              rix,
  /{usr/,}bin/journalctl            rPx,
  /{usr/,}bin/kmod                  rPx,
+  /{usr/,}bin/ldd                   rix,
  /{usr/,}bin/lsb_release           rPx -> lsb_release,
+  /{usr/,}bin/md5sum                rix,
+  /{usr/,}bin/pkexec                rPx, # TODO: rCx or something
  /{usr/,}bin/systemctl             rPx -> child-systemctl,
+  /{usr/,}bin/which{,.debianutils}  rix,
+  /{usr/,}lib/@{multiarch}/ld*.so*  rix,
+  /usr/share/apport/root_info_wrapper rix,

  /usr/share/alsa/{,**} r,
  /usr/share/apport/{,**} r,
@ -68,11 +72,13 @@ profile apport-gtk @{exec_path} {
  /var/crash/{,*.@{uid}.crash} rw,
  /var/lib/dpkg/info/ r,
  /var/lib/dpkg/info/*.list r,
+  /var/lib/usbutils/*.ids r,
  /var/lib/dpkg/info/*.md5sums r,
  /var/log/installer/media-info r,

        @{run}/snapd.socket rw,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,
+  owner @{run}/user/.mutter-Xwaylandauth.* rw,

  /tmp/[a-z0-9]* rw,
  /tmp/apport_core_* rw,
@ -99,6 +105,8 @@ profile apport-gtk @{exec_path} {
    /{usr/,}bin/iconv rix,
    /{usr/,}{s,}bin/* r,

+    /usr/share/gcc/python/**/__pycache__/{,**} rw,
+
    /usr/share/gdb/{,**} r,
    /usr/share/themes/{,**} r,
    /usr/share/gnome-shell/{,**} r,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -130,6 +130,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /usr/share/mime/mime.cache r,
  /usr/share/qemu/{,**} r,

+  /etc/apparmor.d/libvirt/libvirt-@{uuid} r,
  /etc/libvirt/{,**} rw,
  /etc/mdevctl.d/{,**} r,
  /etc/xml/catalog r,
--- a/apparmor.d/profiles-a-f/amarok
+++ b/apparmor.d/profiles-a-f/amarok
@ -107,7 +107,7 @@ profile amarok @{exec_path} {
  owner @{HOME}/.kde{,4}/share/apps/amarok/ rw,
  owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/ rw,
  owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/ rw,
-  owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@[0-9a-f]* rw,
+  owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@@{hex} rw,
  owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw,
  owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw,

--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@ -7,10 +7,12 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}bin/findmnt
-profile findmnt @{exec_path} flags=(complain) {
+profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability dac_read_search,
+
  @{exec_path} mr,

  /etc/fstab r,
@ -18,5 +20,7 @@ profile findmnt @{exec_path} flags=(complain) {
  
  @{PROC}/@{pids}/mountinfo r,

+  deny /apparmor/.null rw,
+
  include if exists <local/findmnt>
 }
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -65,6 +65,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {

  @{exec_path} mr,

+  /{usr/,}lib/fwupd/fwupd-detect-cet rix,
+
  /{usr/,}bin/gpg         rCx -> gpg,
  /{usr/,}bin/gpgconf     rCx -> gpg,
  /{usr/,}bin/gpgsm       rCx -> gpg,
--- a/apparmor.d/profiles-m-r/plocate-build
+++ b/apparmor.d/profiles-m-r/plocate-build
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}sbin/plocate-build
+@{exec_path} = /{usr/,}{s,}bin/plocate-build
 profile plocate-build @{exec_path} {
  include <abstractions/base>

--- a/apparmor.d/profiles-s-z/sddm-greeter
+++ b/apparmor.d/profiles-s-z/sddm-greeter
@ -58,9 +58,9 @@ profile sddm-greeter @{exec_path} {

  owner @{user_cache_dirs}/qtshadercache/ rw,
  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],

  owner @{user_config_dirs}/qt5ct/{,**} r,
  /usr/share/qt5ct/** r,
--- a/apparmor.d/profiles-s-z/sddm-xsession
+++ b/apparmor.d/profiles-s-z/sddm-xsession
@ -121,7 +121,7 @@ profile sddm-xsession @{exec_path} {
          @{PROC}/1/environ r,
          @{PROC}/sys/kernel/osrelease r,

-    @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*[0-9a-f]* r,
+    @{sys}/firmware/efi/efivars/SecureBoot-@{hex}-@{hex}-@{hex}@{hex} r,

    @{sys}/bus/ r,
    @{sys}/bus/*/devices/ r,
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -105,6 +105,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/pfx/**.dll rm,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/{,**} r,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/**.so*  mr,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,

  @{run}/host/usr/bin/ldconfig rix,
  @{run}/host/usr/lib{,32,64}/**.so* rm,
@ -141,6 +143,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/Steam/ r,
  owner @{user_share_dirs}/Steam/* r,
  owner @{user_share_dirs}/Steam/*log* rw,
+  owner @{user_share_dirs}/Steam/config/config.vdf* rw,
+  owner @{user_share_dirs}/Steam/logs/{,*} rw,
  owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw,
  owner @{user_share_dirs}/Steam/steamapps/ r,
  owner @{user_share_dirs}/Steam/steamapps/common/ r,