diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index 39988d60..21649e8d 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -19,6 +19,3 @@ ptrace (readby) peer=systemd-coredump,
- # Allow to write a user defined fifo log devices
- owner /dev/log-xsession w,
- owner /dev/log-gnupg w,
diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk
index b4f0b921..817e4fc6 100644
--- a/apparmor.d/abstractions/dbus-gtk
+++ b/apparmor.d/abstractions/dbus-gtk
@@ -44,3 +44,6 @@ interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} peer=(name=org.a11y.atspi.Registry),
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common
index 6f6ce8b5..fcbf16eb 100644
--- a/apparmor.d/abstractions/systemd-common
+++ b/apparmor.d/abstractions/systemd-common
@@ -1,18 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 ptrace (read),
- owner @{PROC}/@{pid}/stat r,
+ @{PROC}/1/cgroup r,
 @{PROC}/1/environ r,
 @{PROC}/1/sched r,
- @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/stat r,
 /dev/kmsg w,
diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict
index 0f4d183e..315f81e0 100644
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,8 +11,4 @@ owner @{user_download_dirs}/ r,
 owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
- # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
- @{HOME}/mount-sshfs/ r,
- @{HOME}/mount-sshfs/** rwl,
- include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 58aa25a7..c15aca6f 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -88,7 +88,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
 owner @{user_cache_dirs}/thumbnails/{,**} rw,
 owner @{user_config_dirs}/gnome-control-center/{,**} rw,
- owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+ owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
 owner @{user_config_dirs}/mimeapps.list.* rw,
 owner @{user_share_dirs}/backgrounds/{,**} rw,
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 879199f5..2415744d 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
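Review bot: The replacement `owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,` relies on a `@{hex}` variable whose definition is not part of this diff, so the profile will not load if the tunable defining it is not included, and the match only stays equivalent to the old `[0-9a-f]*` if that definition carries the same character class and the trailing `*`. The same substitution is made in amarok (`[0-9]*@@{hex}`), sddm-greeter and sddm-xsession (`SecureBoot-@{hex}-@{hex}-@{hex}@{hex}`, which matches the old pattern only if `@{hex}` ends in a glob), and libvirtd introduces `@{uuid}` under the same assumption. A one-line comment at the first use, e.g. `# @{hex} is defined in the global tunables and must expand to a glob`, would make the dependency visible to the next reader. The enclosing profile starts and ends outside the hunk.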
@@ -16,15 +16,36 @@ profile aurpublish @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/gettext rix,
 /{usr/,}bin/git rPx,
- /{usr/,}bin/makepkg rUx,
+ /{usr/,}bin/gpg rPUx,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/makepkg rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/nproc rix,
 /{usr/,}bin/rm rix,
+ /{usr/,}bin/sha512sum rix,
 /{usr/,}bin/wc rix,
+ /usr/share/makepkg/{,**} r,
+
+ /etc/makepkg.conf r,
+
+ owner @{user_build_dirs}/**/ w,
 owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
 owner @{user_projects_dirs}/**/.SRCINFO rw,
 owner @{user_projects_dirs}/**/PKGBUILD r,
+ owner @{user_cache_dirs}/makepkg/src/* r,
+ owner @{user_config_dirs}/pacman/makepkg.conf r,
+
+ owner /tmp/tmp.* rw,
+
+ owner @{PROC}/@{pid}/maps r,
 /dev/tty rw,
 include if exists
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
index 2ab10645..03762a1e 100644
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -24,8 +24,13 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/find rix,
 /{usr/,}bin/gawk rix,
 /{usr/,}bin/locate rix,
+ /{usr/,}bin/pacman rix,
 /{usr/,}bin/pacman-conf rPx,
+ /{usr/,}bin/pacsort rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
 /{usr/,}bin/tput rix,
+ /{usr/,}bin/vim rix,
 # packages files
 / r,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index 97c3a1f4..766c3750 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -19,7 +19,9 @@ profile apport-gtk @{exec_path} {
 include
 include
+ capability fowner,
 capability sys_ptrace,
+ capability syslog,
 network inet stream,
 network inet6 stream,
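Review bot: `/{usr/,}bin/makepkg rix` now runs makepkg, which sources and executes the PKGBUILD, inside aurpublish's own confinement instead of unconfined (`rUx`), so every helper makepkg spawns has to be listed here and anything outside that set is denied. The helpers added alongside it (chmod, date, gettext, mktemp, nproc, sha512sum) look like the footprint of .SRCINFO and checksum generation rather than a full build, which is worth recording, e.g. `# makepkg is only used to regenerate .SRCINFO and checksums here, not to build packages`. `/{usr/,}bin/gpg rPUx` falls back to unconfined whenever no gpg profile is loaded; if the repository ships one, `rPx` makes that dependency explicit instead of silent. `owner @{user_build_dirs}/**/ w,` grants directory creation only, which reads as intentional but deserves a comment so it is not later widened to `rw` by reflex. The profile body continues past the hunk.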
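Review bot: `/{usr/,}bin/vim rix` and `/{usr/,}bin/pacman rix` run an interactive editor and the package manager under pacdiff's own profile, so every rule pacdiff holds (including the `/ r,` under `# packages files` and the attach_disconnected flag) also applies to them and to whatever vim spawns through `:!` or `:shell`. Since pacdiff is normally run as root, a child profile for the editor (`rCx -> vim`, with the child defined in this file) and `rPx` for pacman, if a pacman profile exists, would stop a shell escape from inheriting pacdiff's whole rule set. If they are meant to stay inline, say why, e.g. `# TODO(review): confirm pacman and vim must run inline (ix) rather than in their own profiles`. The profile body continues past the hunk.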
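Review bot: `capability fowner,` and `capability syslog,` are added without any comment saying which operation needs them; fowner bypasses the owner checks on chmod/utime/xattr operations against files the process does not own, and syslog grants privileged kernel log access, so both widen a GUI crash reporter well beyond reading crash files. If the trigger is one of the privileged helpers the profile launches (pkexec, or the root_info_wrapper added in the next hunk), the capability more likely belongs on that helper's profile than on apport-gtk itself. Record the justification inline, e.g. `capability fowner, # TODO(review): which file operation needs this?` and the same for syslog, so the rules can be re-evaluated later. The profile starts and ends outside the hunk.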
@@ -28,26 +30,28 @@ profile apport-gtk @{exec_path} {
 @{exec_path} mr,
+ @{libexec}/colord-sane rPx,
 /{usr/,}{s,}bin/killall5 rix,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{f,}grep rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/ischroot rix,
- /{usr/,}bin/ldd rix,
- /{usr/,}bin/md5sum rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}lib/@{multiarch}/ld*.so* rix,
- /{usr/,}bin/dpkg-query rpx,
- /{usr/,}bin/pkexec rPx, # TODO: rCx or something
 /{usr/,}bin/apt-cache rPx,
+ /{usr/,}bin/cut rix,
 /{usr/,}bin/dpkg rPx,
 /{usr/,}bin/dpkg-divert rPx,
+ /{usr/,}bin/dpkg-query rpx,
 /{usr/,}bin/gdb rCx -> gdb,
 /{usr/,}bin/gsettings rPx,
+ /{usr/,}bin/ischroot rix,
 /{usr/,}bin/journalctl rPx,
 /{usr/,}bin/kmod rPx,
+ /{usr/,}bin/ldd rix,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/md5sum rix,
+ /{usr/,}bin/pkexec rPx, # TODO: rCx or something
 /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/which{,.debianutils} rix,
+ /{usr/,}lib/@{multiarch}/ld*.so* rix,
+ /usr/share/apport/root_info_wrapper rix,
 /usr/share/alsa/{,**} r,
 /usr/share/apport/{,**} r,
@@ -68,11 +72,13 @@ profile apport-gtk @{exec_path} {
 /var/crash/{,*.@{uid}.crash} rw,
 /var/lib/dpkg/info/ r,
 /var/lib/dpkg/info/*.list r,
+ /var/lib/usbutils/*.ids r,
 /var/lib/dpkg/info/*.md5sums r,
 /var/log/installer/media-info r,
 @{run}/snapd.socket rw,
 owner @{run}/user/@{uid}/wayland-[0-9] rw,
+ owner @{run}/user/.mutter-Xwaylandauth.* rw,
 /tmp/[a-z0-9]* rw,
 /tmp/apport_core_* rw,
@@ -99,6 +105,8 @@ profile apport-gtk @{exec_path} {
 /{usr/,}bin/iconv rix,
 /{usr/,}{s,}bin/* r,
+ /usr/share/gcc/python/**/__pycache__/{,**} rw,
+ /usr/share/gdb/{,**} r,
 /usr/share/themes/{,**} r,
 /usr/share/gnome-shell/{,**} r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 4a3f57be..37ef9d7a 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
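Review bot: `/usr/share/gcc/python/**/__pycache__/{,**} rw,` in the last hunk grants write access under /usr/share, so a process running in this profile can leave `.pyc` files that the Python interpreter (presumably gdb's embedded Python, given the adjacent `/usr/share/gdb/{,**} r,`) loads in place of the source on later runs; a write grant into a system code directory is a persistence foothold, not merely a cache. Prefer `r` only, since the interpreter silently skips writing the cache when the directory is not writable, or an explicit `deny /usr/share/gcc/python/**/__pycache__/{,**} w,` to quiet the log; if writes really are needed, say why inline, e.g. `# gdb's python writes bytecode caches here; PYTHONDONTWRITEBYTECODE would avoid this`. The enclosing profile starts and ends outside the hunk, so whether these lines sit in the gdb child profile cannot be confirmed from here.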
@@ -130,6 +130,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /usr/share/qemu/{,**} r,
+ /etc/apparmor.d/libvirt/libvirt-@{uuid} r,
 /etc/libvirt/{,**} rw,
 /etc/mdevctl.d/{,**} r,
 /etc/xml/catalog r,
diff --git a/apparmor.d/profiles-a-f/amarok b/apparmor.d/profiles-a-f/amarok
index b562dcf5..2a5bd0bd 100644
--- a/apparmor.d/profiles-a-f/amarok
+++ b/apparmor.d/profiles-a-f/amarok
@@ -107,7 +107,7 @@ profile amarok @{exec_path} {
 owner @{HOME}/.kde{,4}/share/apps/amarok/ rw,
 owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/ rw,
 owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/ rw,
- owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@[0-9a-f]* rw,
+ owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@@{hex} rw,
 owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw,
 owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw,
diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt
index 36c2cea5..3180ef65 100644
--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@@ -7,10 +7,12 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/findmnt
-profile findmnt @{exec_path} flags=(complain) {
+profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
 include
 include
+ capability dac_read_search,
+
 @{exec_path} mr,
 /etc/fstab r,
@@ -18,5 +20,7 @@ profile findmnt @{exec_path} flags=(complain) {
 @{PROC}/@{pids}/mountinfo r,
+ deny /apparmor/.null rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 045dfdad..a82c49dd 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -65,6 +65,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 @{exec_path} mr,
+ /{usr/,}lib/fwupd/fwupd-detect-cet rix,
+
 /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/gpgconf rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
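Review bot: `capability dac_read_search,` in the findmnt hunk lets the tool bypass directory read and search permission checks system-wide, and nothing in the hunk says which path triggers it; the file rules visible here (`/etc/fstab r,`, `@{PROC}/@{pids}/mountinfo r,`) do not obviously need it. Because the profile stays in complain mode (`flags=(attach_disconnected,complain)`), this reads like a rule lifted straight from a log entry that a narrower file rule might satisfy; add the originating path as a comment, e.g. `capability dac_read_search, # TODO(review): needed for <path from the denial log>`, so it can be rechecked before enforcing. The second findmnt hunk's `deny /apparmor/.null rw,` is the usual companion of attach_disconnected and would benefit from the same one-line explanation.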
diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build
index a26157b8..da0fd3a3 100644
--- a/apparmor.d/profiles-m-r/plocate-build
+++ b/apparmor.d/profiles-m-r/plocate-build
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}sbin/plocate-build
+@{exec_path} = /{usr/,}{s,}bin/plocate-build
 profile plocate-build @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/sddm-greeter b/apparmor.d/profiles-s-z/sddm-greeter
index bf271b1e..b05ba000 100644
--- a/apparmor.d/profiles-s-z/sddm-greeter
+++ b/apparmor.d/profiles-s-z/sddm-greeter
@@ -58,9 +58,9 @@ profile sddm-greeter @{exec_path} {
 owner @{user_cache_dirs}/qtshadercache/ rw,
 owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
 owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
 owner @{user_config_dirs}/qt5ct/{,**} r,
 /usr/share/qt5ct/** r,
diff --git a/apparmor.d/profiles-s-z/sddm-xsession b/apparmor.d/profiles-s-z/sddm-xsession
index 13dc21b7..a3446bdd 100644
--- a/apparmor.d/profiles-s-z/sddm-xsession
+++ b/apparmor.d/profiles-s-z/sddm-xsession
@@ -121,7 +121,7 @@ profile sddm-xsession @{exec_path} {
 @{PROC}/1/environ r,
 @{PROC}/sys/kernel/osrelease r,
- @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*[0-9a-f]* r,
+ @{sys}/firmware/efi/efivars/SecureBoot-@{hex}-@{hex}-@{hex}@{hex} r,
 @{sys}/bus/ r,
 @{sys}/bus/*/devices/ r,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index e5885ce2..b098df0c 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -105,6 +105,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/pfx/**.dll rm,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/{,**} r,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/**.so* mr,
+ @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
+ @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,
 @{run}/host/usr/bin/ldconfig rix,
 @{run}/host/usr/lib{,32,64}/**.so* rm,
@@ -141,6 +143,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/Steam/ r,
 owner @{user_share_dirs}/Steam/* r,
 owner @{user_share_dirs}/Steam/*log* rw,
+ owner @{user_share_dirs}/Steam/config/config.vdf* rw,
+ owner @{user_share_dirs}/Steam/logs/{,*} rw,
 owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw,
 owner @{user_share_dirs}/Steam/steamapps/ r,
 owner @{user_share_dirs}/Steam/steamapps/common/ r,
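Review bot: `@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix` makes every file under a user-owned runtime tree both mappable and executable inline, so anything written into that `lib` or `libexec` subtree (by the user, or by a game that can write there) runs with this profile's full rule set. The `ix` part is what widens it; if only the runtime's helper executables are needed, restricting the pattern to the helpers actually observed in the denials, or giving them a child profile, keeps the rest of `lib/**` at `mr` like the `**.so* mr` rule above it. A comment naming the helper that prompted the rule would also help, e.g. `# executables shipped inside the Steam runtime, launched via steam-launch-wrapper`. The enclosing profile starts and ends outside the hunk.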