From 969292675227d39c242a42a8cebb7e20af47eda2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 18 Jul 2022 23:57:25 +0100
Subject: [PATCH] feat(profiles): general update.
---
 .../abstractions/dbus-session-strict.d/complete | 9 +++------
 apparmor.d/abstractions/lxc/start-container | 2 +-
 apparmor.d/groups/apt/apt | 2 ++
 apparmor.d/groups/apt/unattended-upgrade | 6 +-----
 apparmor.d/groups/bus/dbus-daemon | 2 ++
 apparmor.d/groups/freedesktop/at-spi-bus-launcher | 1 +
 apparmor.d/groups/freedesktop/geoclue | 2 +-
 apparmor.d/groups/gnome/gnome-session-binary | 3 ++-
 apparmor.d/groups/gnome/gnome-shell | 2 +-
 apparmor.d/groups/gnome/gsd-color | 11 +++-------
 apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 ++
 apparmor.d/groups/ubuntu/software-properties-gtk | 1 +
 apparmor.d/profiles-g-l/hugo | 13 ++++++++++---
 13 files changed, 30 insertions(+), 26 deletions(-)
diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete
index 1dc40e4c..2bb0b4a8 100644
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@@ -2,13 +2,10 @@
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- unix (connect, send, receive, accept)
- type=stream
- addr="@/tmp/dbus-*",
+ unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
+ unix (bind, listen) type=stream addr="@/tmp/dbus-*",
- unix (connect, receive, send, accept)
- type=stream
- peer=(addr="@/tmp/dbus-*"),
+ unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
 owner @{run}/user/@{uid}/at-spi/ rw,
 owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
diff --git a/apparmor.d/abstractions/lxc/start-container b/apparmor.d/abstractions/lxc/start-container
index 9b9bdd43..9e2e8f2e 100644
--- a/apparmor.d/abstractions/lxc/start-container
+++ b/apparmor.d/abstractions/lxc/start-container
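Review bot: The added `unix (bind, listen) type=stream addr="@/tmp/dbus-*",` lets any profile that pulls in this drop-in create its own listening socket under the session-bus address pattern, something the surrounding connect/send/receive/accept rules did not allow; a confined process could then present a socket named like the bus to other local clients. bind/listen is only needed by whatever process actually spawns a bus (the at-spi lines right below suggest that is the intended consumer), so the line belongs in that specific profile rather than in a shared abstraction. If it must stay here, add `# bind/listen is only required by profiles that spawn their own bus on @/tmp/dbus-*` above it so the widening is visible to readers.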
@@ -11,7 +11,7 @@
 # currently blocked by apparmor bug
 mount -> /usr/lib*/*/lxc/{**,},
 mount -> /usr/lib*/lxc/{**,},
- mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
+ mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
 mount fstype=devpts -> /dev/pts/,
 mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
 mount options=bind /dev/pts/** -> /dev/**,
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 017fd58e..d81143b6 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -29,6 +29,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 signal (send) peer=apt-methods-*,
+ unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
+
 dbus send bus=system path=/org/freedesktop/PackageKit
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index fa80efa9..1961f712 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -34,11 +34,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.login[0-9].Manager
 member=Inhibit,
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
+ dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Properties
 member={PropertiesChanged,GetAll},
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 13411ae8..ec863a5a 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
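Review bot: The merged `dbus (send,receive)` rule in unattended-upgrade now grants send for both `PropertiesChanged` and `GetAll` on `/org/freedesktop/NetworkManager` with no `peer=` constraint, whereas the two rules it replaces only permitted receiving; a client profile has no reason to emit a `PropertiesChanged` signal. Keep the send side to the method the process actually calls and pin it to the service, e.g. `dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.NetworkManager),`, and leave the receive of `{PropertiesChanged,GetAll}` as its own rule. The enclosing profile block starts before this hunk.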
@@ -46,6 +46,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
 /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
+ /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
+
 /etc/dbus-1/{,**} r,
 /usr/share/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index de6d51d8..c663b666 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -17,6 +17,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term hup kill) peer=dbus-daemon,
 signal (receive) set=(term hup kill) peer=gdm*,
+ signal (receive) set=(term hup kill) peer=gnome-session-binary,
 signal (send) set=(term hup kill) peer=dbus-daemon,
 network inet stream,
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index 8b4fafa4..0fbe6c05 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -51,7 +51,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.NetworkManager
- member={CheckPermissions,StateChanged},
+ member={CheckPermissions,StateChanged,PropertiesChanged},
 dbus bind bus=system name=org.freedesktop.GeoClue2,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 50ae01f2..6362ac80 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
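Review bot: `/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,` in dbus-daemon transitions to a profile attached to that path, but no such profile is part of this patch; if it does not already exist in the tree, the exec is refused outright instead of falling back to unconfined the way the neighbouring `rPUx` entries do. Confirm the target profile is present, or add it in the same change so the activation does not silently break. The enclosing profile block starts before this hunk.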
@@ -25,8 +25,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network netlink raw,
- signal (send) set=(term) peer=gsd-*,
 signal (receive) set=(term, hup) peer=gdm*,
+ signal (send) set=(term) peer=at-spi-bus-launcher,
+ signal (send) set=(term) peer=gsd-*,
 dbus send bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index cb04fd5d..978e949d 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -124,7 +124,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,
 /opt/*/**/*.png r,
- /snap/*/@{uid}/*.png r,
+ /snap/*/@{uid}/**.png r,
 /usr/share/backgrounds/{,**} r,
 /usr/share/dconf/profile/gdm r,
 /usr/share/desktop-directories/{,*.directory} r,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 18f0eec6..e2d9852b 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -18,18 +18,13 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus (send, receive) bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager,
+
 dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*}
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
- dbus send bus=system path=/org/freedesktop/ColorManager
- interface=org.freedesktop.ColorManager
- member={FindDeviceByProperty,GetDevices,CreateDevice},
-
- dbus receive bus=system path=/org/freedesktop/ColorManager
- interface=org.freedesktop.ColorManager
- member={DeviceAdded,ProfileAdded},
-
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook
index 97ab7349..d44f5110 100644
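Review bot: `/snap/*/@{uid}/**.png r,` in gnome-shell appears to use `@{uid}` to match the second path component under `/snap/`, which for snaps is a revision directory rather than a user id; it presumably works only because the variable expands to a numeric glob here, and it misleads the next reader about what is being matched. Spell the intent out, e.g. `/snap/*/[0-9]*/**.png r,`, or keep the variable and add `# second component is the snap revision, not a uid` above the line.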
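Review bot: The new `dbus (send, receive) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager,` rule in gsd-color drops the member lists the removed rules carried (`member={FindDeviceByProperty,GetDevices,CreateDevice}` for send, `member={DeviceAdded,ProfileAdded}` for receive), so the profile may now call every method on that interface and receive every signal on it, with — as before — no `peer=` restriction. If the old lists were found incomplete, the fix is to add the members that were actually denied and, ideally, pin the send side with `peer=(name=org.freedesktop.ColorManager)`, not to remove the filter; if the widening is deliberate, a comment stating why belongs next to the rule. The enclosing profile block starts before this hunk.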
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@@ -11,6 +11,8 @@ profile apt-esm-json-hook @{exec_path} {
 include
 include
+ unix (receive, send) type=stream peer=(label=apt),
+
 @{exec_path} mr,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index 1d5a0e58..1f0d4603 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -21,6 +21,7 @@ profile software-properties-gtk @{exec_path} {
 /{usr/,}bin/aplay rPx,
 /{usr/,}bin/apt-key rPx,
 /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/ischroot rix,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/ubuntu-advantage rPx,
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index 7482a9f0..3e298ef3 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -10,23 +10,30 @@ include
 @{exec_path} = /{usr/,}bin/hugo
 profile hugo @{exec_path} {
 include
+ include
+ include
 network inet stream,
 network inet6 stream,
 @{exec_path} mr,
- /{usr/,}bin/git rPx,
+ /{usr/,}bin/git rix,
+ /{usr/,}lib/go/bin/go rix,
+ /{usr/,}lib/git-core/git-remote-http rix,
+ /usr/share/git-core/{,**} r,
 /usr/share/mime/{,**} r,
+ /usr/share/terminfo/x/xterm-256color r,
 /etc/mime.types r,
 owner @{user_projects_dirs}/{,**} rw,
 owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
+ owner @{user_projects_dirs}/**/go.{mod,sum} rwk,
- owner /tmp/hugo_cache/ rw,
- owner /tmp/hugo_cache/**/ rw,
+ owner /tmp/hugo_cache/{,**} rwk,
+ owner /tmp/go-codehost-[0-9]* rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
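Review bot: Replacing `/{usr/,}bin/git rPx,` with `/{usr/,}bin/git rix,` (and adding `go` and `git-remote-http` with `rix`) in hugo runs those tools inside hugo's own profile, so content they fetch over the `network inet` rules is processed with hugo's full rule set, including `rw` over all of `@{user_projects_dirs}/{,**}` and the `/tmp` paths, instead of the profile attached to git that the old line transitioned to. Prefer restoring `rPx` for git and, if go genuinely needs hugo's project paths, a child profile in the style of the `rPx -> child-dpkg` transition used elsewhere in this patch, with its own tighter rules. Separately, `owner /tmp/go-codehost-[0-9]* rw,` has no trailing `/` or `{,/**}`, so if go creates that path as a directory its contents are not covered; check this against the denials that motivated the rule. The profile body continues past the end of the hunk.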