From 96b8f96137e4c60333739da07c63a7e34b0b7f2c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Aug 2023 23:23:47 +0100 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/abstractions/X-strict | 5 +- apparmor.d/abstractions/deny-sensitive-home | 4 +- apparmor.d/abstractions/systemd-common | 1 + .../groups/akonadi/akonadi_archivemail_agent | 4 +- .../groups/akonadi/akonadi_contacts_resource | 4 +- .../akonadi/akonadi_maildispatcher_agent | 2 + apparmor.d/groups/children/child-open | 2 +- apparmor.d/groups/children/child-systemctl | 1 + apparmor.d/groups/freedesktop/xhost | 12 +--- apparmor.d/groups/freedesktop/xkbcomp | 4 +- apparmor.d/groups/freedesktop/xrdb | 12 ++-- apparmor.d/groups/freedesktop/xwayland | 1 + apparmor.d/groups/kde/kconf_update | 61 +++++++++++++------ apparmor.d/groups/kde/kde-powerdevil | 8 +-- apparmor.d/groups/kde/kded5 | 19 +++--- apparmor.d/groups/kde/kioslave5 | 31 ++++++++-- apparmor.d/groups/kde/plasmashell | 14 +++-- apparmor.d/groups/kde/sddm | 11 +++- apparmor.d/groups/systemd/bootctl | 1 + apparmor.d/groups/systemd/systemd-homed | 2 - apparmor.d/groups/systemd/systemd-journald | 3 +- apparmor.d/groups/systemd/systemd-logind | 1 - apparmor.d/groups/systemd/systemd-machined | 2 - apparmor.d/groups/systemd/systemd-oomd | 3 +- apparmor.d/groups/systemd/systemd-resolved | 2 - apparmor.d/groups/systemd/systemd-timesyncd | 2 - .../groups/systemd/systemd-vconsole-setup | 2 +- apparmor.d/profiles-a-f/dumpe2fs | 2 +- apparmor.d/profiles-g-l/localepurge | 52 ++++++++-------- apparmor.d/profiles-m-r/needrestart | 1 + .../profiles-m-r/needrestart-apt-pinvoke | 5 ++ apparmor.d/profiles-s-z/steam | 40 ++++++------ apparmor.d/profiles-s-z/whiptail | 2 + 33 files changed, 185 insertions(+), 131 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 9a32f161..b493925a 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict 
@@ -13,6 +13,7 @@ unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", /tmp/.X11-unix/* rw, /tmp/.ICE-unix/* rw, + /tmp/.X{0,1}-lock rw, # Available Xsessions /usr/share/xsessions/{,*.desktop} r, @@ -23,10 +24,10 @@ # Xauthority files required for X connections, per user owner @{HOME}/.Xauthority r, - owner /tmp/xauth_@{rand6} r, + owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int}, owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, owner @{run}/user/@{uid}/X11/Xauthority r, - owner @{run}/user/@{uid}/xauth_@{rand6} rl, + owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, # Xwayland owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index dbc6afc8..389c0236 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -28,8 +28,8 @@ deny @{HOME}/.fetchmail* mrwkl, deny @{HOME}/.lesshst* mrwkl, deny @{HOME}/.mozilla/{,**} mrwkl, - deny @{HOME}/.mutt** mrwkl, - deny @{HOME}/.thunderbird mrwkl, + deny @{HOME}/.mutt* mrwkl, + deny @{HOME}/.thunderbird/{,**} mrwkl, deny @{HOME}/.viminfo* mrwkl, deny @{HOME}/.wget-hsts mrwkl, deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common index fcbf16eb..db222633 100644 --- a/apparmor.d/abstractions/systemd-common +++ b/apparmor.d/abstractions/systemd-common @@ -18,5 +18,6 @@ /dev/kmsg w, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, include if exists \ No newline at end of file diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index bbc76ba8..56396c49 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent 
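Review bot: In the deny-sensitive-home hunk, narrowing `deny @{HOME}/.mutt** mrwkl,` to `deny @{HOME}/.mutt* mrwkl,` stops covering anything inside a `.mutt/` directory, because a single `*` does not match `/`; only sibling files such as `.muttrc` stay denied. The thunderbird line right below shows the intended shape, so the mutt rule should probably become `deny @{HOME}/.mutt* mrwkl,` followed by `deny @{HOME}/.mutt/{,**} mrwkl,`. This abstraction exists to keep mail configuration (which commonly carries account credentials) away from every profile that includes it, and the regression is silent: nothing fails, the access just succeeds.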
@@ -46,7 +46,9 @@ profile akonadi_archivemail_agent @{exec_path} { owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - + + owner @{user_share_dirs}/akonadi/file_db_data/{,**} r, + @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index ba898500..e0a67c16 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource @@ -21,6 +21,7 @@ profile akonadi_contacts_resource @{exec_path} { @{exec_path} mr, + /usr/share/akonadi/plugins/serializer/{,*.desktop} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, @@ -39,7 +40,8 @@ profile akonadi_contacts_resource @{exec_path} { owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/contacts/ r, - + owner @{user_share_dirs}/contacts/*.vcf w, + @{PROC}/sys/kernel/core_pattern r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index 3477c53e..15ce2713 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent @@ -46,6 +46,8 @@ profile akonadi_maildispatcher_agent @{exec_path} { owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/specialmailcollectionsrc r, + owner @{user_share_dirs}/akonadi/file_db_data/{,**} r, + @{PROC}/sys/kernel/core_pattern r, /dev/tty r, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 78f472f2..ddd2f86b 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open 
@@ -88,7 +88,7 @@ profile child-open { @{bin}/thunderbird rPx, @{bin}/transmission-gtk rPx, @{bin}/viewnior rPUx, - @{bin}/vlc rPx, + @{bin}/vlc rPUx, @{bin}/xarchiver rPx, @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx, diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index 77a1f17f..6aab1225 100644 --- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl @@ -53,6 +53,7 @@ profile child-systemctl flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/stat r, /dev/kmsg w, diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index 76c3802c..a42124b9 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -10,20 +10,14 @@ include profile xhost @{exec_path} { include include - - unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg), + include @{exec_path} mr, - owner @{HOME}/.Xauthority r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - - /tmp/.X11-unix/* rw, - - # file_inherit - /dev/tty@{int} rw, owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, + # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 500e1070..289b3bff 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp 
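Review bot: Changing `@{bin}/vlc rPx,` to `@{bin}/vlc rPUx,` in child-open means that on a host where the vlc profile is not loaded, vlc now starts unconfined instead of being refused; the neighbouring `rPUx` entries for viewnior and libreoffice suggest this is deliberate, but it is a confinement trade-off that deserves a comment. A single line such as `# rPUx entries fall back to unconfined when the target profile is not installed` at the top of this list would make the rationale visible to the next reader without repeating it per entry.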
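Review bot: The xhost hunk replaces the explicit `unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),` rule and the Xauthority reads with an include whose target is not legible on this page. If that include is the X-strict abstraction, its hunk header on this page shows `unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",` with no `label=` constraint, so the peer-label restriction to xorg is dropped in the process; worth confirming that is acceptable for xhost, which edits the server's access-control list. A comment naming the abstraction that now supplies the socket and Xauthority rules would also help, since the removed lines were the only self-documenting part of the profile.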
@@ -10,11 +10,10 @@ include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + include - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive) type=stream addr=@/tmp/.X11-unix/X[0-9]* peer=(label=gsd-xsettings), @{exec_path} mr, @@ -23,7 +22,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /var/lib/xkb/server-@{int}.xkm w, /var/lib/xkb/compiled/server-@{int}.xkm rw, - owner @{HOME}/.Xauthority r, owner @{HOME}/*.{xkb,xkm} rw, owner @{user_share_dirs}/xorg/Xorg.@{int}.log w, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index a471fb2a..53fe9aeb 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -14,11 +14,11 @@ profile xrdb @{exec_path} { @{exec_path} mr, - @{bin}/{,*-}cpp-[0-9]* rix, - @{bin}/{,ba,da}sh rix, - @{bin}/cpp rix, - @{lib}/gcc/*/@{int}/cc1 rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,*-}cpp-[0-9]* rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cpp rix, + @{lib}/gcc/@{multiarch}/@{int}*/cc1 rix, + @{lib}/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, /usr/etc/X11/xdm/Xresources r, @@ -37,7 +37,7 @@ profile xrdb @{exec_path} { owner /tmp/plasma-apply-lookandfeel.* r, owner /tmp/runtime-*/xauth_@{rand6} r, owner /tmp/startplasma-x11.@{rand6} r, - owner /tmp/xauth-[0-9]*-_[0-9] r, + owner /tmp/xauth-@{int}-_[0-9] r, @{run}/sddm/\{@{uuid}\} r, @{run}/sddm/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 3b265384..0ffe712c 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland 
@@ -18,6 +18,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, + signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*", diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 7ffde8d1..dcef056d 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -9,6 +9,11 @@ include @{exec_path} = @{lib}/kf5/kconf_update profile kconf_update @{exec_path} { include + include + include + include + include + include include include 
@@ -35,32 +40,48 @@ profile kconf_update @{exec_path} { /etc/xdg/kdeglobals r, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/akregatorrc r, - owner @{user_config_dirs}/kateschemarc r, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kconf_updaterc r, - owner @{user_config_dirs}/kconf_updaterc.lock rk, - owner @{user_config_dirs}/kconf_updaterc* rwl, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals.lock rk, - owner @{user_config_dirs}/kdeglobals* rwl, - owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/kmixrc r, - owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/ksmserverrc r, - owner @{user_config_dirs}/kwinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/akregatorrc.lock rwk, + owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/dolphinrc.lock rwk, + owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kateschemarc.lock rwk, + owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kcminputrc.lock rwk, + owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kconf_updaterc.lock rwk, + owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kdedefaults/* r, + owner @{user_config_dirs}/kdeglobals.lock rwk, + owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, + owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/khotkeysrc.lock rwk, + owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> 
@{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kmixrc.lock rwk, + owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/konsolerc.lock rwk, + owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/krunnerrc.lock rwk, + owner @{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/krunnerstaterc.lock rwk, + owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kscreenlockerrc.lock rwk, + owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/ksmserverrc.lock rwk, + owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrulesrc rw, - owner @{user_config_dirs}/kwinrulesrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrulesrc.lock rwk, - owner @{user_config_dirs}/kxkbrc rw, - owner @{user_config_dirs}/kxkbrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kxkbrc.lock rwk, + owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/plasmashellrc r, + owner @{user_share_dirs}/#@{int} rw, + owner /tmp/#@{int} rw, - owner /tmp/kconf_update.@{rand6} rwl, + owner /tmp/kconf_update.@{rand6}.lock rwk, + owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int}, @{PROC}/@{sys}/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index d8c5e244..6fd737cb 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil 
@@ -32,12 +32,10 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/powerdevilrc rwl, owner @{user_config_dirs}/powerdevilrc.lock rwk, - owner @{user_config_dirs}/powermanagementprofilesrc r, - owner @{user_config_dirs}/powermanagementprofilesrc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, + owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, @{run}/systemd/inhibit/*.ref rw, owner @{run}/user/@{uid}kcrash_[0-9]* rw, @@ -49,7 +47,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/bus/ r, - @{sys}/devices/pci[0-9]*/@{int}/drm/card@{int}/*/status r, + @{sys}/devices/@{pci}/drm/card@{int}/*/status r, /dev/tty rw, /dev/rfkill r, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index ab66d94f..e2f5e834 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 
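Review bot: The context line `owner @{run}/user/@{uid}kcrash_[0-9]* rw,` in the kde-powerdevil hunk appears to be missing a `/` between `@{uid}` and `kcrash_`, so it would expand to a path of the form `/run/user/<uid>kcrash_…` and never match; it predates this commit, but the hunk rewrites the lines directly above it. Presumably the intended rule is `owner @{run}/user/@{uid}/kcrash_@{int} rw,`, which would also follow the `@{int}` convention this commit applies in the steam hunks.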
@@ -72,23 +72,23 @@ profile kded5 @{exec_path} { owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/bluedevilglobalrc rk, - owner @{user_config_dirs}/bluedevilglobalrc* rwkl, + owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, + owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, + owner @{user_config_dirs}/gtk-{3,4}/settings.ini.lock rk, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kconf_updaterc r, owner @{user_config_dirs}/kcookiejarrc r, owner @{user_config_dirs}/kdebugrc r, owner @{user_config_dirs}/kded5rc.lock rwk, - owner @{user_config_dirs}/kded5rc* rwl, + owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdedefaults/{,**} r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/khotkeysrc.lock rwk, - owner @{user_config_dirs}/khotkeysrc* rwl, - owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ktimezonedrc r, owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc* rwl, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, 
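Review bot: The new `owner @{user_config_dirs}/gtk-{3,4}/settings.ini.lock rk,` line in the kded5 hunk uses `gtk-{3,4}/`, while the line directly above it uses `gtk-{3,4}.0/{,**}`; as written the new rule most likely never matches, so the `k` permission it was meant to add for the lock file is not actually granted. Suggested: `owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,`, to be confirmed against the denial that prompted the line.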
@@ -99,9 +99,9 @@ profile kded5 @{exec_path} { owner @{user_config_dirs}/xsettingsd/{,**} rw, owner @{user_share_dirs}/icc/{,edid-*} r, - owner @{user_share_dirs}/kcookiejar/#*[0-9] rw, - owner @{user_share_dirs}/kcookiejar/cookies rw, - owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk, + owner @{user_share_dirs}/kcookiejar/#@{int} rw, + owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/kded5/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, owner @{user_share_dirs}/kservices5/{,**} r, @@ -109,6 +109,7 @@ profile kded5 @{exec_path} { owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, + @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/kded5*kioworker.socket rwl, diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5 index 4d5a0ca4..a04c85eb 100644 --- a/apparmor.d/groups/kde/kioslave5 +++ b/apparmor.d/groups/kde/kioslave5 @@ -9,7 +9,9 @@ include @{exec_path} = @{lib}/kf5/kioslave5 profile kioslave5 @{exec_path} { include + include include + include include include include @@ -18,6 +20,7 @@ profile kioslave5 @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -26,6 +29,7 @@ profile kioslave5 @{exec_path} { network netlink raw, network netlink dgram, + signal (receive) set=term peer=dolphin, signal (receive) set=term peer=firefox-kmozillahelper, signal (receive) set=term peer=plasmashell, @@ -39,6 +43,7 @@ profile kioslave5 @{exec_path} { /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/*.desktop r, + /usr/share/mime/ r, /etc/fstab r, /etc/xdg/kdeglobals r, 
@@ -46,11 +51,24 @@ profile kioslave5 @{exec_path} { /etc/xdg/kwinrc r, /etc/xdg/menus/{,**} r, - owner @{MOUNTDIRS}/** r, + # Full access to user's data + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + owner @{HOME}/{,**} rw, + owner @{run}/user/@{uid}/{,**} rw, + owner /tmp/{,**} rw, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, + # Silence non user's data + deny /boot/{,**} r, + deny /opt/{,**} r, + deny /root/{,**} r, + deny /tmp/.* rw, + deny /tmp/.*/{,**} rw, owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_cache_dirs}/thumbnails/*/ r, @@ -61,8 +79,11 @@ profile kioslave5 @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_share_dirs}/baloo/index-lock rwk, owner @{user_share_dirs}/baloo/index rw, + owner @{user_share_dirs}/baloo/index-lock rwk, + owner @{user_share_dirs}/kactivitymanagerd/resources/database rk, + owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, + owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 0fbc0e8d..0d279606 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -35,7 +35,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { network inet6 stream, network netlink raw, - ptrace read peer=pinentry-qt, + ptrace (read) peer=pinentry-qt, + ptrace (read) peer=kded5, signal (send), 
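Review bot: The new `# Full access to user's data` group in the kioslave5 hunk grants `owner @{HOME}/{,**} rw,`, `@{MOUNTS}/** rw,` and `owner /tmp/{,**} rw,`, which lets the KIO worker read and write essentially everything the user owns, dotfiles and key material included, unless a sensitive-home deny abstraction is also included (the include targets are not legible on this page, so I cannot tell). For a file-manager backend that may be the intended scope, but the comment should say so and name what bounds it, e.g. `# Full access to user's data (file manager backend); sensitive dotfiles stay denied via the deny-sensitive-home abstraction` if that abstraction is indeed included. `@{MOUNTS}/** rw,` is the only rule in the group without `owner`; if that is deliberate (media owned by other users), a short comment will stop the next reader from "fixing" it, otherwise `owner @{MOUNTS}/** rw,` keeps it consistent with its siblings. Finally, since deny rules win over allow rules in AppArmor, `deny /tmp/.*/{,**} rw,` also covers `/tmp/.X11-unix/*` and `/tmp/.ICE-unix/*` (paths visible in the X-strict hunk of this commit), so confirm this worker never needs those sockets.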
@@ -101,10 +102,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/ksycoca5_* rl, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, - owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwlk, + owner @{user_cache_dirs}/plasma-svgelements.{,@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, - owner @{user_cache_dirs}/plasma-svgelements* rwl, owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl, + owner @{user_cache_dirs}/bookmarksrunner/ rw, + owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int}, owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/*kde*.desktop* r, @@ -116,9 +118,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kactivitymanagerd-statsrc r, owner @{user_config_dirs}/{KDE,kde.org}/ rw, owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#@{int}, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klipperrc r, @@ -149,6 +149,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma/plasmoids/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + owner /tmp/#@{int} rw, + @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 6904bdae..abd0e1a6 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
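Review bot: In the plasmashell hunk, the new pattern `owner @{user_cache_dirs}/plasma-svgelements.{,@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},` puts the dot outside the braces, so it matches `plasma-svgelements.` (trailing dot) and `plasma-svgelements.XXXXXX` but no longer the plain `plasma-svgelements` file that the removed `plasma-svgelements*` line used to cover. Every other rule of this family in the commit (kconf_update, kded5, kde-powerdevil) writes it as `name{,.@{rand6}}`, so this looks like a typo; suggested: `owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},`.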
@@ -26,6 +26,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, capability fowner, + capability kill, capability net_admin, capability setgid, capability setuid, @@ -35,7 +36,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, ptrace (trace) peer=@{profile_name}, + ptrace (read) peer=unconfined, + ptrace (read) peer=kwalletd5, + signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, @{exec_path} mr, @@ -116,9 +120,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/ w, owner @{user_share_dirs}/kwalletd/ rw, - owner @{user_share_dirs}/kwalletd/kdewallet.salt r, owner @{user_share_dirs}/kwalletd/kdewallet.salt rw, owner @{user_share_dirs}/sddm/ w, + owner @{user_share_dirs}/sddm/wayland-session.log w, owner @{user_share_dirs}/sddm/xorg-session.log w, /tmp/sddm-* rw, @@ -130,6 +134,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/sddm.pid rw, @{run}/sddm/\{@{uuid}\} rw, + @{run}/sddm/#@{int} rw, @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int}, @{run}/systemd/sessions/*.ref rw, @{run}/user/@{uid}/xauth_@{rand6} rwl, @@ -137,7 +142,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kwallet5.socket rw, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/ r, + @{PROC}/uptime r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 77157542..9bc85d0a 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
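Review bot: `ptrace (read) peer=unconfined,` in the second sddm hunk is a broad grant: together with the `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,` rules shown in the last hunk of this file, it lets the display manager read process details of every unconfined task on the system, not only its own session. If the denial came from one helper, a labelled peer (as done with `peer=kwalletd5` on the next line) would be the narrower fix; if unconfined is really required, a comment such as `# ptrace read on unconfined: <process/operation from the audit log>` next to the line keeps the grant reviewable. `capability kill,` added in the first hunk is likewise unexplained, though it is at least consistent with the `signal (send) set=(kill, term)` rules below it.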
@@ -13,6 +13,7 @@ profile bootctl @{exec_path} { include capability mknod, + capability net_admin, signal (send) peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index ddd78fdb..4c09badd 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -68,8 +68,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/uevent_seqnum r, @{sys}/devices/**/read_ahead_kb r, - @{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw, - @{PROC}/devices r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b6182579..1f537f6b 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -30,7 +30,8 @@ profile systemd-journald @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{md5}/{,*} rw -> /{run,var}/log/journal/@{md5}/**, + /{run,var}/log/journal/@{md5}/ rw, + /{run,var}/log/journal/@{md5}/* rw -> /{run,var}/log/journal/@{md5}/#@{int}, owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 638d4623..0c8288cd 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -128,7 +128,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/fs/cgroup/memory.max r, @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, - @{sys}/fs/cgroup/system.slice/systemd-logind.service/memory.pressure rw, @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, 
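Review bot: `capability net_admin,` is a surprising grant for bootctl, a boot-loader management tool with no network role, and a bare capability line with no comment will be hard to justify or remove later. If the denial came from a socket option or ioctl in systemd's shared code, say so beside the line, e.g. `# net_admin: <operation seen in the audit log>` with the real operation filled in, or consider a `deny capability net_admin,` silencer if the tool works without it.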
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 4572a2d3..7b62e994 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -71,7 +71,5 @@ profile systemd-machined @{exec_path} { @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/notify w, - @{sys}/fs/cgroup/system.slice/systemd-machined.service/memory.pressure rw, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 62a1ae1e..d81c2669 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/systemd/systemd-oomd profile systemd-oomd @{exec_path} flags=(attach_disconnected) { include - include include + include capability dac_override, capability kill, @@ -33,7 +33,6 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.pressure r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, @{PROC}/pressure/{cpu,io,memory} r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index b5436e56..4637e76a 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -55,8 +55,6 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/resolve/{,**} rw, owner @{run}/systemd/journal/socket w, - owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw, - @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index cb1adebe..eb4d7264 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
@@ -37,8 +37,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, - @{sys}/fs/cgroup/system.slice/systemd-timesyncd.service/memory.pressure rw, - owner @{run}/systemd/journal/socket w, owner @{run}/systemd/timesync/synchronized rw, @{run}/resolvconf/*.conf r, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 7820b560..daf9a1a4 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -34,7 +34,7 @@ profile systemd-vconsole-setup @{exec_path} { @{sys}/module/vt/parameters/default_utf8 w, - /dev/tty@{int} rw, + /dev/tty@{int} rwk, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index b0da3ebe..d2eca8f1 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/{dumpe2fs,e2mmpstatus} +@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge index c4eee28c..62ea8ead 100644 --- a/apparmor.d/profiles-g-l/localepurge +++ b/apparmor.d/profiles-g-l/localepurge @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -12,48 +13,47 @@ profile localepurge @{exec_path} { include @{exec_path} r, - @{bin}/{,ba,da}sh rix, - @{bin}/fgrep rix, - @{bin}/chmod rix, - @{bin}/mkdir rix, - @{bin}/touch rix, - @{bin}/ls rix, + @{bin}/{,ba,da}sh rix, @{bin}/{,e}grep rix, - @{bin}/sort rix, + @{bin}/basename rix, + @{bin}/chmod rix, + @{bin}/du rix, + @{bin}/fgrep rix, + @{bin}/find rix, + @{bin}/ls rix, + @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/rm rix, + @{bin}/sort rix, + @{bin}/touch rix, @{bin}/tr rix, - @{bin}/du rix, @{bin}/xargs rix, - @{bin}/basename rix, - @{bin}/find rix, @{bin}/df rPx, - owner @{PROC}/@{pid}/fd/ r, + # Dirs cleaned from locales + /usr/share/{gnome/,}help/{,**/} r, + /usr/share/{gnome/,}help/**/** w, + /usr/share/{locale,man,omf,calendar}/{,**/} r, + /usr/share/{locale,man,omf,calendar}/**/** w, + /usr/share/aptitude/{,*} r, + /usr/share/aptitude/* w, + /usr/share/cups/{templates,locale,doc-root}/{,**/} r, + /usr/share/cups/{templates,locale,doc-root}/**/** w, + /usr/share/vim/ r, + /usr/share/vim/vim[0-9]*/lang/{,**/} r, + /usr/share/vim/vim[0-9]*/lang/**/** w, + /usr/share/X11/locale/**/** w, /etc/locale.nopurge r, owner /var/cache/localepurge/localelist r, owner /var/cache/localepurge/localelist-new{,.temp} rw, - # Dirs cleaned from locales - /usr/share/{locale,man,omf,calendar}/{,**/} r, - /usr/share/{locale,man,omf,calendar}/**/** w, - /usr/share/{gnome/,}help/{,**/} r, - /usr/share/{gnome/,}help/**/** w, - /usr/share/cups/{templates,locale,doc-root}/{,**/} r, - /usr/share/cups/{templates,locale,doc-root}/**/** w, - /usr/share/vim/ r, - /usr/share/vim/vim[0-9]*/lang/{,**/} r, - /usr/share/vim/vim[0-9]*/lang/**/** w, - /usr/share/X11/locale/{,**/} r, - /usr/share/X11/locale/**/** w, - /usr/share/aptitude/{,*} r, - /usr/share/aptitude/* w, - /tmp/ r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index e628de5f..8c5ddd4c 100644 --- a/apparmor.d/profiles-m-r/needrestart 
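Review bot: The reordered `# Dirs cleaned from locales` group in the localepurge hunk drops `/usr/share/X11/locale/{,**/} r,` but keeps `/usr/share/X11/locale/**/** w,`, making it the only pair in the group with a write rule and no directory read; unless another include covers that tree, `find` cannot enumerate it and nothing under it gets purged. Restoring `/usr/share/X11/locale/{,**/} r,` above the write rule keeps the pattern of the other pairs. The removal of `/tmp/ r,` in the same hunk is probably intentional, but the commit message ("general update") does not say, so a confirming audit run would be worth mentioning in the description.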
+++ b/apparmor.d/profiles-m-r/needrestart @@ -17,6 +17,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability checkpoint_restore, capability dac_read_search, + capability kill, capability sys_ptrace, ptrace (read), diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 54755420..edc1adb6 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -12,6 +12,11 @@ profile needrestart-apt-pinvoke @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.login1, label=systemd-logind), + @{exec_path} mr, @{bin}/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 4bc831a7..793a4ab3 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -6,7 +6,7 @@ abi , include -@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64} +@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu@{int}_{32,64} @{exec_path} = @{user_share_dirs}/Steam/steam.sh profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include 
@@ -84,20 +84,20 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) @{bin}/zenity rix, @{lib}/ld-linux.so* rix, - @{steam_lib_dirs}/*.so* mr, - @{steam_lib_dirs}/*driverquery rix, - @{steam_lib_dirs}/fossilize_replay rpx, - @{steam_lib_dirs}/gameoverlayui rpx, - @{steam_lib_dirs}/panorama/** rm, - @{steam_lib_dirs}/reaper rpx, - @{steam_lib_dirs}/steam rix, - @{steam_lib_dirs}/steam-runtime-heavy.sh rix, - @{steam_lib_dirs}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix, - @{steam_lib_dirs}/steam-runtime{,-heavy}/{setup,run}.sh rix, - @{steam_lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix, - @{steam_lib_dirs}/steamwebhelper rix, - @{steam_lib_dirs}/steamwebhelper.sh rix, - @{steam_lib_dirs}/swiftshader/* rm, + @{lib_dirs}/*.so* mr, + @{lib_dirs}/*driverquery rix, + @{lib_dirs}/fossilize_replay rpx, + @{lib_dirs}/gameoverlayui rpx, + @{lib_dirs}/panorama/** rm, + @{lib_dirs}/reaper rpx, + @{lib_dirs}/steam rix, + @{lib_dirs}/steam-runtime-heavy.sh rix, + @{lib_dirs}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix, + @{lib_dirs}/steam-runtime{,-heavy}/{setup,run}.sh rix, + @{lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix, + @{lib_dirs}/steamwebhelper rix, + @{lib_dirs}/steamwebhelper.sh rix, + @{lib_dirs}/swiftshader/* rm, @{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr, @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx, @@ -113,14 +113,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) /etc/machine-id r, /var/lib/dbus/machine-id r, + @{bin}/ r, + @{lib}/ r, / r, /{usr/,}{local/,} r, /{usr/,}{local/,}share/ r, - @{lib}/ r, /etc/ r, /home/ r, /run/ r, - /usr/bin/ r, /var/ r, owner @{HOME}/ r, 
@@ -149,18 +149,18 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) owner @{run}/user/@{uid}/gdm/Xauthority r, owner /dev/shm/#@{int} rw, - owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw, + owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /tmp/dumps/ rw, - owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw, + owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw, owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, owner /tmp/miles_image_* mrw, owner /tmp/runtime-info.txt.* rwk, owner /tmp/sh-thd.* rw, - owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw, + owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+sound* r, diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index 7725ee3b..9a54992a 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -12,6 +12,8 @@ profile whiptail @{exec_path} flags=(complain) { include include + capability dac_read_search, + @{exec_path} mr, /etc/newt/palette.ubuntu r,
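Review bot: `capability dac_read_search,` added to whiptail lets a dialog utility bypass read and directory-search permission checks on every path the profile otherwise allows; since the profile runs with `flags=(complain)`, the grant is easy to overlook in audit logs. A comment naming the path or invocation that triggered it, such as `# dac_read_search: <path from audit log>`, would let a later reviewer decide whether a narrower file rule or a `deny` silencer is sufficient.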