mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Profiles update.

Browse source
This commit is contained in:
Alexandre Pujol 2021-10-07 14:50:46 +01:00
parent f7a08b666d
commit 9c8c2144b8
Failed to generate hash of commit
26 changed files with 186 additions and 136 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/browsers/chromium-chromium
View file

@ -11,7 +11,7 @@ include <tunables/global>
@{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium
@{exec_path} = @{CHROMIUM_INSTALLDIR}/chromium
profile chromium-chromium @{exec_path} {
profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>

1
apparmor.d/groups/bus/dbus-daemon
View file

@ -19,6 +19,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term, kill),
signal (receive) set=(term, hup) peer=gdm*,
signal (send) set=(term, kill) peer=at-spi-bus-launcher,
network netlink raw,

1
apparmor.d/groups/desktop/at-spi-bus-launcher
View file

@ -18,6 +18,7 @@ profile at-spi-bus-launcher @{exec_path} {
deny capability sys_nice,
signal (receive) set=(term hup) peer=gdm*,
signal (receive) set=(term hup) peer=dbus-daemon,
signal (send) set=(term, kill) peer=dbus-daemon,
network inet stream,

4
apparmor.d/groups/gnome/gnome-shell
View file

@ -79,6 +79,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/gnome-shell/{,**} rw,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
owner @{user_cache_dirs}/gnome-photos/{,**} r,

5
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -30,6 +30,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-system-monitor/{,**} r,
/usr/share/pixmaps/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,

2
apparmor.d/groups/gvfs/gvfsd-fuse
View file

@ -7,8 +7,6 @@ abi <abi/3.0>,
include <tunables/global>
# DENIED operation="mount" info="failed mntpnt match" error=-13 profile="gvfsd-fuse" name="/home/alex/.cache/gvfs/" comm="gvfsd-fuse" fstype="fuse.gvfsd-fuse" srcname="gvfsd-fuse" flags="rw, nosuid, nodev"
@{exec_path} = /{usr/,}lib/gvfs/gvfsd-fuse
@{exec_path} += @{libexec}/gvfsd-fuse
profile gvfsd-fuse @{exec_path} {

2
apparmor.d/groups/pacman/pacman
View file

@ -60,11 +60,13 @@ profile pacman @{exec_path} {
/{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
/{usr/,}bin/install-info rPx,
/{usr/,}bin/journalctl rPx,
/{usr/,}bin/killall rPx,
/{usr/,}bin/pacdiff rPx,
/{usr/,}bin/pacman-key rPx,
/{usr/,}bin/sysctl rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-* rPx,
/{usr/,}bin/update-ca-trust rPx,
/{usr/,}bin/update-desktop-database rPx,
/{usr/,}bin/update-mime-database rPx,

1
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
View file

@ -11,6 +11,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
include <abstractions/base>
capability dac_read_search,
capability mknod,
@{exec_path} mr,

2
apparmor.d/groups/systemd/systemd-backlight
View file

@ -38,5 +38,5 @@ profile systemd-backlight @{exec_path} flags=(complain) {
/var/lib/systemd/backlight/*backlight* rw,
include if exists <local/systemd-backlight>
}

4
apparmor.d/groups/systemd/systemd-coredump
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-coredump
profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) {
profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>

3
apparmor.d/groups/systemd/systemd-detect-virt
View file

@ -20,5 +20,8 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
# Inherit silencer
deny /apparmor/.null rw,
include if exists <local/systemd-detect-virt>
}

14
apparmor.d/profiles-a-f/apparmor.systemd
View file

@ -9,21 +9,33 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/xargs rix,
/{usr/,}{s,}bin/aa-status rPx,
/{usr/,}sbin/apparmor_parser rPx,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}lib/apparmor/rc.apparmor.functions r,
/etc/apparmor.d/ r,
@{sys}/fs/cgroup/systemd/ r,
@{sys}/kernel/security/apparmor/{,**} r,
@{sys}/module/apparmor/ r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/maps r,
@{PROC}/@{pids}/mounts r,
@{PROC}/filesystems r,
@{PROC}/mounts r,
/dev/tty rw,
include if exists <local/apparmor.systemd>
}

5
apparmor.d/profiles-a-f/dkms
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/dkms
profile dkms @{exec_path} {
profile dkms @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -96,6 +96,9 @@ profile dkms @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/osrelease r,
# Inherit silencer
deny /apparmor/.null rw,
profile kmod {
include <abstractions/base>
include <abstractions/consoles>

5
apparmor.d/profiles-a-f/fwupd
View file

@ -32,6 +32,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/{usr/,}bin/gpgsm rCx -> gpg,
/etc/pki/fwupd/** r,
/etc/pki/fwupd-metadata/** r,
/etc/fwupd/** r,
/usr/share/fwupd/** r,
@ -73,7 +74,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/efi/** r,
@{sys}/firmware/efi/efivars/BootNext-* rw,
@{sys}/firmware/efi/efivars/fwupd-ux-capsule-* rw,
@{sys}/firmware/efi/efivars/fwupd-* rw,
@{sys}/kernel/security/lockdown r,
@{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
@{sys}/power/mem_sleep r,
@ -90,6 +91,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_read_search,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,

39
apparmor.d/profiles-g-l/htop
View file

@ -17,8 +17,6 @@ profile htop @{exec_path} {
capability sys_nice,
capability sys_ptrace,
# Needed? (for system state)
audit deny capability net_admin,
signal (send),
ptrace (read),
@ -38,45 +36,46 @@ profile htop @{exec_path} {
owner @{PROC}/@{pid}/smaps_rollup r,
@{PROC}/ r,
@{PROC}/diskstats r,
@{PROC}/loadavg r,
@{PROC}/uptime r,
@{PROC}/tty/drivers r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
@{PROC}/diskstats r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/sched_autogroup_enabled r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/autogroup rw,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/io r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/io r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/ r,
@{PROC}/@{pids}/task/@{tid}/attr/current r,
@{PROC}/@{pids}/task/@{tid}/cgroup r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/statm r,
@{PROC}/@{pids}/task/@{tid}/comm r,
@{PROC}/@{pids}/task/@{tid}/environ r,
@{PROC}/@{pids}/task/@{tid}/io r,
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
@{PROC}/@{pids}/task/@{tid}/oom_score r,
@{PROC}/@{pids}/task/@{tid}/cgroup r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/statm r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/io r,
@{PROC}/@{pids}/task/@{tid}/comm r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{sys}/class/hwmon/ r,
@{sys}/class/i2c-adapter/ r,

5
apparmor.d/profiles-g-l/kernel-install
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/kernel-install
profile kernel-install @{exec_path} flags=(complain) {
profile kernel-install @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@ -60,9 +60,6 @@ profile kernel-install @{exec_path} flags=(complain) {
/{usr/,}bin/kmod mr,
#@{PROC}/cmdline r,
#@{PROC}/modules r,
}
include if exists <local/kernel-install>

18
apparmor.d/profiles-m-r/man
View file

@ -37,6 +37,21 @@ profile man @{exec_path} {
/{usr/,}bin/tr rCx -> man_filter,
/{usr/,}bin/xz rCx -> man_filter,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/usr/**/man/** r,
/var/**/man/** r,
/var/cache/man/index.db rk,
/etc/man_db.conf r,
/dev/tty r,
include if exists <local/man>
}
profile man_groff {
include <abstractions/base>
include <abstractions/consoles>
@ -89,6 +104,3 @@ profile man @{exec_path} {
/var/cache/man/** w,
}
include if exists <local/man>
}

2
apparmor.d/profiles-m-r/pass
View file

@ -49,7 +49,7 @@ profile pass @{exec_path} {
# Pass extensions
/{usr/,}bin/oathtool rix, # pass-otp
/{usr/,}bin/python3.[0-9]* rPx -> pass-extension-python, # pass-import, pass-audit
/{usr/,}bin/python3.[0-9]* rPx -> pass-import, # pass-import
/{usr/,}bin/qrencode rPUx, # pass-otp
/{usr/,}bin/tomb rPUx, # pass-tomb

3
apparmor.d/profiles-m-r/pipewire
View file

@ -12,9 +12,6 @@ profile pipewire @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
ptrace (read) peer=pipewire-media-session,
ptrace (read) peer=pipewire-pulse,
# Needed for all sound/music apps.
ptrace (read),

3
apparmor.d/profiles-m-r/pipewire-pulse
View file

@ -12,9 +12,6 @@ profile pipewire-pulse @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
ptrace (read) peer=pipewire,
ptrace (read) peer=pipewire-media-session,
# Needed for all sound/music apps.
ptrace (read),

28
apparmor.d/profiles-s-z/syncthing
View file

@ -1,20 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{SYNC_DIR} = @{HOME}/Sync/
@{SYNC_DIR} += @{MOUNTS}/*/syncthing/
@{exec_path} = /{usr/,}bin/syncthing
profile syncthing @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
@ -27,21 +25,20 @@ profile syncthing @{exec_path} {
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ip rix,
owner @{HOME}/ r,
owner @{user_config_dirs}/syncthing/ rw,
owner @{user_config_dirs}/syncthing/** rwk,
@{SYNC_DIR}/{,**} rw,
/usr/share/mime/{,*} r,
/etc/mime.types r,
@{PROC}/sys/net/core/somaxconn r,
owner @{user_config_dirs}/syncthing/{,**} rwk,
owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk,
@{HOME}/ r,
@{user_sync_dirs}/{,**} rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Silecne the noise
deny /etc/ssl/certs/java/ r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/@{pids}/net/route r,
profile open {
include <abstractions/base>
@ -55,15 +52,14 @@ profile syncthing @{exec_path} {
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/firefox rPx,
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/syncthing>

3
apparmor.d/profiles-s-z/update-desktop-database
View file

@ -11,6 +11,9 @@ profile update-desktop-database @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability dac_override,
capability dac_read_search,
@{exec_path} mr,
/usr/share/applications/{,**/} r,

50
apparmor.d/profiles-s-z/virt-manager
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,23 +11,23 @@ include <tunables/global>
@{exec_path} += /usr/share/virt-manager/virt-manager
profile virt-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/X>
include <abstractions/vulkan>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/openssl>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/devices-usb>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gstreamer>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/gstreamer>
include <abstractions/vulkan>
include <abstractions/X>
network inet stream,
network inet6 stream,
@ -55,6 +55,9 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
/usr/share/virtio/{,*} r,
/var/lib/usbutils/*.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/fstab r,
/etc/libnl/classid r,
/etc/libva.conf r,
@ -81,25 +84,24 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/route r,
@{run}/mount/utab r,
@{run}/udev/data/c51[0-9]:[0-9]* r,
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/virtual/drm/ttm/uevent r,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/net/route r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/dev/video[0-9]* rw,
# Silence the noise
deny /usr/share/virt-manager/{,**} w,

5
apparmor.d/profiles-s-z/xdg-dbus-proxy
View file

@ -12,6 +12,11 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {
@{exec_path} mr,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,

5
apparmor.d/profiles-s-z/xdg-mime
View file

@ -46,6 +46,11 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
owner @{HOME}/.Xauthority r,
owner @{run}/user/@{uid}/ r,

4
apparmor.d/tunables/xdg-user-dirs
View file

@ -24,6 +24,7 @@
@{XDG_PROJECTS_DIR}="Projects"
@{XDG_BOOKS_DIR}="Books"
@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
@{XDG_SYNC_DIR}="Sync"
@{XDG_VM_DIR}=".vm"
# User personal keyrings
@ -48,6 +49,9 @@
@{user_pkg_dirs}="/tmp/pkg/"
@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
# Other user directories
@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
# to the various XDG directories
include <tunables/xdg-user-dirs.d>