diff --git a/apparmor.d/accounts-daemon b/apparmor.d/accounts-daemon
index e0b0acad..5d9ef313 100644
--- a/apparmor.d/accounts-daemon
+++ b/apparmor.d/accounts-daemon
@@ -13,7 +13,8 @@
 #include
-@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon /usr/libexec/accounts-daemon
+@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon
+@{exec_path} += /usr/libexec/accounts-daemon
 profile accounts-daemon @{exec_path} {
 #include
 #include
diff --git a/apparmor.d/at-spi-bus-launcher b/apparmor.d/at-spi-bus-launcher
index 48356706..62f514d5 100644
--- a/apparmor.d/at-spi-bus-launcher
+++ b/apparmor.d/at-spi-bus-launcher
@@ -13,7 +13,8 @@
 #include
-@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher /usr/libexec/at-spi-bus-launcher
+@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher
+@{exec_path} += /usr/libexec/at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} {
 #include
 #include
diff --git a/apparmor.d/at-spi2-registryd b/apparmor.d/at-spi2-registryd
index 0cd86bfc..04b82dfc 100644
--- a/apparmor.d/at-spi2-registryd
+++ b/apparmor.d/at-spi2-registryd
@@ -13,7 +13,8 @@
 #include
-@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd /usr/libexec/at-spi2-registryd
+@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd
+@{exec_path} += /usr/libexec/at-spi2-registryd
 profile at-spi2-registryd @{exec_path} {
 #include
 #include
diff --git a/apparmor.d/bluetoothd b/apparmor.d/bluetoothd
index aa6dfd8b..b7db1f1b 100644
--- a/apparmor.d/bluetoothd
+++ b/apparmor.d/bluetoothd
@@ -13,7 +13,8 @@
 #include
-@{exec_path} = /{usr/,}lib/bluetooth/bluetoothd
+@{exec_path} = /{usr/,}lib/bluetooth/bluetoothd
+@{exec_path} += /usr/libexec/bluetooth/bluetoothd
 profile bluetoothd @{exec_path} {
 #include
diff --git a/apparmor.d/colord-sane b/apparmor.d/colord-sane
index cb3dcefb..d1fa9c53 100644
--- a/apparmor.d/colord-sane
+++ b/apparmor.d/colord-sane
@@ -13,7 +13,8 @@
 #include
-@{exec_path} = /{usr/,}lib/colord/colord-sane /usr/libexec/colord-sane
+@{exec_path} = /{usr/,}lib/colord/colord-sane
+@{exec_path} += /usr/libexec/colord-sane
 profile colord-sane @{exec_path} flags=(complain) {
 #include
diff --git a/apparmor.d/dh b/apparmor.d/dh
index 9990e066..20db1559 100644
--- a/apparmor.d/dh
+++ b/apparmor.d/dh
@@ -32,6 +32,10 @@ profile dh @{exec_path} flags=(complain) {
 /{usr/,}bin/rm rix,
 /{usr/,}bin/mkdir rix,
+ /usr/share/python/pyversions.py rCx -> python,
+ /usr/share/python3/py3versions.py rCx -> python,
+ /usr/share/dh-python/* rCx -> python,
+
 # What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
 owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
 owner @{BUILD_DIR}/** rcx -> debian-rules,
@@ -72,5 +76,37 @@ profile dh @{exec_path} flags=(complain) {
 }
+ profile python flags=(complain) {
+ #include
+ #include
+
+ /usr/share/python/pyversions.py mr,
+ /usr/share/python3/py3versions.py mr,
+ /usr/share/dh-python/* mr,
+
+ /{usr/,}bin/python2.[0-9]* rix,
+ /{usr/,}bin/python3.[0-9]* rix,
+
+ /usr/share/python/ r,
+ /usr/share/python/debian_defaults r,
+ /usr/share/python3/ r,
+ /usr/share/python3/debian_defaults r,
+
+ /usr/share/dh-python/ r,
+ /usr/share/dh-python/** r,
+
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/dpkg-architecture rPx,
+ /{usr/,}bin/git rPx,
+
+ owner /media/debuilder/** r,
+ owner /media/debuilder/**/.pybuild/ rw,
+ owner /media/debuilder/**/.pybuild/** rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ }
+
 #include if exists
 }
diff --git a/apparmor.d/dkms b/apparmor.d/dkms
index 1b0024db..a2c533e8 100644
--- a/apparmor.d/dkms
+++ b/apparmor.d/dkms
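Review bot: The new python subprofile hard-codes the build tree as `/media/debuilder/` (`owner /media/debuilder/** r,` and the two `.pybuild` rules) while the enclosing dh profile addresses the same tree through the `@{BUILD_DIR}` tunable (`owner @{BUILD_DIR}/** rcx -> debian-rules,` in the hunk at -32), so a build directory placed anywhere else keeps working for dh itself but silently breaks inside the subprofile. Suggest `owner @{BUILD_DIR}/** r,`, `owner @{BUILD_DIR}/**/.pybuild/ rw,` and `owner @{BUILD_DIR}/**/.pybuild/** rw,` so the two stay in step. The abstraction names on the subprofile's `#include` lines are not visible in this rendering, so what the subprofile inherits beyond the listed rules cannot be checked here.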
@@ -48,9 +48,9 @@ profile dkms @{exec_path} {
 /{usr/,}bin/getconf rix,
 /{usr/,}bin/xargs rix,
- /{usr/,}bin/make rix,
- /{usr/,}bin/{,@{multiarch}-}* rix,
- /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
+ /{usr/,}bin/make rix,
+ /{usr/,}bin/{,@{multiarch}-}* rix,
+ /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
 /{usr/,}bin/kmod rCx -> kmod,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
@@ -85,7 +85,7 @@ profile dkms @{exec_path} {
 owner @{HOME}/ r,
- owner /tmp/cc*.s rw,
+ owner /tmp/cc* rw,
 owner /tmp/dkms.*/ rw,
 owner /tmp/tmp.* rw,
 owner /tmp/sh-thd.* rw,
diff --git a/apparmor.d/dnscrypt-proxy b/apparmor.d/dnscrypt-proxy
index 1b9d442a..770b2c20 100644
--- a/apparmor.d/dnscrypt-proxy
+++ b/apparmor.d/dnscrypt-proxy
@@ -47,6 +47,11 @@ profile dnscrypt-proxy @{exec_path} {
 owner /etc/dnscrypt-proxy/relays.md.minisig rw,
 owner /etc/dnscrypt-proxy/public-resolvers.md rw,
 owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,
+ owner /var/cache/dnscrypt-proxy/sf-*.tmp rw,
+ owner /var/cache/dnscrypt-proxy/relays.md rw,
+ owner /var/cache/dnscrypt-proxy/relays.md.minisig rw,
+ owner /var/cache/dnscrypt-proxy/public-resolvers.md rw,
+ owner /var/cache/dnscrypt-proxy/public-resolvers.md.minisig rw,
 @{PROC}/sys/net/core/somaxconn r,
 @{PROC}/sys/kernel/hostname r,
diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa
index bad412db..96357712 100644
--- a/apparmor.d/engrampa
+++ b/apparmor.d/engrampa
@@ -67,6 +67,8 @@ profile engrampa @{exec_path} {
 owner @{HOME}/.config/mimeapps.list{,.*} rw,
+ owner @{HOME}/.local/share/ r,
+
 /usr/share/engrampa/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/git b/apparmor.d/git
index d89e6ef9..9c8df883 100644
--- a/apparmor.d/git
+++ b/apparmor.d/git
@@ -18,6 +18,7 @@
 @{exec_path} = /{usr/,}bin/git
 profile git @{exec_path} {
 #include
+ #include
 #include
 #include
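Review bot: `/{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,` widens the previous `cc1`-only rule to every executable in GCC's private directory, and `owner /tmp/cc* rw,` in the hunk at -85 likewise widens `/tmp/cc*.s` to any file of the caller's beginning with `cc` under /tmp; both helpers run under `ix`, i.e. with dkms's own, already broad, permissions. If the helpers that produced the denial are known, enumerating them (for example `/{usr/,}lib/gcc/@{multiarch}/[0-9]*/{cc1,cc1plus,collect2,lto1,lto-wrapper} rix,`) keeps the intent readable; otherwise a comment such as `# gcc driver helpers (cc1, collect2, lto-wrapper, ...)` above the rule should say why the glob is needed. The temp-file rule could similarly be limited to the suffixes gcc is seen to create (`owner /tmp/cc*.{s,o,ld,res,le} rw,` or whatever the audit log shows) rather than the bare prefix.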
@@ -61,6 +62,9 @@ profile git @{exec_path} {
 # Difftools
 /{usr/,}bin/meld rPUx,
+ /{usr/,}bin/sensible-editor rCx -> editor,
+ /{usr/,}bin/vim.* rCx -> editor,
+
 owner @{HOME}/.config/git/ rw,
 owner @{HOME}/.config/git/config rw,
@@ -126,5 +130,29 @@ profile git @{exec_path} {
 }
+ profile editor flags=(complain) {
+ #include
+ #include
+
+ /{usr/,}bin/sensible-editor mr,
+ /{usr/,}bin/vim.* mrix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/which rix,
+
+ owner @{HOME}/.selected_editor r,
+
+ /usr/share/vim/{,**} r,
+ /etc/vim/{,**} r,
+ owner @{HOME}/.viminfo{,.tmp} rw,
+
+ owner @{HOME}/.fzf/plugin/ r,
+ owner @{HOME}/.fzf/plugin/fzf.vim r,
+
+ # The git repository files
+ owner /media/debuilder/ r,
+ owner /media/debuilder/** rw,
+
+ }
+
 #include if exists
 }
diff --git a/apparmor.d/smartd b/apparmor.d/smartd
index ca506cf5..f2761caa 100644
--- a/apparmor.d/smartd
+++ b/apparmor.d/smartd
@@ -25,6 +25,8 @@ profile smartd @{exec_path} {
 # Device: /dev/disk/by-id/ata-*, not available
 capability sys_rawio,
+ capability net_admin,
+
 @{exec_path} mr,
 /etc/smartd.conf r,
diff --git a/apparmor.d/suid3num b/apparmor.d/suid3num
new file mode 100644
index 00000000..c4bbdf3d
--- /dev/null
+++ b/apparmor.d/suid3num
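Review bot: The editor subprofile's `# The git repository files` rules grant write access only under the hard-coded `/media/debuilder/**`, so an editor launched through the `rCx -> editor` rules in the hunk at -61 cannot save the message or todo file git hands it for a repository located anywhere else (under `@{HOME}`, say); git is a general-purpose profile, unlike dh, so this will surface for any other checkout. A repository-location tunable, along the lines of the `@{BUILD_DIR}` used by dh, would keep the grant narrow without pinning it to one mount point. The combination `/{usr/,}bin/vim.* mrix` plus `/{usr/,}bin/dash rix` means that whatever vim spawns stays inside this subprofile, which is the intended containment; a one-line comment stating that, e.g. `# shell escapes from vim stay confined here`, would explain why dash is listed. The enclosing git profile begins outside the hunk.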
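Review bot: `capability net_admin,` is added here and identically in systemd-modules-load (hunk at -21) and systemd-rfkill (hunk at -18) without the explanatory comment that the neighbouring capability lines carry (`# Device: /dev/disk/by-id/ata-*, not available` above `sys_rawio`, `# To load kernel modules` above `sys_module`). CAP_NET_ADMIN covers interface, routing and netfilter configuration among other things, and nothing visible in the three profiles says which operation needed it; if the daemons work with the denial merely logged, `deny capability net_admin,` would quiet the log without widening any of them. Whichever way it goes, a comment naming the operation or the audit message that prompted the grant should sit above the rule, e.g. `# <operation that needed it> (see audit: <denial line>)` with the placeholders filled from the log.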
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{exec_path} = /{usr/,}bin/suid3num
+@{exec_path} += /{usr/,}bin/suid3num.py
+profile suid3num @{exec_path} {
+ #include
+ #include
+
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/bin/dash rix,
+ /usr/bin/find rix,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ / r,
+ /**/ r,
+
+ deny /media/ r,
+ deny /media/**/ r,
+
+ #include if exists
+}
diff --git a/apparmor.d/systemd-modules-load b/apparmor.d/systemd-modules-load
index a5b0e7e3..96b55bbe 100644
--- a/apparmor.d/systemd-modules-load
+++ b/apparmor.d/systemd-modules-load
@@ -21,6 +21,8 @@ profile systemd-modules-load @{exec_path} {
 # To load kernel modules
 capability sys_module,
+ capability net_admin,
+
 @{exec_path} mr,
 @{sys}/module/*/initstate r,
diff --git a/apparmor.d/systemd-rfkill b/apparmor.d/systemd-rfkill
index d68a6385..5b0ff3a6 100644
--- a/apparmor.d/systemd-rfkill
+++ b/apparmor.d/systemd-rfkill
@@ -18,6 +18,8 @@ profile systemd-rfkill @{exec_path} {
 #include
 #include
+ capability net_admin,
+
 @{exec_path} mr,
 /dev/rfkill rw,
diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird
index a45aaff2..195bac27 100644
--- a/apparmor.d/thunderbird
+++ b/apparmor.d/thunderbird
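Review bot: `capability sys_ptrace,` together with a `ptrace (read),` rule that carries no `peer=` qualifier lets this profile read the state of every process on the system (fd table, memory map, environment), which is far more than a SUID-file enumerator needs. If, as `/ r,` and `/**/ r,` suggest, the grant only exists because `find` walks into `@{PROC}` and trips the ptrace check on other processes' directories, excluding that subtree from the walk instead (for example `deny @{PROC}/@{pids}/ r,` next to the existing `deny /media/ r,`, which leaves the profile's own `owner @{PROC}/@{pid}/fd/ r,` usable) would make both rules unnecessary — worth confirming against the audit log before relying on that. Separately, `/usr/bin/dash rix,` and `/usr/bin/find rix,` skip the `/{usr/,}bin/` alternation that the interpreter rule two lines above and the rest of the repository use, so they would not match on a system without merged /usr; suggest `/{usr/,}bin/dash rix,` and `/{usr/,}bin/find rix,`.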
@@ -120,11 +120,13 @@ profile thunderbird @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/cgroup r,
- deny owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/smaps r,
 deny owner @{PROC}/@{pids}/cmdline r,
 deny owner @{PROC}/@{pids}/environ r,
 owner @{PROC}/@{pid}/task/ r,
- deny owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
 # To remove the following error:
 # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
 # (g-file-error-quark, 2)
diff --git a/apparmor.d/udisksd b/apparmor.d/udisksd
index 7f26f510..753bd64f 100644
--- a/apparmor.d/udisksd
+++ b/apparmor.d/udisksd
@@ -13,7 +13,8 @@
 #include
-@{exec_path} = /{usr/,}lib/udisks2/udisksd /usr/libexec/udisks2/udisksd
+@{exec_path} = /{usr/,}lib/udisks2/udisksd
+@{exec_path} += /usr/libexec/udisks2/udisksd
 profile udisksd @{exec_path} {
 #include
 #include
diff --git a/apparmor.d/upowerd b/apparmor.d/upowerd
index bedd9963..570dafde 100644
--- a/apparmor.d/upowerd
+++ b/apparmor.d/upowerd
@@ -20,9 +20,11 @@ profile upowerd @{exec_path} {
 @{exec_path} mr,
 # UPower config file
+ /etc/UPower/ r,
 /etc/UPower/UPower.conf r,
 # The history data for the power device
+ /var/lib/upower/ r,
 /var/lib/upower/history-*.dat{,.*} rw,
 # Are all of these needed? (#FIXME#)
diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager
index 17a1242d..083a29fd 100644
--- a/apparmor.d/virt-manager
+++ b/apparmor.d/virt-manager
@@ -43,6 +43,8 @@ profile virt-manager @{exec_path} flags=(complain) {
 /{usr/,}sbin/libvirtd rPx,
+ /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
+
 /usr/share/virt-manager/{,**} r,
 owner @{HOME}/ r,
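Review bot: The new `owner @{PROC}/@{pid}/smaps r,` exposes a complete address-space layout with per-mapping addresses, and whether it is limited to Thunderbird's own process depends entirely on how `@{pid}` is defined — the profile deliberately distinguishes `@{pid}` from `@{pids}` (used for the `cmdline`/`environ` denials), but if the tunable expands to a numeric glob rather than the caller's pid, `owner` alone still leaves every same-user process's `smaps`, `statm` and `stat` readable. Please confirm the tunable's definition, and record which component needed these (the previous `deny` on `stat` suggests they were consciously withheld before), e.g. `# stat/statm/smaps: needed by <component>, own pid only via @{pid}` above the three rules.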
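Review bot: `gst-plugin-scanner` is allowed with `rPUx`, so on a host where no profile of that name is loaded the scanner — which dlopens every plugin library it finds — runs unconfined, and nothing in this hunk or the profile header (outside the hunk) says whether such a profile exists in the tree. If it does, `rPx` makes a missing profile an explicit failure instead of a silent escape; if it does not, `rCx -> gst-plugin-scanner` with a small child profile (read-only access to the gstreamer plugin directory plus the cache path added in the hunk at -50) would keep the same containment as the rest of virt-manager. A comment stating which of the two was chosen and why would settle it for the next reader.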
@@ -50,6 +52,9 @@ profile virt-manager @{exec_path} flags=(complain) {
 owner @{HOME}/.cache/virt-manager/ rw,
 owner @{HOME}/.cache/virt-manager/** rw,
+ owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
+ owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw,
+
 # For disk images
 /media/ r,
 /media/*/ r,
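Review bot: `registry.x86_64.bin{,.tmp*}` hard-codes the CPU architecture, while the plugin-scanner rule in the hunk at -43 uses `@{multiarch}` to stay portable; on any other architecture the registry write would be denied and the scanner would presumably have to rebuild it on every start. Because `@{multiarch}` expands to a `*-linux-gnu*` triplet rather than a bare machine name it cannot be reused here, so `owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,` is the simplest portable form. The enclosing virt-manager profile begins outside the hunk.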