update apparmor profiles

This commit is contained in:
Mikhail Morfikov 2020-09-18 20:05:47 +02:00
parent d1605c62b3
commit a03db72f91
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
18 changed files with 145 additions and 12 deletions

View File

@ -13,7 +13,8 @@
#include <tunables/global> #include <tunables/global>
@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon /usr/libexec/accounts-daemon @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon
@{exec_path} += /usr/libexec/accounts-daemon
profile accounts-daemon @{exec_path} { profile accounts-daemon @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/wutmp> #include <abstractions/wutmp>

View File

@ -13,7 +13,8 @@
#include <tunables/global> #include <tunables/global>
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher /usr/libexec/at-spi-bus-launcher @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher
@{exec_path} += /usr/libexec/at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} { profile at-spi-bus-launcher @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice-strict> #include <abstractions/nameservice-strict>

View File

@ -13,7 +13,8 @@
#include <tunables/global> #include <tunables/global>
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd /usr/libexec/at-spi2-registryd @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd
@{exec_path} += /usr/libexec/at-spi2-registryd
profile at-spi2-registryd @{exec_path} { profile at-spi2-registryd @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice-strict> #include <abstractions/nameservice-strict>

View File

@ -14,6 +14,7 @@
#include <tunables/global> #include <tunables/global>
@{exec_path} = /{usr/,}lib/bluetooth/bluetoothd @{exec_path} = /{usr/,}lib/bluetooth/bluetoothd
@{exec_path} += /usr/libexec/bluetooth/bluetoothd
profile bluetoothd @{exec_path} { profile bluetoothd @{exec_path} {
#include <abstractions/base> #include <abstractions/base>

View File

@ -13,7 +13,8 @@
#include <tunables/global> #include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-sane /usr/libexec/colord-sane @{exec_path} = /{usr/,}lib/colord/colord-sane
@{exec_path} += /usr/libexec/colord-sane
profile colord-sane @{exec_path} flags=(complain) { profile colord-sane @{exec_path} flags=(complain) {
#include <abstractions/base> #include <abstractions/base>

View File

@ -32,6 +32,10 @@ profile dh @{exec_path} flags=(complain) {
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/mkdir rix, /{usr/,}bin/mkdir rix,
/usr/share/python/pyversions.py rCx -> python,
/usr/share/python3/py3versions.py rCx -> python,
/usr/share/dh-python/* rCx -> python,
# What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#) # What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules, owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
owner @{BUILD_DIR}/** rcx -> debian-rules, owner @{BUILD_DIR}/** rcx -> debian-rules,
@ -72,5 +76,37 @@ profile dh @{exec_path} flags=(complain) {
} }
profile python flags=(complain) {
#include <abstractions/base>
#include <abstractions/python>
/usr/share/python/pyversions.py mr,
/usr/share/python3/py3versions.py mr,
/usr/share/dh-python/* mr,
/{usr/,}bin/python2.[0-9]* rix,
/{usr/,}bin/python3.[0-9]* rix,
/usr/share/python/ r,
/usr/share/python/debian_defaults r,
/usr/share/python3/ r,
/usr/share/python3/debian_defaults r,
/usr/share/dh-python/ r,
/usr/share/dh-python/** r,
/{usr/,}bin/which rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/dpkg-architecture rPx,
/{usr/,}bin/git rPx,
owner /media/debuilder/** r,
owner /media/debuilder/**/.pybuild/ rw,
owner /media/debuilder/**/.pybuild/** rw,
owner @{PROC}/@{pid}/fd/ r,
}
#include if exists <local/dh> #include if exists <local/dh>
} }

View File

@ -50,7 +50,7 @@ profile dkms @{exec_path} {
/{usr/,}bin/make rix, /{usr/,}bin/make rix,
/{usr/,}bin/{,@{multiarch}-}* rix, /{usr/,}bin/{,@{multiarch}-}* rix,
/{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix, /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
/{usr/,}bin/kmod rCx -> kmod, /{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/lsb_release rPx -> child-lsb_release,
@ -85,7 +85,7 @@ profile dkms @{exec_path} {
owner @{HOME}/ r, owner @{HOME}/ r,
owner /tmp/cc*.s rw, owner /tmp/cc* rw,
owner /tmp/dkms.*/ rw, owner /tmp/dkms.*/ rw,
owner /tmp/tmp.* rw, owner /tmp/tmp.* rw,
owner /tmp/sh-thd.* rw, owner /tmp/sh-thd.* rw,

View File

@ -47,6 +47,11 @@ profile dnscrypt-proxy @{exec_path} {
owner /etc/dnscrypt-proxy/relays.md.minisig rw, owner /etc/dnscrypt-proxy/relays.md.minisig rw,
owner /etc/dnscrypt-proxy/public-resolvers.md rw, owner /etc/dnscrypt-proxy/public-resolvers.md rw,
owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw, owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,
owner /var/cache/dnscrypt-proxy/sf-*.tmp rw,
owner /var/cache/dnscrypt-proxy/relays.md rw,
owner /var/cache/dnscrypt-proxy/relays.md.minisig rw,
owner /var/cache/dnscrypt-proxy/public-resolvers.md rw,
owner /var/cache/dnscrypt-proxy/public-resolvers.md.minisig rw,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/hostname r,

View File

@ -67,6 +67,8 @@ profile engrampa @{exec_path} {
owner @{HOME}/.config/mimeapps.list{,.*} rw, owner @{HOME}/.config/mimeapps.list{,.*} rw,
owner @{HOME}/.local/share/ r,
/usr/share/engrampa/{,**} r, /usr/share/engrampa/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,

View File

@ -18,6 +18,7 @@
@{exec_path} = /{usr/,}bin/git @{exec_path} = /{usr/,}bin/git
profile git @{exec_path} { profile git @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ssl_certs> #include <abstractions/ssl_certs>
#include <abstractions/nameservice-strict> #include <abstractions/nameservice-strict>
@ -61,6 +62,9 @@ profile git @{exec_path} {
# Difftools # Difftools
/{usr/,}bin/meld rPUx, /{usr/,}bin/meld rPUx,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
owner @{HOME}/.config/git/ rw, owner @{HOME}/.config/git/ rw,
owner @{HOME}/.config/git/config rw, owner @{HOME}/.config/git/config rw,
@ -126,5 +130,29 @@ profile git @{exec_path} {
} }
profile editor flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/dash rix,
/{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r,
/usr/share/vim/{,**} r,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
# The git repository files
owner /media/debuilder/ r,
owner /media/debuilder/** rw,
}
#include if exists <local/git> #include if exists <local/git>
} }

View File

@ -25,6 +25,8 @@ profile smartd @{exec_path} {
# Device: /dev/disk/by-id/ata-*, not available # Device: /dev/disk/by-id/ata-*, not available
capability sys_rawio, capability sys_rawio,
capability net_admin,
@{exec_path} mr, @{exec_path} mr,
/etc/smartd.conf r, /etc/smartd.conf r,

41
apparmor.d/suid3num Normal file
View File

@ -0,0 +1,41 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /{usr/,}bin/suid3num
@{exec_path} += /{usr/,}bin/suid3num.py
profile suid3num @{exec_path} {
#include <abstractions/base>
#include <abstractions/python>
capability sys_ptrace,
ptrace (read),
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/usr/bin/dash rix,
/usr/bin/find rix,
owner @{PROC}/@{pid}/fd/ r,
/ r,
/**/ r,
deny /media/ r,
deny /media/**/ r,
#include if exists <local/suid3num>
}

View File

@ -21,6 +21,8 @@ profile systemd-modules-load @{exec_path} {
# To load kernel modules # To load kernel modules
capability sys_module, capability sys_module,
capability net_admin,
@{exec_path} mr, @{exec_path} mr,
@{sys}/module/*/initstate r, @{sys}/module/*/initstate r,

View File

@ -18,6 +18,8 @@ profile systemd-rfkill @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/systemd-common> #include <abstractions/systemd-common>
capability net_admin,
@{exec_path} mr, @{exec_path} mr,
/dev/rfkill rw, /dev/rfkill rw,

View File

@ -120,11 +120,13 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
deny owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pids}/cmdline r, deny owner @{PROC}/@{pids}/cmdline r,
deny owner @{PROC}/@{pids}/environ r, deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/ r,
deny owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,
# To remove the following error: # To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2) # (g-file-error-quark, 2)

View File

@ -13,7 +13,8 @@
#include <tunables/global> #include <tunables/global>
@{exec_path} = /{usr/,}lib/udisks2/udisksd /usr/libexec/udisks2/udisksd @{exec_path} = /{usr/,}lib/udisks2/udisksd
@{exec_path} += /usr/libexec/udisks2/udisksd
profile udisksd @{exec_path} { profile udisksd @{exec_path} {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice-strict> #include <abstractions/nameservice-strict>

View File

@ -20,9 +20,11 @@ profile upowerd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# UPower config file # UPower config file
/etc/UPower/ r,
/etc/UPower/UPower.conf r, /etc/UPower/UPower.conf r,
# The history data for the power device # The history data for the power device
/var/lib/upower/ r,
/var/lib/upower/history-*.dat{,.*} rw, /var/lib/upower/history-*.dat{,.*} rw,
# Are all of these needed? (#FIXME#) # Are all of these needed? (#FIXME#)

View File

@ -43,6 +43,8 @@ profile virt-manager @{exec_path} flags=(complain) {
/{usr/,}sbin/libvirtd rPx, /{usr/,}sbin/libvirtd rPx,
/{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
/usr/share/virt-manager/{,**} r, /usr/share/virt-manager/{,**} r,
owner @{HOME}/ r, owner @{HOME}/ r,
@ -50,6 +52,9 @@ profile virt-manager @{exec_path} flags=(complain) {
owner @{HOME}/.cache/virt-manager/ rw, owner @{HOME}/.cache/virt-manager/ rw,
owner @{HOME}/.cache/virt-manager/** rw, owner @{HOME}/.cache/virt-manager/** rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw,
# For disk images # For disk images
/media/ r, /media/ r,
/media/*/ r, /media/*/ r,