From a16d645dcb013cb5519e725529f04f6d8dc8de44 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 18 Jan 2023 22:52:32 +0000 Subject: [PATCH] feat(profile): improve xorg start from xinit. See: #105. --- apparmor.d/profiles-g-l/login | 21 +++++---- apparmor.d/profiles-s-z/startx | 14 ++++-- apparmor.d/profiles-s-z/xauth | 2 + apparmor.d/profiles-s-z/xinit | 85 +++++++++++++--------------------- 4 files changed, 56 insertions(+), 66 deletions(-) diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index f1a59ade..6b0fe12c 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -15,16 +15,18 @@ profile login @{exec_path} flags=(complain) { include include + capability audit_write, capability chown, + capability dac_read_search, + capability fowner, capability fsetid, + capability net_admin, capability setgid, capability setuid, capability sys_resource, - capability audit_write, - capability dac_read_search, -# capability net_admin, + capability sys_tty_config, -# network netlink raw, + network netlink raw, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.* @@ -34,19 +36,20 @@ profile login @{exec_path} flags=(complain) { /{usr/,}bin/{,z,ba,da}sh rUx, - /etc/environment r, - /etc/motd r, - /etc/legal r, /etc/default/locale r, - /etc/security/pam_env.conf r, + /etc/environment r, + /etc/legal r, + /etc/motd r, /etc/security/group.conf r, /etc/security/limits.conf r, /etc/security/limits.d/{,*} r, + /etc/security/pam_env.conf r, + /etc/shells r, /var/log/btmp{,.[0-9]*} r, - @{run}/faillock/root rwk, @{run}/dbus/system_bus_socket rw, + @{run}/faillock/* rwk, @{run}/motd.dynamic{,.new} rw, @{run}/systemd/sessions/*.ref rw, diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index df9e4ef0..8dadc4bf 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx 
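Review bot: In the first `login` hunk `capability net_admin,` and `network netlink raw,` go from commented-out to active without any comment saying which consumer needs them, and net_admin is one of the broadest capabilities a profile can grant (interface, routing and other network configuration). The usual reason a login helper opens a raw netlink socket is PAM emitting audit records, which the existing `capability audit_write,` already points to; whether net_admin is genuinely required on top of audit_write is worth confirming from the logged denial rather than enabling both at once. I would prefix the two rules with a comment naming the cause once known, e.g. `# PAM audit records over the netlink audit socket -- confirm against denials`, and drop net_admin if audit_write alone clears it. The same documentation point applies to the newly added `capability fowner,` and `capability sys_tty_config,`. Note the profile header still says `flags=(complain)`, so anything missing here only logs until the profile is enforced.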
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,19 +16,22 @@ profile startx @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/deallocvt rix, + /{usr/,}bin/expr rix, /{usr/,}bin/hostname rix, /{usr/,}bin/mcookie rix, /{usr/,}bin/mktemp rix, - /{usr/,}bin/tty rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, /{usr/,}bin/rm rix, - /{usr/,}bin/deallocvt rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/tty rix, + /{usr/,}bin/uname rix, /{usr/,}bin/xauth rPx, /{usr/,}bin/xinit rPx, + /usr/share/terminfo/** r, + /etc/X11/xinit/xinitrc r, /etc/X11/xinit/xserverrc r, diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index 096d9d23..6c098fc5 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -13,6 +13,8 @@ profile xauth @{exec_path} { @{exec_path} mr, + /Xauthority-c w, + owner @{HOME}/.Xauthority-c w, owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c, owner @{HOME}/.Xauthority-n rw, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 616ccf6b..10134205 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
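Review bot: In the `xauth` hunk the added `/Xauthority-c w,` grants a write directly under the filesystem root with no `owner` qualifier, unlike every other authority-file rule around it, and the lock protocol encoded by the following lines (`.Xauthority-l wl -> .Xauthority-c`) has no counterpart for this path, so a `/Xauthority-l` denial presumably follows. A path at `/` suggests xauth was invoked with an empty or root HOME or an unusual `XAUTHORITY` value, so the real fix may belong in the caller (startx/xinit per the commit title) rather than in this profile. If the rule is kept, make it `owner /Xauthority-c w,`, add the companion `owner /Xauthority-l wl -> /Xauthority-c,`, and record the invocation that produced the denial in a comment, e.g. `# xauth called with XAUTHORITY under / -- confirm which caller`.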
@@ -18,36 +19,38 @@ profile xinit @{exec_path} { signal (send) set=(term, kill) peer=xorg, signal (send) set=(hup), + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/date rix, + /{usr/,}bin/head rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/tempfile rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, - /{usr/,}bin/ r, - /{usr/,}bin/rm rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/tempfile rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/head rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/id rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/dbus-update-activation-environment rix, - /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpgconf rPx, /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/udevadm rCx -> udevadm, - /{usr/,}bin/xrdb rPx, - /{usr/,}bin/numlockx rPx, - /{usr/,}bin/xhost rPx, - /{usr/,}bin/glxinfo rPx, /{usr/,}bin/flatpak rPUx, + /{usr/,}bin/glxinfo rPx, + /{usr/,}bin/numlockx rPx, + /{usr/,}bin/X rPx, + /{usr/,}bin/xhost rPx, + /{usr/,}bin/Xorg rPx, + /{usr/,}bin/xrdb rPx, # Allowed GUI sessions to start /{usr/,}bin/openbox-session rPx, 
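Review bot: `/{usr/,}bin/gpgconf rPx,` replaces the child-profile transition `rCx -> gpg` (the `profile gpg { … }` block is removed in the last hunk of this file), and with `Px` the exec is denied outright unless a standalone `gpgconf` profile is loaded, so this only works if such a profile exists in the set; `rPUx`, as already used for `/{usr/,}bin/flatpak` in this hunk, would fall back to unconfined instead of failing. `/{usr/,}bin/dbus-update-activation-environment rix,` is also dropped with no replacement; if the system xinitrc or Xsession scripts still call it, that exec will now be denied, so it seems worth keeping as `rix` or moving to a `rPx` rule with its own profile. The remainder of the hunk is a reorder plus the `X`/`Xorg` rules moved up from the next hunk, which looks fine. The enclosing `profile xinit` block continues past the end of this hunk.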
@@ -55,22 +58,18 @@ profile xinit @{exec_path} { /{usr/,}bin/sway rPUx, /{usr/,}bin/ssh-agent rPx, + /etc/X11/{,**} r, + /etc/default/{,*} r, + + owner @{HOME}/ r, + owner @{HOME}/.Xauthority r, + owner @{HOME}/.xserverrc r, + owner @{HOME}/.xsession-errors w, + owner /tmp/file* rw, owner /tmp/tmp.* rw, - /{usr/,}bin/X rPx, - /{usr/,}bin/Xorg rPx, - - /etc/X11/{,**} r, - - /etc/default/{,*} r, - - # Xsession logs - owner @{HOME}/ r, - owner @{HOME}/.xsession-errors w, - - owner @{HOME}/.Xauthority r, - + /dev/tty rw, profile run-parts { include @@ -86,24 +85,6 @@ profile xinit @{exec_path} { } - profile gpg { - include - - /{usr/,}bin/gpgconf mr, - - /{usr/,}bin/gpg-agent rix, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - @{PROC}/@{pid}/fd/ r, - - # file_inherit - owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, - - } - profile udevadm { include
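Review bot: `owner @{HOME}/.xserverrc r,` allows only reading, whereas the system counterpart `/etc/X11/xinit/xserverrc rix,` (previous hunk) may be executed inline; if xinit execs the user's `~/.xserverrc` the same way, as the name suggests, the `r`-only rule produces an exec denial and the server does not start, so `owner @{HOME}/.xserverrc rix,` is presumably the rule wanted -- verify against the denial log. The new `/dev/tty rw,` carries no `owner` qualifier while the deleted gpg child profile used `owner /dev/tty[0-9]* rw,`; whether xinit also needs the VT devices when startx launches it from a console is worth checking before the profile leaves complain-free testing. `owner /tmp/file* rw,` matches the `tempfile` helper allowed in the previous hunk, but the glob is broad, so a comment such as `# tempfile(1) default template` would explain why it is there. The enclosing `profile xinit` block continues after this hunk into the `run-parts` child profile.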