feat(profile): general update.

2025-01-18 00:48:10 +01:00 · 2023-12-13 20:09:52 +00:00 · 2023-12-13 20:09:52 +00:00 · a1b86b56d2
commit a1b86b56d2
parent ecb7f2e79f
31 changed files with 75 additions and 131 deletions
--- a/apparmor.d/abstractions/apt-common
+++ b/apparmor.d/abstractions/apt-common
@ -4,6 +4,9 @@
  abi <abi/3.0>,
  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,
  /etc/apt/apt.conf r,
  /etc/apt/apt.conf.d/{,*} r,
@ -20,9 +23,6 @@
  /var/cache/apt/pkgcache.bin r,
  /var/cache/apt/srcpkgcache.bin r,
  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,
  /var/lib/dpkg/status r,
  /var/lib/ubuntu-advantage/apt-esm/{,**} r,
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@ -0,0 +1,10 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  dbus send bus=system path=/org/freedesktop/network1
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name=org.freedesktop.network1, label=systemd-networkd),
  include if exists <abstractions/bus/org.freedesktop.network1.d>
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -40,6 +40,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/user-read>
  include <abstractions/vulkan>
 #   userns,
  capability sys_admin, # If kernel.unprivileged_userns_clone = 1
  capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
  capability sys_ptrace,
--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@ -12,15 +12,10 @@ profile dconf-editor @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/gnome-strict>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/{,*} r,
  /usr/share/X11/xkb/{,**} r,
  # When GSETTINGS_BACKEND=keyfile
  owner @{user_config_dirs}/glib-2.0/ rw,
  owner @{user_config_dirs}/glib-2.0/settings/ rw,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -35,7 +35,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
       member=Introspect
       peer=(name=:*, label=gnome-shell),
-  @{exec_path} mr,
+  @{exec_path} mrix,
  @{bin}/pactl                   rix,
  @{bin}/pipewire-media-session  rPx,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -85,6 +85,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  @{run}/lightdm/{,**} rw,
        /tmp/ r,
        /tmp/server-[0-9].xkm rw,
  owner /tmp/.tX[0-9]-lock rwk,
  owner /tmp/.X[0-9]-lock rwkl -> /tmp/.tX[0-9]-lock,
  owner /tmp/server-* rwk,
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -36,10 +36,6 @@ profile evolution-alarm-notify @{exec_path} {
  /usr/share/evolution-data-server/{,**} r,
  /usr/share/{,zoneinfo-}icu/{,**} r,
  # freedesktop.org-strict
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/*ubuntu/applications/ r,
  /etc/timezone r,
  include if exists <local/evolution-alarm-notify>
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -15,33 +15,21 @@ profile gnome-control-center-print-renderer @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
+  include <abstractions/gnome-strict>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/vulkan>
  include <abstractions/wayland>
  @{exec_path} mr,
  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icons/{,**} r,
  /usr/share/libdrm/*.ids r,
  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/{,**} r,
  /usr/share/X11/xkb/** r,
  /var/lib/flatpak/exports/share/icons/{,**} r,
  /var/lib/flatpak/exports/share/mime/mime.cache r,
  /var/lib/snapd/desktop/icons/{,**} r,
  owner @{user_share_dirs}/icons/{,**} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter/applications/*.desktop r,
  /usr/share/gvfs/remote-volume-monitors/{,*} r,
  /usr/share/hwdata/*.ids r,
  /usr/share/ladspa/rdf/{,**} r,
  /usr/share/osinfo/{,**} r,
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@ -24,6 +24,7 @@ profile gvfsd-dav @{exec_path} {
  network netlink raw,
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/mime/mime.cache r,
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@ -13,6 +13,8 @@ profile gvfsd-network @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int},
  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
       interface=org.gtk.vfs.Spawner
       member=Spawned
@ -38,9 +40,6 @@ profile gvfsd-network @{exec_path} {
       member=GetConnection
       peer=(name=:*, label=gnome-control-center),
  dbus bind bus=session
       name=org.gtk.vfs.mountpoint_[0-9]*,
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -11,6 +11,7 @@ include <tunables/global>
 profile networkctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.network1>
  capability net_admin,
  capability sys_module,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -72,6 +72,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  / r,
  /boot/{,**} r,
  /efi/{,**} r,
  /swap/swapfile r,
  /swapfile r,
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@ -14,13 +14,11 @@ profile check-new-release-gtk @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/dconf-write>
-  include <abstractions/fonts>
+  include <abstractions/gnome-strict>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  include <abstractions/wayland>
  network inet dgram,
  network inet6 dgram,
@ -35,12 +33,8 @@ profile check-new-release-gtk @{exec_path} {
  @{bin}/lsb_release  rPx -> lsb_release,
  /usr/share/distro-info/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icons/{,**} r,
  /usr/share/themes/{,**} r,
  /usr/share/ubuntu-release-upgrader/{,**} r,
  /usr/share/update-manager/{,**} r,
  /usr/share/X11/xkb/{,**} r,
  /usr/share/dconf/profile/gdm r,
  /etc/update-manager/{,**} r,
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -59,6 +59,7 @@ profile cockpit-bridge @{exec_path} {
  @{sys}/class/hwmon/ r,
  @{sys}/devices/**/hwmon@{int}/ r,
  @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
  @{sys}/fs/cgroup/ r,
  @{sys}/fs/cgroup/**/ r,
  @{sys}/fs/cgroup/**/cpu.{stat,weight} r,
  @{sys}/fs/cgroup/**/memory* r,
--- a/apparmor.d/groups/virt/cockpit-pcp
+++ b/apparmor.d/groups/virt/cockpit-pcp
@ -27,16 +27,17 @@ profile cockpit-pcp @{exec_path} {
  /var/lib/pcp/{,**} rw,
  /var/log/pcp/pmlogger/ r,
  /var/log/pcp/pmlogger/** r,
  @{sys}/fs/cgroup/{,**/} r,
  @{sys}/fs/cgroup/**/{memory,cpu}* r,
  @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
  @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
        @{PROC}/@{pid}/net/dev r,
        @{PROC}/diskstats r,
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/@{pid}/net/dev r,
  include if exists <local/cockpit-pcp>
 }
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -32,9 +32,8 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,
-  mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/,
+  mount /var/lib/docker/overlay2/**/,
  mount options=(rw, bind) -> /run/docker/netns/*,
  mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
  mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
  mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
  mount options=(rw, rslave) -> /,
--- a/apparmor.d/profiles-a-f/amixer
+++ b/apparmor.d/profiles-a-f/amixer
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -15,9 +16,11 @@ profile amixer @{exec_path} {
  @{exec_path} mr,
  /usr/share/pipewire/client.conf r,
  /usr/share/pipewire/client-rt.conf r,
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
  /etc/pipewire/client-rt.conf.d/{,*} r,
  /var/lib/dbus/machine-id r,
  owner @{HOME}/.Xauthority r,
@ -25,7 +28,6 @@ profile amixer @{exec_path} {
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  # file_inherit
  owner /dev/tty@{int} rw,
  include if exists <local/amixer>
--- a/apparmor.d/profiles-g-l/haveged
+++ b/apparmor.d/profiles-g-l/haveged
@ -1,32 +1,31 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2009-2012 Steve Kostecke <steve@debian.org>;
-#               2011-2014 Jérémy Bobbio <lunar@debian.org>;
+# Copyright (C) 2011-2014 Jérémy Bobbio <lunar@debian.org>;
-#               2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
+# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-3.0-only
 # Version of program profiled: 1.9.14
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/haveged
 profile haveged @{exec_path} {
  include <abstractions/base>
  # Required for ioctl RNDADDENTROPY
  capability sys_admin,
  owner @{PROC}/@{pid}/status r,
  @{exec_path} mr,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/random/poolsize r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  /dev/random w,
  @{sys}/devices/system/cpu/cpu@{int}/cache/ r,
  @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/kernel/random/poolsize r,
        @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  owner @{PROC}/@{pid}/status r,
  /dev/random w,
  include if exists <local/haveged>
 }
--- a/apparmor.d/profiles-g-l/id
+++ b/apparmor.d/profiles-g-l/id
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
--- a/apparmor.d/profiles-g-l/ifconfig
+++ b/apparmor.d/profiles-g-l/ifconfig
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -12,23 +13,20 @@ profile ifconfig @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  # To be able to manage network interfaces.
  capability net_admin,
-
+  capability sys_module,
  # Needed?
  audit deny capability sys_module,
  network inet dgram,
  network inet6 dgram,
  @{exec_path} mr,
-  @{PROC}/net/dev r,
+  /etc/networks r,
-  @{PROC}/net/if_inet6 r,
+
  @{PROC}/@{pid}/net/dev r,
  @{PROC}/@{pid}/net/if_inet6 r,
-
+  @{PROC}/net/dev r,
-  /etc/networks r,
+  @{PROC}/net/if_inet6 r,
  include if exists <local/ifconfig>
 }
--- a/apparmor.d/profiles-g-l/initd-kmod
+++ b/apparmor.d/profiles-g-l/initd-kmod
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -27,7 +28,6 @@ profile initd-kmod @{exec_path} {
  /etc/modules-load.d/*.conf r,
  /etc/modules r,
  profile run-parts {
    include <abstractions/base>
@ -35,6 +35,7 @@ profile initd-kmod @{exec_path} {
    /etc/modules-load.d/ r,
    include if exists <local/initd-kmod_run-parts>
  }
  profile systemctl {
@ -54,6 +55,7 @@ profile initd-kmod @{exec_path} {
    owner @{run}/systemd/ask-password/ rw,
    owner @{run}/systemd/ask-password-block/* rw,
    include if exists <local/initd-kmod_systemctl>
  }
  include if exists <local/initd-kmod>
--- a/apparmor.d/profiles-g-l/jitterentropy-rngd
+++ b/apparmor.d/profiles-g-l/jitterentropy-rngd
@ -15,7 +15,10 @@ profile jitterentropy-rngd @{exec_path} {
  @{exec_path} mr,
  @{PROC}/sys/kernel/random/entropy_avail r,
  @{PROC}/sys/kernel/random/poolsize r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold r,
  /dev/random w,
  include if exists <local/jitterentropy-rngd>
 }
--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@ -27,6 +27,7 @@ profile keepassxc-proxy @{exec_path} {
  owner @{run}/user/@{pid}/app/ w,
  owner @{run}/user/@{pid}/org.keepassxc.KeePassXC.BrowserServer rw,
  owner @{run}/user/@{pid}/org.keepassxc.KeePassXC/ rw,
  owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/ rw,
  # file_inherit
  deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -46,8 +46,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
  @{bin}/mysqladmin                        rPUx,
  @{bin}/systemd-tty-ask-password-agent    rPx,
  @{lib}/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
-  /etc/init.d/nginx                             rPUx,
+  /etc/init.d/nginx                        rPUx,
-  @{bin}/squid                         rPUx,
+  @{bin}/squid                             rPUx,
  @{bin}/pgrep rCx -> pgrep,
--- a/apparmor.d/profiles-m-r/mate-notification-daemon
+++ b/apparmor.d/profiles-m-r/mate-notification-daemon
@ -15,8 +15,6 @@ profile mate-notification-daemon @{exec_path} {
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  owner @{HOME}/.Xauthority r,
  include if exists <local/mate-notification-daemon>
--- a/apparmor.d/profiles-m-r/nvidia-settings
+++ b/apparmor.d/profiles-m-r/nvidia-settings
@ -11,15 +11,12 @@ profile nvidia-settings @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/opencl-nvidia>
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icons/{,**} r,
  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/{,**} r,
  /usr/share/X11/xkb/{,**} r,
  include if exists <local/nvidia-settings>
 }
--- a/apparmor.d/profiles-m-r/polipo
+++ b/apparmor.d/profiles-m-r/polipo
@ -1,28 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/polipo
 profile polipo @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/polipo/* r,
  owner /var/log/polipo/ r,
  owner /var/log/polipo/polipo.log w,
  # Cache dir
  owner /var/cache/polipo/{,*} rw,
  owner @{HOME}/.polipo-cache/{,*} rw,
  # Nameservice
  @{etc_rw}/resolv.conf r,
  include if exists <local/polipo>
 }
--- a/apparmor.d/profiles-s-z/sulogin
+++ b/apparmor.d/profiles-s-z/sulogin
@ -15,14 +15,16 @@ profile sulogin @{exec_path} {
  @{exec_path} mr,
-  @{bin}/{,ba,da}sh  rux,
+  # The shell is not confined on purpose.
  @{bin}/{,b,d,rb}ash         rUx,
  @{bin}/{c,k,tc,z}sh         rUx,
  /etc/shadow r,
  @{PROC}/consoles r,
  /dev/ r,
  /dev/tty@{int} rw,
  @{PROC}/consoles r,
  include if exists <local/sulogin>
 }
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@ -21,7 +21,7 @@ profile syncthing @{exec_path} {
  @{exec_path} mrix,
-  @{bin}/xdg-open  rCx -> open,
+  @{bin}/xdg-open  rPx -> child-open,
  @{bin}/ip        rix,
  /usr/share/mime/{,*} r,
@ -41,27 +41,5 @@ profile syncthing @{exec_path} {
  @{PROC}/sys/net/core/somaxconn r,
  @{PROC}/@{pids}/net/route r,
  profile open {
    include <abstractions/base>
    include <abstractions/xdg-open>
    @{bin}/xdg-open mr,
    @{bin}/{,ba,da}sh      rix,
    @{bin}/{m,g,}awk       rix,
    @{bin}/readlink        rix,
    @{bin}/basename        rix,
    owner @{HOME}/ r,
    owner @{run}/user/@{uid}/ r,
    # Allowed apps to open
    @{bin}/firefox          rPx,
    @{lib}/firefox/firefox  rPx,
    # file_inherit
    owner @{HOME}/.xsession-errors w,
  }
  include if exists <local/syncthing>
 }
--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/profiles-s-z/w
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -23,12 +23,15 @@ profile w @{exec_path} {
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
  @{run}/systemd/sessions/ r,
  @{run}/systemd/sessions/@{int} r,
  @{PROC}/ r,
  @{PROC}/uptime r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/loadavg r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/loadavg r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/uptime r,
  include if exists <local/w>
 }