feat(profiles): general update.

2024-11-14 23:43:56 +01:00 · 2023-02-05 00:03:20 +00:00 · 2023-02-05 00:03:20 +00:00 · a402200dbe
commit a402200dbe
parent 53d1b7a3fd
11 changed files with 31 additions and 32 deletions
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@ -17,34 +17,26 @@ profile ssh-agent @{exec_path} {

  @{exec_path} mr,

-  owner /tmp/ssh-*/ rw,
-  owner /tmp/ssh-*/agent.* rw,
-
-  # When SSH agent is not used with GPG
+  /{usr/,}bin/enlightenment_start  rPUx,
+  /{usr/,}bin/gpg-agent             rPx,
+  /{usr/,}bin/kwalletaskpass       rPUx,
  /{usr/,}bin/openbox-session       rPx,
  /{usr/,}bin/startkde             rPUx,
  /{usr/,}bin/sway                 rPUx,
-  /{usr/,}bin/enlightenment_start  rPUx,

-  # SSH keys
  owner @{HOME}/@{XDG_SSH_DIR}/ rw,
  owner @{HOME}/@{XDG_SSH_DIR}/* r,
+  owner @{HOME}/.xsession-errors w,
  owner @{user_projects_dirs}/**/ssh/{,*} r,

-  # When started via systemd
+  owner /tmp/ssh-*/ rw,
+  owner /tmp/ssh-*/agent.* rw,
+
  @{run}/user/@{uid}/openssh_agent rw,
-
-  # askpass apps
-  #/{usr/,}lib/ssh/x11-ssh-askpass rPUx,
-  #/{usr/,}bin/ksshaskpass         rPUx,
-  /{usr/,}bin/kwalletaskpass       rPUx,
-
-  # file_inherit
-  owner /dev/tty[0-9]* rw,
-  owner @{HOME}/.xsession-errors w,
-
  @{run}/user/@{uid}/keyring/.ssh rw,
  @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,

+  owner /dev/tty[0-9]* rw,
+
  include if exists <local/ssh-agent>
 }
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -84,28 +84,28 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,

-  owner @{run}/sshd{,.init}.pid wl,
+        @{run}/faillock/[a-zA-z0-9]* rwk,
        @{run}/motd.d/{,*} r,
        @{run}/motd.dynamic rw,
        @{run}/motd.dynamic.new rw,
        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/notify w,
        @{run}/systemd/sessions/*.ref rw,
-        @{run}/faillock/[a-zA-z0-9]* rwk,
+  owner @{run}/sshd{,.init}.pid wl,

  @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
  @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw,

+        @{PROC}/@{pids}/fd/ r,
+        @{PROC}/1/environ r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/ngroups_max r,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_adj rw,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  owner @{PROC}/@{pid}/uid_map r,
-        @{PROC}/@{pids}/fd/ r,
-        @{PROC}/1/environ r,
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/ngroups_max r,

  /dev/ptmx rw,

--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -21,12 +21,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  @{run}/binfmt.d/{,*.conf} r,
  /usr/lib/binfmt.d/{,*.conf} r,

-  owner @{PROC}/@{pid}/stat r,
        @{PROC}/1/environ r,
        @{PROC}/cmdline r,
-        @{PROC}/sys/fs/binfmt_misc/status w,
        @{PROC}/sys/fs/binfmt_misc/register w,
+        @{PROC}/sys/fs/binfmt_misc/status w,
        @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pid}/stat r,

  deny /apparmor/.null rw,

--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -50,10 +50,10 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/resolved.conf r,
  /etc/systemd/resolved.conf.d/{,*} r,

-  owner @{run}/systemd/journal/socket w,
        @{run}/systemd/netif/links/* r,
        @{run}/systemd/notify rw,
        @{run}/systemd/resolve/{,**} rw,
+  owner @{run}/systemd/journal/socket w,

  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -30,7 +30,7 @@ profile apport-gtk @{exec_path} {

  @{exec_path} mr,

-  @{libexec}/colord-sane            rPx,
+  @{libexec}/{,colord/}colord-sane  rPx,
  /{usr/,}{s,}bin/killall5          rix,
  /{usr/,}bin/{,ba,da}sh            rix,
  /{usr/,}bin/{f,}grep              rix,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -78,6 +78,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  signal (send) peer=dnsmasq,
  signal (send) set=(kill, term) peer=virtiofsd,
  signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,
+  signal (send) set=(term) peer=swtpm,

  unix (send, receive) type=stream addr=none peer=(label=libvirt-@{uuid}),
  unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -210,6 +210,7 @@ profile steam @{exec_path} {
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/status r,

+  /dev/hidraw[0-9]* rw,
  /dev/input/ r,
  /dev/input/event[0-9]* r,
  /dev/tty rw,
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -94,10 +94,12 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {

  @{user_share_dirs}/Steam/bin/ r,
  @{user_share_dirs}/Steam/bin/* mr,
+  @{user_share_dirs}/Steam/d3ddriverquery64.dxvk-cache rw,
  @{user_share_dirs}/Steam/legacycompat/ r,
  @{user_share_dirs}/Steam/legacycompat/** mr,
  @{user_share_dirs}/Steam/linux{32,64}/ r,
  @{user_share_dirs}/Steam/linux{32,64}/**.so* mr,
+  @{user_share_dirs}/Steam/standalone_installscript_progress_[0-9]*.vdf rw,
  @{user_share_dirs}/Steam/steamapps/common/*/* mr,
  @{user_share_dirs}/Steam/steamapps/common/Proton*/ r,
  @{user_share_dirs}/Steam/steamapps/common/Proton*/files/bin/*  mrix,
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@ -36,7 +36,7 @@ profile steam-gameoverlayui @{exec_path} {
  owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
  owner @{user_share_dirs}/Steam/public/* rk,
  owner @{user_share_dirs}/Steam/resource/{,**} rk,
-  owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rw,
+  owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rwl,
  owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -64,18 +64,19 @@ profile sudo @{exec_path} {

        /var/db/sudo/lectured/ r,
        /var/lib/sudo/lectured/ r,
+        /var/lib/sudo/ts/ rw,
+        /var/lib/sudo/ts/* rwk,
        /var/log/sudo.log wk,
  owner /var/lib/sudo/lectured/* rw,

  owner @{HOME}/.sudo_as_admin_successful rw,
  owner @{HOME}/.xsession-errors w,

-  # For timestampdir
+        @{run}/faillock/{,*} rwk,
+        @{run}/resolvconf/resolv.conf r,
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,
  owner @{run}/sudo/ts/* rwk,
-        @{run}/faillock/{,*} rwk,
-        @{run}/resolvconf/resolv.conf r,

  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/fd/ r,
@ -83,9 +84,9 @@ profile sudo @{exec_path} {
  @{PROC}/1/limits r,
  @{PROC}/sys/kernel/seccomp/actions_avail r,

-  owner /dev/tty[0-9]* rw,
        /dev/ r,    # interactive login
        /dev/ptmx rw,
+  owner /dev/tty[0-9]* rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,

--- a/apparmor.d/profiles-s-z/swtpm
+++ b/apparmor.d/profiles-s-z/swtpm
@ -11,6 +11,8 @@ profile swtpm @{exec_path} {
  include <abstractions/base>
  include <abstractions/openssl>

+  signal (receive) set=(term) peer=libvirtd,
+
  @{exec_path} mr,

  /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,