From a5f71675eadd666e6a573d569bccedc21585d386 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 22 Mar 2024 19:45:13 +0000
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/groups/apps/freetube | 95 +++++--------------
 apparmor.d/groups/bus/dbus-session | 2 +-
 apparmor.d/groups/gnome/gnome-initial-setup | 6 ++
 apparmor.d/groups/gnome/gnome-recipes | 2 +
 apparmor.d/groups/gnome/session-migration | 3 +
 apparmor.d/groups/gvfs/gvfsd-http | 2 +-
 apparmor.d/groups/kde/systemsettings | 1 +
 apparmor.d/groups/ubuntu/apport-gtk | 7 +-
 apparmor.d/profiles-a-f/file-roller | 4 +
 apparmor.d/profiles-m-r/popcon-largest-unused | 34 -------
 apparmor.d/profiles-m-r/popularity-contest | 35 +++----
 apparmor.d/profiles-s-z/snapd | 1 -
 apparmor.d/profiles-s-z/x11-xsession | 2 +-
 13 files changed, 58 insertions(+), 136 deletions(-)
 delete mode 100644 apparmor.d/profiles-m-r/popcon-largest-unused

diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube
index 67aab9c4..0ec71b8c 100644
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@@ -7,27 +7,22 @@
 abi ,
 include
-@{FT_LIBDIR} = @{lib}/freetube
-@{FT_LIBDIR} += @{lib}/freetube-vue
-@{FT_LIBDIR} += /opt/FreeTube
-@{FT_LIBDIR} += /opt/FreeTube-Vue
+@{lib_dirs} = @{lib}/freetube @{lib}/freetube-vue
+@{lib_dirs} += /opt/FreeTube /opt/FreeTube-Vue
-@{exec_path} = @{FT_LIBDIR}/freetube{,-vue}
+@{exec_path} = @{lib_dirs}/freetube{,-vue}
 profile freetube @{exec_path} {
 include
+ include
+ include
 include
 include
- include
- include
- include
+ include
 include
- include
- include
- include
+ include
 include
- include
 include
- include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -37,23 +32,30 @@ profile freetube @{exec_path} {
 @{exec_path} mrix,
- @{FT_LIBDIR}/ r,
- @{FT_LIBDIR}/** r,
- @{FT_LIBDIR}/libffmpeg.so mr,
- @{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
- @{FT_LIBDIR}/{swiftshader/,}libEGL.so mr,
- @{FT_LIBDIR}/chrome-sandbox rPx,
+ @{lib_dirs}/ r,
+ @{lib_dirs}/** r,
+ @{lib_dirs}/libffmpeg.so mr,
+ @{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
+ @{lib_dirs}/{swiftshader/,}libEGL.so mr,
+ @{lib_dirs}/chrome-sandbox rPx,
+
+ @{open_path} rPx -> child-open,
+
+ /etc/fstab r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 owner @{HOME}/ r,
 owner @{user_config_dirs}/FreeTube/ rw,
 owner @{user_config_dirs}/FreeTube/** rwk,
+ owner @{run}/user/@{uid}/ r,
+
 # The /proc/ dir is needed to avoid the following error:
 # traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in
 # freetube[56499b8a8000+531e000]
 @{PROC}/ r,
 owner @{PROC}/@{pid}/fd/ r,
- # @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/task/ r,
 @{PROC}/@{pids}/task/@{tid}/status r,
 deny @{PROC}/@{pids}/stat r,
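Review bot: The new `@{open_path} rPx -> child-open,` line hands every xdg-open launch to the shared child-open profile, while the local `open` subprofile it replaces (removed in the following hunk) pinned the reachable targets to firefox, mpv and vlc. child-open's allowed targets are defined outside this file, so the set of programs FreeTube can spawn through xdg-open is now whatever that profile permits; if the narrower set was a deliberate choice, record it, e.g. `@{open_path} rPx -> child-open, # replaces a local subprofile that only allowed firefox/mpv/vlc`. The `@{bin}/xdg-settings rPx,` rule is also dropped in the next hunk with no replacement visible in this patch, so if FreeTube still execs xdg-settings (an Electron default-browser check, presumably) that exec would now be denied — worth confirming in complain mode. The profile body continues past the end of this hunk.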
@@ -67,60 +69,7 @@ profile freetube @{exec_path} {
 deny @{PROC}/vmstat r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
- /etc/fstab r,
-
- owner @{user_share_dirs} r,
-
- deny @{sys}/devices/virtual/tty/tty@{int}/active r,
- deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- # To remove the following error:
- # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
- # The irq file is needed to render pages.
- deny @{sys}/devices/@{pci}/irq r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- owner @{run}/user/@{uid}/ r,
-
- # no new privs
- @{bin}/xdg-settings rPx,
-
- @{bin}/xdg-open rCx -> open,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPx,
- @{bin}/mpv rPx,
- @{bin}/vlc rPx,
-
- # file_inherit owner /dev/tty@{int} rw,
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPx,
- @{bin}/mpv rPx,
- @{bin}/vlc rPx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 567d2c13..90731803 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -26,7 +26,7 @@ profile dbus-session flags=(attach_disconnected) {
 signal (receive) set=(term hup) peer=gdm,
 signal (send) set=(term hup kill) peer=dbus-accessibility,
 signal (send) set=(term hup kill) peer=dconf-service,
- signal (send) set=(term hup kill) peer=xdg-permission-store,
+ signal (send) set=(term hup kill) peer=xdg-*,
 dbus bus=session,
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index 5bafdc61..010f60cf 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
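Review bot: `peer=xdg-*` in the new dbus-session signal rule is a glob over every confined program whose profile name starts with xdg- (the xdg-desktop-portal family and any future xdg-* profile, presumably), where the old line named only xdg-permission-store. Letting the session bus daemon send term/hup/kill to the services it activates is plausible, but the rule no longer says which ones are meant, so the widening is hard to review later; a comment such as `signal (send) set=(term hup kill) peer=xdg-*, # dbus-activated xdg-permission-store and xdg-desktop-portal*` would keep that visible. If only a known set of activated services is intended, listing them explicitly is safer than the glob. The dbus-session profile continues before and after this hunk.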
@@ -14,6 +14,7 @@ profile gnome-initial-setup @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -51,6 +52,9 @@ profile gnome-initial-setup @{exec_path} {
 owner @{GDM_HOME}/greeter-dconf-defaults r,
+ owner @{user_cache_dirs}/ubuntu-report/ w,
+ owner @{user_cache_dirs}/ubuntu-report/pending w,
+
 owner @{user_config_dirs}/gnome-initial-setup-done w,
 owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw,
@@ -59,6 +63,8 @@ profile gnome-initial-setup @{exec_path} {
 owner @{run}/user/@{uid}/avatar.png rw,
+ @{run}/snapd.socket rw,
+
 @{run}/systemd/sessions/@{int} r,
 @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes
index 55db2679..e800410d 100644
--- a/apparmor.d/groups/gnome/gnome-recipes
+++ b/apparmor.d/groups/gnome/gnome-recipes
@@ -15,6 +15,8 @@ profile gnome-recipes @{exec_path} {
 include
 include
+ network inet dgram,
+ network inet6 dgram,
 network inet stream,
 network inet6 stream,
 network netlink raw,
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration
index df75bf64..a9a09890 100644
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@@ -12,6 +12,9 @@ profile session-migration @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} rix,
+ /usr/share/session-migration/scripts/*.sh rix,
+
 /usr/share/session-migration/{,**} r,
 owner @{gdm_share_dirs}/session_migration-* rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index d01df539..2e84552f 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -29,7 +29,7 @@ profile gvfsd-http @{exec_path} {
 interface=org.gtk.vfs.Mountable member=Mount
 peer=(name=:*, label=gvfsd),
- dbus send bus=session path=/org/gtk/gvfs/exec_spaw/0
+ dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
 interface=org.gtk.vfs.Spawner member=Spawned
 peer=(name=:*, label=gvfsd),
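Review bot: `@{run}/snapd.socket rw,` in the third gnome-initial-setup hunk is unowned and carries no comment, and it is the one rule in this patch that opens a privileged local API: a process that can connect to that socket is a full snapd REST client, and what it may then do is decided by snapd's own checks on the peer (presumably its uid) rather than by anything in this profile. A one-line why-comment naming the feature that needs it would help the next reviewer judge the exposure, e.g. `@{run}/snapd.socket rw, # snapd REST API; authorization is done by snapd on the peer`. If the access is Ubuntu-only, the `#aa:only` directive convention visible in the x11-xsession hunk of this patch would let it be dropped on other distributions. The gnome-initial-setup profile continues before and after this hunk.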
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings
index 9cb8e8e9..ad436e52 100644
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@@ -34,6 +34,7 @@ profile systemsettings @{exec_path} {
 /etc/machine-id r,
 /etc/xdg/menus/ r,
 /etc/xdg/ui/ui_standards.rc r,
+ /var/lib/dbus/machine-id r,
 owner @{user_cache_dirs}/#@{int} rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index ebaeb956..89a6cda0 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -100,12 +100,13 @@ profile apport-gtk @{exec_path} {
 @{bin}/iconv rix,
 @{bin}/* r,
- /usr/share/gcc/python/**/__pycache__/{,**} rw,
+ /usr/share/gcc/python/{,**/}__pycache__/{,**} rw,
 /usr/share/gdb/{,**} r,
- /usr/share/themes/{,**} r,
- /usr/share/gnome-shell/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/gnome-shell/{,**} r,
+ /usr/share/terminfo/** r,
+ /usr/share/themes/{,**} r,
 /etc/gdb/{,**} r,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 0c90fe89..80eef854 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -40,5 +40,9 @@ profile file-roller @{exec_path} {
 @{open_path} rPx -> child-open,
+ @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/popcon-largest-unused b/apparmor.d/profiles-m-r/popcon-largest-unused
deleted file mode 100644
index c6550fba..00000000
--- a/apparmor.d/profiles-m-r/popcon-largest-unused
+++ /dev/null
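Review bot: The widened `/usr/share/gcc/python/{,**/}__pycache__/{,**} rw,` in the apport-gtk hunk still lets the profile write compiled bytecode into a package-managed tree under /usr/share, and now at the top level as well as in subdirectories; if apport-gtk ever runs with write access there (as root, say), the cache it leaves behind is what every later gdb session on the host imports. Python treats a failed __pycache__ write as non-fatal, so the `w` is not required for the gcc pretty-printers to load; consider keeping `r` and adding a `deny /usr/share/gcc/python/{,**/}__pycache__/{,**} w,` to silence the audit noise, or at least a comment recording why the write is wanted. The apport-gtk profile continues before and after this hunk.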
@@ -1,34 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/popcon-largest-unused
-profile popcon-largest-unused @{exec_path} {
- include
- include
-
- @{exec_path} r,
- @{bin}/perl r,
-
- @{sh_path} rix,
- @{bin}/{,e}grep rix,
- @{bin}/sort rix,
- @{bin}/cut rix,
- @{bin}/xargs rix,
-
- @{bin}/apt-cache rPx,
-
- /var/log/popularity-contest r,
-
- owner @{PROC}/@{pid}/fd/ r,
-
- # For shell pwd
- /root/ r,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest
index 31462ce1..5035c872 100644
--- a/apparmor.d/profiles-m-r/popularity-contest
+++ b/apparmor.d/profiles-m-r/popularity-contest
@@ -13,14 +13,12 @@ profile popularity-contest @{exec_path} {
 include
 include
- # For popularity-contest --su-nobody
- capability setuid,
- capability setgid,
-
- capability sys_ptrace,
- ptrace (read),
- capability dac_read_search,
+ capability setgid,
+ capability setuid, # For popularity-contest --su-nobody
+ capability sys_ptrace,
+
+ ptrace (read),
 @{exec_path} r,
 @{bin}/perl r,
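Review bot: The re-added `ptrace (read),` in the popularity-contest hunk has no `peer=` qualifier, so together with `capability sys_ptrace,` it satisfies the ptrace read-mode check against any peer on the system, not just the `--su-nobody` child the neighbouring comment refers to; if a narrower target is known, a `peer=` (or a `deny` that records the decision) would limit it. The hunk also drops `capability dac_read_search` with no explanation while keeping sys_ptrace, so a short why-comment on the kept rule, e.g. `capability sys_ptrace, # /proc access to processes of other users`, would make the remaining capability set self-explanatory — hedged, since what popularity-contest reads from /proc is not visible in this hunk. The profile continues after this hunk.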
@@ -32,31 +30,24 @@ profile popularity-contest @{exec_path} {
 # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
 # shared object file): ignored.
 @{bin}/dpkg-query rpx,
- # @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/dpkg-divert rPx -> child-dpkg-divert,
- # For shell pwd
- /root/ r,
-
 /etc/popularity-contest.conf r,
- /etc/dpkg/origins/debian r,
- /etc/shadow r,
- /var/lib/dpkg/info/{,*.list} r,
-
- @{PROC}/ r,
-
- /var/log/ r,
- /var/log/popularity-contest.new w,
+ /root/ r, # For shell pwd
 /var/lib/ r,
-
- # file_inherit
- /tmp/#@{int} rw,
+ /var/lib/dpkg/info/{,*.list} r,
+ /var/log/ r,
 /var/log/popularity-contest.[0-9]* w,
+ /var/log/popularity-contest.new w,
+
+ owner /tmp/#@{int} rw,
+
+ @{PROC}/ r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index e747a45d..4d30cccd 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -146,7 +146,6 @@ profile snapd @{exec_path} {
 @{run}/user/@{uid}/snapd-session-agent.socket rw,
 @{run}/user/snap.*/{,**} rw,
- @{run}/mnt/ubuntu-seed/EFI/ubuntu/grubenv r, # only:core
 @{run}/snapd*.socket rw,
 @{run}/snapd/{,**} rw,
 @{run}/snapd/lock/*.lock rwk,
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession
index ea9d7aa5..d93d9c6e 100644
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
@@ -56,7 +56,7 @@ profile x11-xsession @{exec_path} {
 @{bin}/sway rPUx,
 @{bin}/ssh-agent rPx,
- @{bin}/sudo rPx, # only: whonix
+ @{bin}/sudo rPx, #aa:only whonix
 @{lib}/*/*.sh r,
 /etc/default/{,*} r,