From d8da3147c9278ca8f398aea42c526fd84fd2f9b5 Mon Sep 17 00:00:00 2001
From: Roman Beslik
Date: Sun, 27 Oct 2024 03:35:19 +0300
Subject: [PATCH 1/9] /boot/EFI
---
 apparmor.d/groups/pacman/mkinitcpio | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index a9902e54..dcf5b10f 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -83,9 +83,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 # Manage /boot
 / r,
- /boot/ r,
- /boot/initramfs-*.img* rw,
- /boot/vmlinuz-* r,
+ /{boot,efi}/ r,
+ /{boot,efi}/EFI/{,**} rw,
+ /{boot,efi}/initramfs-*.img* rw,
+ /{boot,efi}/vmlinuz-* r,
 /usr/share/systemd/bootctl/** r,
From ce4a17870655064374fa2b9c4b7dd6c2ad081e8e Mon Sep 17 00:00:00 2001
From: odomingao
Date: Sat, 26 Oct 2024 10:53:20 -0300
Subject: [PATCH 2/9] Update hyprland
---
 apparmor.d/groups/hyprland/hyprland | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
index 3a25c0a5..68356741 100644
--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -25,7 +25,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /usr/share/hyprland/{,*} r,
+ /usr/share/hypr{,land}/{,*} r,
 /usr/share/libinput/{,*} r,
 owner @{user_cache_dirs}/hyprland/{,**} rw,
From 0a8727e83704e230a47cad05226d080505a18e13 Mon Sep 17 00:00:00 2001
From: EricLin0509
Date: Fri, 25 Oct 2024 10:51:36 +0800
Subject: [PATCH 3/9] Fix gnome-boxes couldn't found VM that previously created
---
 apparmor.d/groups/gnome/gnome-boxes | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
index 0a5abe0a..41ebab65 100644
--- a/apparmor.d/groups/gnome/gnome-boxes
+++ b/apparmor.d/groups/gnome/gnome-boxes
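Review bot: `/{boot,efi}/EFI/{,**} rw,` grants write access to the entire ESP tree, which includes the installed bootloader binaries and any Secure Boot material kept there, far wider than the images mkinitcpio itself produces. If the rule exists for UKI output, the narrower form is probably `/{boot,efi}/EFI/Linux/*.efi rw,` (check it against the `default_uki`/`fallback_uki` paths in the presets); otherwise a comment naming the path that needed the write would make the grant auditable. The enclosing mkinitcpio profile continues outside the hunk.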
@@ -58,6 +58,7 @@ profile gnome-boxes @{exec_path} {
 owner @{tmp}/*.iso-@{rand6} rw,
 owner @{tmp}/*.svg-@{rand6} rw,
+ owner @{run}/user/@{uid}/libvirt/ rw,
 owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
 @{run}/mount/utab r,
From eef7e080f68047b9149fef31c61e07c1df9f9804 Mon Sep 17 00:00:00 2001
From: EricLin0509
Date: Sun, 27 Oct 2024 23:38:08 +0800
Subject: [PATCH 4/9] Initial support for Xray and V2ray
---
 apparmor.d/profiles-s-z/v2ray | 32 ++++++++++++++++++++++++++++++++
 apparmor.d/profiles-s-z/xray | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/v2ray
 create mode 100644 apparmor.d/profiles-s-z/xray
diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray
new file mode 100644
index 00000000..fd36a9d7
--- /dev/null
+++ b/apparmor.d/profiles-s-z/v2ray
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/v2ray
+profile v2ray @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet raw,
+ network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/v2ray/ r,
+ /etc/v2ray/**.json r,
+ /usr/share/v2ray/**.dat r,
+
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray
new file mode 100644
index 00000000..c6f8135a
--- /dev/null
+++ b/apparmor.d/profiles-s-z/xray
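Review bot: The network rules of the new v2ray profile allow `network inet6 dgram,` and `network inet6 raw,` but there is no `network inet6 stream,`, so TCP over IPv6 will be denied while IPv4 TCP is permitted; the xray profile added by this same commit has the identical gap. The `network inet raw,` and `network inet6 raw,` rules also grant raw sockets without a matching `capability net_raw,`, so as written they cannot be exercised and should either be dropped or justified with a comment stating which feature needs them. Suggest adding `network inet6 stream,` next to `network inet6 dgram,` in both profiles.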
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xray
+profile xray @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet raw,
+ network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/xray/ r,
+ /etc/xray/**.json r,
+ /usr/share/xray/**.dat r,
+
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
\ No newline at end of file
From 664b23677ee0b21616c001c59a3f224fcd80da7d Mon Sep 17 00:00:00 2001
From: EricLin0509
Date: Sun, 27 Oct 2024 23:45:43 +0800
Subject: [PATCH 5/9] Fix build error
---
 apparmor.d/profiles-s-z/v2ray | 2 +-
 apparmor.d/profiles-s-z/xray | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray
index fd36a9d7..b62cc59d 100644
--- a/apparmor.d/profiles-s-z/v2ray
+++ b/apparmor.d/profiles-s-z/v2ray
@@ -29,4 +29,4 @@ profile v2ray @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
-# vim:syntax=apparmor
\ No newline at end of file
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray
index c6f8135a..39f32179 100644
--- a/apparmor.d/profiles-s-z/xray
+++ b/apparmor.d/profiles-s-z/xray
@@ -29,4 +29,4 @@ profile xray @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
-# vim:syntax=apparmor
\ No newline at end of file
+# vim:syntax=apparmor
From be759e7c7c74da1a2daead1a23cdd39d7a69d6db Mon Sep 17 00:00:00 2001
From: EricLin0509
Date: Mon, 28 Oct 2024 00:42:21 +0800
Subject: [PATCH 6/9] Apply suggestion
---
 apparmor.d/profiles-s-z/v2ray | 3 +--
 apparmor.d/profiles-s-z/xray | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray
index b62cc59d..5a923835 100644
--- a/apparmor.d/profiles-s-z/v2ray
+++ b/apparmor.d/profiles-s-z/v2ray
@@ -20,8 +20,7 @@ profile v2ray @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /etc/v2ray/ r,
- /etc/v2ray/**.json r,
+ /etc/v2ray/{,*} r,
 /usr/share/v2ray/**.dat r,
 @{PROC}/sys/net/core/somaxconn r,
diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray
index 39f32179..7e86ada2 100644
--- a/apparmor.d/profiles-s-z/xray
+++ b/apparmor.d/profiles-s-z/xray
@@ -20,8 +20,7 @@ profile xray @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /etc/xray/ r,
- /etc/xray/**.json r,
+ /etc/xray/{,*} r,
 /usr/share/xray/**.dat r,
 @{PROC}/sys/net/core/somaxconn r,
From 6f586f1f46376f15c806e9d3f15066d1c97265d5 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Mon, 28 Oct 2024 15:39:41 +0100
Subject: [PATCH 7/9] Add lxqt-session, enable start in sddm (#580)
---
 .../groups/kde/kscreen_backend_launcher | 1 +
 apparmor.d/groups/kde/sddm | 2 +
 apparmor.d/groups/lxqt/lxqt-session | 98 +++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-session
diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher
index 5e09b0cb..d4b547c7 100644
--- a/apparmor.d/groups/kde/kscreen_backend_launcher
+++ b/apparmor.d/groups/kde/kscreen_backend_launcher
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher
 profile kscreen_backend_launcher @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 5e024adf..d8adff56 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -40,6 +40,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 ptrace (trace) peer=@{profile_name},
 signal (receive) set=(hup) peer=@{p_systemd},
+ signal (send) set=(kill, term) peer=lxqt-session,
 signal (send) set=(kill, term) peer=startplasma,
 signal (send) set=(kill, term) peer=xorg,
 signal (send) set=(kill, term) peer=xsetroot,
@@ -94,6 +95,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/kwalletd{5,6} rPx,
 @{bin}/kwin_wayland rPx,
 @{bin}/sddm-greeter{,-qt6} rPx,
+ @{bin}/startlxqt rPx,
 @{bin}/startplasma-wayland rPx,
 @{bin}/startplasma-x11 rPx,
 @{bin}/sway rPUx,
diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session
new file mode 100644
index 00000000..3a4a6cd6
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-session
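Review bot: `@{bin}/startlxqt rPx,` transitions into a `startlxqt` profile that this commit does not add (the diffstat lists only kscreen_backend_launcher, sddm and lxqt-session), and the new lxqt-session profile likewise refers to `peer=startlxqt`; unless that profile already exists in the tree, the exec will be denied and the LXQt session will not start. If it is missing, it should be added in the same change rather than falling back to `rPUx` as the neighbouring `@{bin}/sway rPUx,` does, since the latter drops the session into unconfined. The enclosing sddm profile continues outside both hunks.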
@@ -0,0 +1,98 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-session
+profile lxqt-session @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ signal (send),
+ signal (receive) set=(kill, term) peer=startlxqt,
+ signal (receive) set=(kill, term) peer=sddm,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/sed rix,
+ @{bin}/readlink rix,
+ @{bin}/dirname rix,
+ @{bin}/system-config-printer-applet rPx,
+ @{bin}/dbus-update-activation-environment rCx -> dbus,
+ @{bin}/systemctl rCx -> systemctl,
+
+ @{bin}/pavucontrol rPx,
+ @{lib}/geoclue-2.0/demos/agent rPx,
+ @{bin}/nm-connection-editor rPx,
+ @{bin}/nm-applet rPx,
+ @{bin}/openbox rix,
+ @{bin}/dconf-editor rPx,
+ @{bin}/setxkbmap rix,
+ @{bin}/start-pulseaudio-x11 rPx,
+ @{bin}/xrdb rPx,
+ @{bin}/xdg-user-dirs-update rPx,
+
+ /usr/share/ r,
+ /usr/share/mime/ r,
+ /usr/share/cursors/ r,
+ /usr/share/backintime/common/* r,
+ /usr/share/desktop-directories/* r,
+ /usr/share/system-config-printer/* r,
+
+ /etc/xdg/ r,
+ /etc/xdg/autostart/ r,
+ /etc/xdg/autostart/*.desktop r,
+ /etc/xdg/menus/lxqt-* r,
+ /etc/xdg/openbox/* r,
+ /etc/udev/udev.conf r,
+
+ owner @{user_config_dirs}/autostart/ r,
+ owner @{user_config_dirs}/autostart/*.desktop r,
+ owner @{user_cache_dirs}/openbox/ rw,
+ owner @{user_cache_dirs}/openbox/sessions/ rw,
+ owner @{user_cache_dirs}/openbox/openbox.log rwk,
+ owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
+ owner @{user_config_dirs}/openbox/rc.xml r,
+
+ @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
+ @{PROC}/ r,
+ @{PROC}/uptime r,
+ @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/stat r,
+
+ /dev/tty rw,
+
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+ profile dbus {
+ include
+ include
+
+ @{bin}/dbus-update-activation-environment mr,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 1dc8714cb2efbd0f4272afd4da8b749f9fd1daeb Mon Sep 17 00:00:00 2001
From: valoq
Date: Mon, 28 Oct 2024 15:41:41 +0100
Subject: [PATCH 8/9] various improvements (#590)
---
 apparmor.d/abstractions/app/editor | 2 +-
 apparmor.d/abstractions/app/firefox | 2 +-
 apparmor.d/abstractions/audio-client | 3 +++
 apparmor.d/groups/gpg/scdaemon | 1 +
 apparmor.d/profiles-m-r/mutt | 6 +++++-
 apparmor.d/profiles-m-r/ouch | 1 +
 apparmor.d/profiles-m-r/pinentry-curses | 2 ++
 .../profiles-m-r/{pinentry-gtk-2 => pinentry-gtk} | 11 +++++++----
 apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox | 4 ++++
 apparmor.d/profiles-s-z/w3m | 2 +-
 10 files changed, 26 insertions(+), 8 deletions(-)
 rename apparmor.d/profiles-m-r/{pinentry-gtk-2 => pinentry-gtk} (70%)
diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor
index 1d501eb9..3992fb7b 100644
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -12,7 +12,7 @@
 @{sh_path} rix,
 @{bin}/nvim mix,
 @{bin}/sensible-editor mr,
- @{bin}/vim{,.*} mix,
+ @{bin}/vim{,.*} mrix,
 @{bin}/which{,.debianutils} ix,
 /usr/share/nvim/{,**} r,
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 2a2f612b..c749bf25 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -92,7 +92,7 @@
 owner @{cache_dirs}/ rw,
 owner @{cache_dirs}/** rwk,
- /tmp/ r,
+ /tmp/ rw,
 /var/tmp/ r,
 owner @{tmp}/@{name}/ rw,
 owner @{tmp}/@{name}/* rwk,
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client
index d847c732..166229a0 100644
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
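Review bot: `signal (send),` and `ptrace (read),` in the new lxqt-session profile are unscoped, so the session manager may signal any process on the system and read any process's state, while the sddm hunk in this same commit scopes its sends with `set=(kill, term) peer=lxqt-session`. If the intended targets are the session's own child processes, per-peer rules for the profiles it actually signals would express that (which peers are signalled is not visible here, confirm before narrowing); otherwise a comment explaining why the blanket rules are needed would help the next reader. Separately, `owner @{PROC}/@{pid}/stat r,` is made redundant by the unowned `@{PROC}/@{pid}/stat r,` directly above it, so one of the two should go.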
@@ -11,6 +11,7 @@
 /usr/share/openal/hrtf/{,**} r,
 /usr/share/pipewire/client-rt.conf r,
 /usr/share/pipewire/client.conf r,
+ /usr/share/pipewire/jack.conf r,
 /usr/share/sounds/{,**} r,
 /etc/alsa/conf.d/{,**} r,
@@ -60,6 +61,8 @@
 /dev/shm/ r,
 owner /dev/shm/pulse-shm-@{int} rw,
+ /dev/snd/controlC@{int} r,
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index e88f34d4..5d2cafd9 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -16,6 +16,7 @@ profile scdaemon @{exec_path} {
 network netlink raw,
 signal (send) peer=gpg-agent,
+ signal send set=usr2 peer=unconfined,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index fb1e94c1..28006f47 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -62,6 +62,7 @@ profile mutt @{exec_path} {
 owner @{HOME}/.mutthistory rwk,
 owner @{HOME}/.muttrc* r,
 owner @{HOME}/.signature r, # Mutt signature file
+ owner @{HOME}/ r,
 # User mbox
 # Could be a file or dir depending on mbox_type variable
@@ -91,11 +92,14 @@ profile mutt @{exec_path} {
 @{bin}/w3m mrix,
 @{bin}/lynx mrix,
- owner @{HOME}/.w3m/* rw,
+ owner @{HOME}/.w3m/{,**} rw,
 owner @{user_mail_dirs}/{,**} r,
 owner @{user_mail_dirs}/tmp/{,**} rw,
 owner /{var/,}tmp/mutt* rw,
+ owner /tmp/w3m-@{rand6} rw,
+ owner /tmp/w3m-@{rand6}/{,**} rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch
index d0b75aae..ef3ea4be 100644
--- a/apparmor.d/profiles-m-r/ouch
+++ b/apparmor.d/profiles-m-r/ouch
@@ -15,6 +15,7 @@ profile ouch @{exec_path} {
 @{exec_path} mr,
 owner @{HOME}/.tmp@{rand6}/{,**} rw,
+ owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw,
 @{sys}/fs/cgroup/user.slice/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses
index a3ec65c4..c14b4102 100644
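Review bot: `signal send set=usr2 peer=unconfined,` in the scdaemon hunk is written in a different form from the `signal (send) peer=gpg-agent,` line immediately above it; the file's style is the parenthesised form, so `signal (send) set=(usr2) peer=unconfined,`. Because `peer=unconfined` matches every unconfined process on the system, a short comment naming the intended recipient (presumably a gpg-agent that was started outside its profile; confirm) would keep the rule reviewable later. The enclosing scdaemon profile continues outside the hunk.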
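Review bot: The new `owner /tmp/w3m-@{rand6} rw,` and `owner /tmp/w3m-@{rand6}/{,**} rw,` rules in the mutt hunk hard-code `/tmp/`, while the w3m hunk in this same commit writes the equivalent rule as `owner @{tmp}/w3m-@{rand6}/{,**} rw,`; using `@{tmp}` in mutt too keeps the two profiles in step and covers per-user tmp layouts. The first of the two new rules (no trailing slash) only matches a non-directory entry of that name, so it is unnecessary if w3m creates `w3m-@{rand6}` as a directory, which the second rule already covers (confirm against w3m's behaviour before dropping it). The enclosing mutt profile continues outside the hunk.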
--- a/apparmor.d/profiles-m-r/pinentry-curses
+++ b/apparmor.d/profiles-m-r/pinentry-curses
@@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} {
 /usr/share/terminfo/** r,
+ owner /dev/tty@{int} r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk
similarity index 70%
rename from apparmor.d/profiles-m-r/pinentry-gtk-2
rename to apparmor.d/profiles-m-r/pinentry-gtk
index 49e9ac30..a0244956 100644
--- a/apparmor.d/profiles-m-r/pinentry-gtk-2
+++ b/apparmor.d/profiles-m-r/pinentry-gtk
@@ -7,9 +7,10 @@ abi ,
 include
-@{exec_path} = @{bin}/pinentry-gtk-2
-profile pinentry-gtk-2 @{exec_path} {
+@{exec_path} = @{bin}/pinentry-gtk{,-2}
+profile pinentry-gtk @{exec_path} {
 include
+ include
 include
 include
 include
@@ -17,11 +18,13 @@ profile pinentry-gtk-2 @{exec_path} {
 @{exec_path} mr,
- /usr/share/gtk-2.0/gtkrc r,
+ /usr/share/gtk-@{int}.@{int}/{,**} r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
- include if exists
+ owner /dev/tty@{int} r,
+
+ include if exists
 }
 # vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
index b9efca35..51c625d5 100644
--- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@@ -18,6 +18,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 capability sys_admin,
 capability sys_chroot,
+ capability dac_override,
 @{exec_path} mr,
@@ -27,6 +28,9 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 @{PROC}/@{pid}/oom_adj w,
 @{PROC}/@{pid}/oom_score_adj w,
+ # Silencer
+ deny /dev/pts/@{int} rw, # file_inherit
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m
index 1a0e3341..ade896ea 100644
--- a/apparmor.d/profiles-s-z/w3m
+++ b/apparmor.d/profiles-s-z/w3m
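Review bot: `capability dac_override,` lets the signal-desktop chrome-sandbox helper bypass file permission checks, on top of the `sys_admin` and `sys_chroot` it already holds, and the hunk gives no hint which access required it. A comment citing the denied operation, in the way the `# file_inherit` annotation documents the `deny /dev/pts/@{int} rw,` silencer in the second hunk, or a narrower file rule for the path in question, would make this grant auditable. The enclosing profile continues outside both hunks.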
@@ -36,7 +36,7 @@ profile w3m @{exec_path} {
 owner @{user_config_dirs}/w3m/{,**} rw,
- owner @{tmp}/@{rand6}/{,**} rw,
+ owner @{tmp}/w3m-@{rand6}/{,**} rw,
 include if exists
 }
From a37e11f686f27ce82abcd81f9c137eb6122028f5 Mon Sep 17 00:00:00 2001
From: beroal
Date: Mon, 28 Oct 2024 16:59:54 +0200
Subject: [PATCH 9/9] Writing locale.conf (#593)
---
 apparmor.d/groups/systemd/systemd-localed | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 48318da8..32f02f0d 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -24,11 +24,12 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 /usr/share/systemd/*-map r,
 /usr/share/X11/xkb/{,**} r,
+ /etc/.#locale.conf@{hex16} rw,
 /etc/.#vconsole.conf* rw,
 /etc/default/.#locale* rw,
 /etc/default/keyboard r,
 /etc/default/locale rw,
- /etc/locale.conf r,
+ /etc/locale.conf rw,
 /etc/vconsole.conf rw,
 /etc/X11/xorg.conf.d/ r,
 /etc/X11/xorg.conf.d/.#*.confd* rw,
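Review bot: `/etc/.#locale.conf@{hex16} rw,` pins the temporary-file suffix with `@{hex16}`, while the neighbouring `/etc/.#vconsole.conf* rw,` and `/etc/default/.#locale* rw,` rules that serve the same write-then-rename pattern use a bare `*`, so the block now mixes two styles for one idiom. The tighter `@{hex16}` form is the better one to standardise on (assuming systemd's temporary names are a fixed 16-hex-digit suffix, which the new rule implies; confirm), but whichever is chosen, a one-line comment such as `# systemd write-then-rename temp files` above the group would tell the next reader why these `.#` entries exist. The enclosing systemd-localed profile continues outside the hunk.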