feat(profiles): general update.

2024-11-14 23:43:56 +01:00 · 2022-11-03 21:40:01 +00:00 · 2022-11-03 21:40:01 +00:00 · a90cdbe879
commit a90cdbe879
parent fabddee9d6
23 changed files with 97 additions and 35 deletions
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@ -4,15 +4,6 @@
  abi <abi/3.0>,
  ##include <abstractions/p11-kit>
  ##include <abstractions/X>
  # TODO: adjust when support finer-grained netlink rules
  #network netlink raw,
  #/etc/udev/udev.conf r,
  #/etc/wildmidi/wildmidi.cfg r,
  /etc/openni2/OpenNI.ini r,
      /tmp/ r,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -14,11 +14,14 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/video>
  capability sys_ptrace,
  ptrace (read),
  network netlink raw,
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixProcessID
@ -41,7 +44,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
-  /{usr/,}bin/pactl                   rPx,
+  /{usr/,}bin/pactl                   rix,
  /{usr/,}bin/pipewire-media-session  rPx,
  /usr/share/pipewire/pipewire*.conf r,
@ -51,16 +54,23 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  /etc/pipewire/pipewire.conf r,
  /etc/pipewire/pipewire.conf.d/{,*} r,
  /var/lib/gdm/.config/pulse/cookie rk,
  / r,
  /.flatpak-info r,
  owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
-  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{run}/udev/data/c50[0-9]:[0-9]* r,
-  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux
-  @{sys}/devices/virtual/dmi/id/board_vendor r,
+
  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
-  /dev/video[0-9]* rw,
+  /dev/media[0-9]* rw,
  include if exists <local/pipewire>
 }
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
  /usr/share/*/*.desktop r,
-  /var/lib/flatpak/{app/**/,}export/share/applications/{,**/} r,
+  /var/lib/flatpak/{app/**/,}export{s,}/share/applications/{,**/} r,
-  /var/lib/flatpak/{app/**/,}export/share/applications/**.desktop r,
+  /var/lib/flatpak/{app/**/,}export{s,}/share/applications/**.desktop r,
-  /var/lib/flatpak/{app/**/,}export/share/applications/.mimeinfo.cache.* rw,
+  /var/lib/flatpak/{app/**/,}export{s,}/share/applications/.mimeinfo.cache.* rw,
-  /var/lib/flatpak/{app/**/,}export/share/applications/mimeinfo.cache w,
+  /var/lib/flatpak/{app/**/,}export{s,}/share/applications/mimeinfo.cache w,
  /var/lib/snapd/desktop/applications/{,**/} r,
  /var/lib/snapd/desktop/applications/**.desktop r,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -82,6 +82,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  @{run}/faillock/[a-zA-z0-9]* rwk,
  @{run}/gdm{3,}/custom.conf r,
  @{run}/motd.d/{,*} r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/sessions/*.ref rw,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@ -14,10 +14,13 @@ profile gnome-extension-manager @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/vulkan>
  network inet dgram,
  network inet6 dgram,
@ -29,9 +32,16 @@ profile gnome-extension-manager @{exec_path} {
  /{usr/,}bin/gjs-console rix,
  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
  # Silencer
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  include if exists <local/gnome-extension-manager>
 }
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -11,15 +11,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/audio>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome>
  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
@ -29,6 +30,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/video>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
@ -511,13 +513,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /etc/xdg/menus/gnome-applications.menu r,
  /var/lib/gdm{3,}/.cache/ w,
  /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
  /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
  /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
  /var/lib/gdm{3,}/.cache/libgweather/ r,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
  /var/lib/gdm{3,}/.cache/libgweather/ r,
  /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.config/ibus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/ rw,
@ -527,6 +531,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,
  /var/lib/gdm{3,}/.local/share/applications/{,**} r,
  /var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
  /var/lib/gdm{3,}/.local/share/icc/{,*} rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /var/lib/AccountsService/icons/* r,
@ -553,6 +559,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/icc/{,*} rw,
  owner @{user_share_dirs}/sounds/__custom/index.theme r,
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
@ -638,6 +645,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/osrelease r,
  /dev/input/event[0-9]* rw,
  /dev/media[0-9]* rw,
  /dev/tty[0-9]* rw,
  include if exists <local/gnome-shell>
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -67,8 +67,9 @@ profile gnome-software @{exec_path} {
  /var/lib/PackageKit/prepared-update r,
  owner @{HOME}/.var/app/{,**/} r,
  owner @{user_cache_dirs}/gnome-software/{,**} rw,
  owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw,
  owner @{user_cache_dirs}/gnome-software/{,**} rw,
  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/flatpak/repo/{,**} rw,
  /var/tmp/flatpak-cache-*/ rw,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -39,6 +39,8 @@ profile gnome-terminal-server @{exec_path} {
  /etc/shells r,
  owner @{user_config_dirs}/*xdg-terminals.list* rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -16,6 +16,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/trash>
  include <abstractions/vulkan>
  dbus send bus=system path=/org/freedesktop/hostname[0-9]
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@ -6,7 +6,8 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
+@{exec_path} = /{usr/,}bin/mullvad-daemon
@{exec_path} += "/opt/Mullvad VPN/resources/mullvad-daemon"
 profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -113,6 +113,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{run}/systemd/users/@{uid} rw,
  @{sys}/class/drm/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/** r,
  @{sys}/devices/**/brightness rw,
  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -18,11 +18,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability mknod,
  capability net_admin,
  capability sys_admin,
  capability sys_chroot,
-  capability kill,
+  capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
@ -42,6 +43,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/,
  pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/,
  ptrace (read) peer=docker-*,
  ptrace (read) peer=unconfined,
  signal (send) set=kill peer=docker-*,
@ -62,7 +64,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  # TODO: should be in a sub profile started with pivot_root, not supported yet.
  /{,**} rw,
  deny /boot/{,**} rw,
  deny /dev/{,**} rw,
  deny /media/{,**} rw,
  deny /mnt/{,**} rw,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -122,7 +122,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/qemu-img               rUx, # TODO: Integration with virt-aa-helper
  /{usr/,}lib/libvirt/virt-aa-helper rPx,
-  /etc/libvirt/hooks/**    rmix,
+  /etc/libvirt/hooks/**    rPUx,
  /etc/xen/scripts/**      rmix,
  /var/lib/libvirt/virtd*  rix,
@ -175,6 +175,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c24[0-9]:[0-9]* r,
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c51[0-9]:[0-9]* r,
  @{run}/udev/data/c90:[0-9]* r,
  @{run}/udev/data/n[0-9]* r,
  @{sys}/bus/[a-z]*/devices/ r,
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@ -7,12 +7,13 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/nvtop
-profile nvtop @{exec_path} {
+profile nvtop @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/vulkan>
  capability sys_ptrace,
@ -22,7 +23,23 @@ profile nvtop @{exec_path} {
  /usr/share/terminfo/x/xterm-256color r,
  @{run}/systemd/inhibit/*.ref r,
  @{run}/udev/data/+drm:* r,
  @{run}/udev/data/c226:[0-9]* r,
  @{run}/udev/data/c236:[0-9]* r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/devices/pci[0-9]*/**/enable r,
  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_cur_freq_mhz r,
  @{PROC}/ r,
  @{PROC}/@{pids}/ r,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pids}/fdinfo/ r,
  @{PROC}/@{pids}/fdinfo/[0-9]* r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/driver/nvidia/capabilities/mig/{config,monitor}  r,
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -7,15 +7,20 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/os-prober
-profile os-prober @{exec_path} {
+profile os-prober @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
-  @{exec_path} mr,
+  capability sys_admin,
  @{exec_path} mrix,
  /{usr/,}{s,}bin/blkid         rPx,
  /{usr/,}bin/{,ba,da}sh        rix,
  /{usr/,}bin/{e,f,}grep        rix,
  /{usr/,}bin/cut               rix,
  /{usr/,}bin/head              rix,
  /{usr/,}bin/kmod              rPx,
  /{usr/,}bin/logger            rix,
  /{usr/,}bin/lsblk             rPx,
  /{usr/,}bin/mktemp            rix,
@ -30,5 +35,8 @@ profile os-prober @{exec_path} {
  owner /tmp/os-prober.*/{,**} rw,
  @{sys}/block/ r,
  @{sys}/devices/pci[0-9]*/**/block/*/ r,
  include if exists <local/os-prober>
 }
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@ -20,6 +20,8 @@ profile pactl @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
  /var/lib/gdm/.config/pulse/cookie rk,
  owner @{HOME}/.Xauthority r,
  owner @{user_config_dirs}/pulse/ rw,
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@ -21,6 +21,7 @@ profile snap-update-ns @{exec_path} {
  @{run}/snapd/ns/{,**} rw,
  @{sys}/fs/cgroup/{,**/} r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -110,6 +110,7 @@ profile snapd @{exec_path} {
  /tmp/syscheck-squashfs-[0-9]* rw,
  /tmp/read-file[0-9]*/{,**} rw,
  / r,
  /home/ r,
  @{HOME}/ r,
  @{HOME}/snap/{,**} rw,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -88,7 +88,7 @@ profile steam @{exec_path} {
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh  rix,
-  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{amd64,i386}/usr/bin/* rix,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/**.so*  mr,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix,
@ -98,6 +98,7 @@ profile steam @{exec_path} {
  /usr/share/terminfo/x/xterm-256color r,
  /usr/share/themes/{,**} r,
  /usr/share/X11/{,**} r,
  /usr/share/zenity/* r,
  /etc/lsb-release r,
  /etc/udev/udev.conf r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -63,6 +63,7 @@ profile sudo @{exec_path} {
  /etc/sudoers.d/{,*} r,
        /var/log/sudo.log wk,
        /var/lib/sudo/lectured/ r,
  owner /var/lib/sudo/lectured/* rw,
  owner @{HOME}/.sudo_as_admin_successful rw,
--- a/apparmor.d/profiles-s-z/which
+++ b/apparmor.d/profiles-s-z/which
@ -13,6 +13,8 @@ profile which @{exec_path} flags=(complain) {
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}{local/,}{s,}bin/ r,
  /{usr/,}lib/go-*/bin/ r,
  /{usr/,}{local/,}games/ r,
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -12,6 +12,7 @@ profile wireplumber @{exec_path} {
  include <abstractions/audio>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
  include <abstractions/video>
  network bluetooth raw,
  network bluetooth seqpacket,
@ -34,22 +35,22 @@ profile wireplumber @{exec_path} {
  @{run}/systemd/users/@{uid} r,
  @{run}/udev/data/+sound:card[0-9]* r, # For sound
  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux
  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/sound/ r,
  @{sys}/class/video4linux/ r,
  @{sys}/devices/**/sound/**/pcm_class r,
  @{sys}/devices/**/sound/**/uevent r,
  @{sys}/devices/pci[0-9]*/**/modalias r,
  @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
  @{sys}/devices/system/cpu/possible r,
-  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r,
+  @{sys}/devices/**/device:*/**/path r,
  /dev/media[0-9]* rw,
  /dev/snd/ r,
  /dev/video[0-9]* rw,
  include if exists <local/wireplumber>
 }
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -46,7 +46,7 @@ cups-browsed complain
 cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
 dkms attach_disconnected,complain
-docker attach_disconnected,complain
+dockerd attach_disconnected,complain
 downloadhelper complain
 e2fsck complain
 etckeeper complain