diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index d24a569f..e7d18064 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -57,6 +57,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/cat rix,
/{usr/,}bin/chgrp rix,
/{usr/,}bin/chmod rix,
+ /{usr/,}bin/cp rix,
/{usr/,}bin/dot rix,
/{usr/,}bin/env rix,
/{usr/,}bin/filecap rix,
@@ -72,7 +73,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/ln rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/pkill rix,
- /{usr/,}bin/cp rix,
+ /{usr/,}bin/pwd rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/setcap rix,
@@ -88,6 +89,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/dconf rPx,
/{usr/,}bin/fc-cache{,-32} rPx,
/{usr/,}bin/gdk-pixbuf-query-loaders rPx,
+ /{usr/,}bin/gio-querymodules rPx,
/{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/groupadd rPx,
/{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
@@ -107,7 +109,10 @@ profile pacman @{exec_path} {
/{usr/,}bin/update-mime-database rPx,
/{usr/,}lib/systemd/systemd-* rPx,
/{usr/,}lib/vlc/vlc-cache-gen rPx,
+ /opt/Mullvad*/resources/mullvad-setup rPx,
+ /usr/share/code-features/patch.sh rPx,
/usr/share/libalpm/scripts/* rPUx,
+ /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
# Install/update packages
/ r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code
new file mode 100644
index 00000000..d3aa3c12
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-code
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/code-features/patch.sh
+profile pacman-hook-code @{exec_path} {
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba}sh rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/grep rix,
+
+ /{usr/,}lib/code/sed?????? rw,
+
+ include if exists
+}
\ No newline at end of file
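Review bot: `/usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,` lets mktexlsr run unconfined whenever no profile for it is loaded, the same fallback the existing `/usr/share/libalpm/scripts/* rPUx,` line above it already has, and it is reached from a root-run pacman hook. Since this commit gives `/usr/share/code-features/patch.sh rPx,` a dedicated profile, the mktexlsr hook could get the same treatment (`rPx` plus a profile), or a comment stating why the unconfined fallback is acceptable here. `/opt/Mullvad*/resources/mullvad-setup rPx,` needs a loaded profile attached to that path or the exec is denied; no such profile is visible in this diff, so confirm it exists in the set. The enclosing pacman profile block continues outside the hunk.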
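Review bot: The new profile grants `/{usr/,}lib/code/sed?????? rw,` but no read or write access to the files under `/{usr/,}lib/code/` that patch.sh presumably edits; if the script uses `sed -i`, sed writes the temporary `sed??????` file and then renames it over the original, which needs read on the original and write on the destination path, so the hook may fail once enforced — worth confirming with the hook in complain mode and the audit log. `capability dac_read_search,` is left unexplained; a one-line comment on which path it is needed for would help the next maintainer judge whether it can be dropped. The file is also committed without a trailing newline.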
diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck
index e68e7c5b..b01827a0 100644
--- a/apparmor.d/groups/systemd/systemd-fsck
+++ b/apparmor.d/groups/systemd/systemd-fsck
@@ -19,8 +19,9 @@ profile systemd-fsck @{exec_path} {
@{exec_path} mr,
- /{usr/,}{s,}bin/fsck rPx,
/{usr/,}{s,}bin/e2fsck rPx,
+ /{usr/,}{s,}bin/fsck rPx,
+ /{usr/,}{s,}bin/fsck.* rPx,
owner @{run}/systemd/quotacheck w,
owner @{run}/systemd/fsck.progress rw,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index 4815a1ba..afc25eba 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -68,8 +68,6 @@ profile software-properties-gtk @{exec_path} {
/var/lib/snapd/desktop/icons/ r,
/var/lib/ubuntu-advantage/status.json r,
- owner @{run}/user/@{uid}/wayland-[0-9]* rw,
- owner /tmp/[a-z0-9]* rw,
owner /tmp/tmp*/{,apt.conf} rw,
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status
index 0526f1fe..cb85f595 100644
--- a/apparmor.d/profiles-a-f/aa-status
+++ b/apparmor.d/profiles-a-f/aa-status
@@ -25,7 +25,7 @@ profile aa-status @{exec_path} {
@{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/attr/current r,
owner @{PROC}/@{pid}/mounts r,
-
+ /dev/tty[0-9]* rw,
include if exists
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index 5e92177d..7489aec1 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -25,6 +25,8 @@ profile htop @{exec_path} {
@{exec_path} mr,
+ /{usr/,}bin/lsof rix,
+ /usr/share/terminfo/x/xterm-256color r,
/etc/sensors.d/ r,
diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc
index 0cae0773..5bf184a4 100644
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
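Review bot: `/{usr/,}{s,}bin/fsck.* rPx,` transitions every fsck helper to a profile attached to the executed binary, so any `fsck.<type>` that has no profile in the set is denied at exec rather than run confined or unconfined (symlinks such as fsck.ext4 pointing at e2fsck should resolve to the e2fsck profile, but helpers that are real binaries will not). That is the safer default for a boot-time service, but it should be deliberate: a comment such as `# each fsck.* helper needs its own profile; exec is denied otherwise` and a check that the shipped set covers the filesystem types on target systems would avoid a surprising failed fsck at boot. The systemd-fsck profile block continues outside the hunk.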
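Review bot: `/dev/tty[0-9]* rw,` gives a read-only status tool write access to every virtual console, not just the one it was started from. If this only covers stdout/stderr inherited when aa-status is run on a VT, a `# file_inherit` comment, as used elsewhere in the set, would record that; if the consoles are owned by the invoking user, `owner /dev/tty[0-9]* rw,` would narrow it further without changing the working case. The aa-status profile block continues outside the hunk.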
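Review bot: `/{usr/,}bin/lsof rix,` runs lsof inside htop's own profile, so every file and /proc rule htop has is inherited by lsof, and any access lsof needs beyond them (it presumably walks other processes' `@{PROC}/@{pids}/` entries) will surface as htop denials. If the set ships an lsof profile, `rPx` keeps the two confinements separate; if it does not, a short comment that inheriting htop's rules is intended would help the next reader. The htop profile block continues outside the hunk.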
@@ -9,17 +9,17 @@ include
@{exec_path} = /{usr/,}bin/labwc
profile labwc @{exec_path} flags=(attach_disconnected) {
include
- include
- include
include
- include
- include
- include
- include
+ include
include
include
+ include
+ include
+ include
include
- include
+ include
+ include
+ include
network netlink raw,
@@ -30,16 +30,14 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/* rPUx,
@{libexec}/* rPUx,
- owner @{user_config_dirs}/labwc/ r,
- owner @{user_config_dirs}/labwc/* r,
- /usr/share/libinput/ r,
/usr/share/libinput/*.quirks r,
- /usr/share/themes/**/themerc r,
- /usr/share/X11/xkb/** r,
+ owner @{user_config_dirs}/labwc/ r,
+ owner @{user_config_dirs}/labwc/* r,
+ owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
@{sys}/class/drm/ r,
diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl
index df73736b..24cb4ddc 100644
--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/profiles-s-z/sysctl
@@ -2,6 +2,8 @@
# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+# TODO: Rethink this profile. Should not be called by another profile.
+
abi ,
include
diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname
index 451d7d44..86980440 100644
--- a/apparmor.d/profiles-s-z/uname
+++ b/apparmor.d/profiles-s-z/uname
@@ -13,10 +13,9 @@ profile uname @{exec_path} {
@{exec_path} mr,
- owner /tmp/mktexlsr.* rw,
- # file_inherit
owner @{HOME}/.xsession-errors w,
+ owner /tmp/mktexlsr.* rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel
index 751497b1..5fc6b51c 100644
--- a/apparmor.d/profiles-s-z/userdel
+++ b/apparmor.d/profiles-s-z/userdel
@@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -12,21 +13,13 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
include
include
- # The userdel command is issued as root and its task is to delete regular user accounts. It
- # optionally can remove user files (via --remove). Because of that, the userdel command needs the
- # following CAPs to be able to do so.
- capability dac_read_search,
- capability dac_override,
-
- # To write records to the kernel auditing log.
capability audit_write,
-
- # To set the right permission to the files in the /etc/ dir).
capability chown,
+ capability dac_override,
+ capability dac_read_search,
capability fsetid,
-
- # To prevent removing a user when it's used by some process.
capability sys_ptrace,
+ ptrace (read),
network netlink raw,
@@ -35,9 +28,6 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
/etc/login.defs r,
- @{PROC}/ r,
- @{PROC}/@{pids}/task/ r,
-
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
@@ -60,5 +50,8 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
/var/lib/ r,
/var/lib/*/{,**} rw,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/task/ r,
+
include if exists
}
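Review bot: The hunk removes the comments that justified each capability and adds `ptrace (read),` with neither an explanation nor a `peer=` restriction, so a reader can no longer tell that `capability sys_ptrace,` and the new ptrace rule are there only so userdel can look at other users' processes before deleting the account (the removed text said as much). Keeping one line of that intent, e.g. `# sys_ptrace + ptrace (read): detect processes still owned by the user being deleted`, next to `capability sys_ptrace,` would preserve it; an unrestricted `ptrace (read)` is broad, and if the intended peers can be named the rule could be narrowed with `peer=`. The userdel profile block continues outside the hunk.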