From aac0a93080a52cc19602d046a5446239d12adda0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Oct 2021 15:01:43 +0100 Subject: [PATCH] Profiles update. --- apparmor.d/abstractions/totem | 2 +- apparmor.d/groups/apps/atom | 4 +- .../apps/usr.lib.libreoffice.program.senddoc | 4 +- .../usr.lib.libreoffice.program.soffice.bin | 2 +- apparmor.d/groups/browsers/brave | 4 +- apparmor.d/groups/browsers/chromium | 2 + apparmor.d/groups/browsers/chromium-chromium | 8 +-- apparmor.d/groups/browsers/firefox | 35 +++++----- .../groups/browsers/google-chrome-chrome | 4 +- apparmor.d/groups/browsers/opera | 8 +-- apparmor.d/groups/bus/dbus-daemon | 6 +- apparmor.d/groups/desktop/at-spi-bus-launcher | 8 +-- apparmor.d/groups/gnome/gnome-calendar | 1 + apparmor.d/groups/gnome/gnome-shell | 5 +- apparmor.d/groups/gnome/gnome-system-monitor | 5 +- apparmor.d/groups/gnome/nautilus | 6 ++ apparmor.d/groups/gvfs/gvfsd-metadata | 3 +- apparmor.d/groups/pacman/pacman | 5 +- .../groups/pacman/pacman-hook-fontconfig | 6 ++ apparmor.d/groups/systemd/systemd-sysctl | 9 ++- apparmor.d/groups/systemd/systemd-sysusers | 3 + apparmor.d/profiles-a-f/apparmor_parser | 4 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/font-manager | 2 +- apparmor.d/profiles-a-f/fuse-overlayfs | 4 +- apparmor.d/profiles-a-f/fwupd | 12 ++-- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-s-z/su | 27 +++----- apparmor.d/profiles-s-z/sudo | 69 +++++++------------ apparmor.d/profiles-s-z/update-mime-database | 3 + apparmor.d/profiles-s-z/xdg-dbus-proxy | 5 +- apparmor.d/profiles-s-z/xdg-desktop-portal | 7 +- .../profiles-s-z/xdg-desktop-portal-gtk | 8 +++ apparmor.d/profiles-s-z/xdg-mime | 5 +- 34 files changed, 136 insertions(+), 144 deletions(-) diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem index 7606a1cd..c14ff3d0 100644 --- a/apparmor.d/abstractions/totem +++ b/apparmor.d/abstractions/totem 
@@ -40,7 +40,7 @@ owner @{user_config_dirs}/totem/** rwk, owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - owner @{user_share_dirs}/gvfs-metadata/** r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/totem/ rwk, owner @{user_share_dirs}/tracker/data/tracker-store.journal rwk, diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index 7bcfd87a..3ec84074 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -68,9 +68,9 @@ profile atom @{exec_path} { /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/xdg-settings rPUx, + /{usr/,}bin/xdg-settings rPx, - /{usr/,}bin/git rPUx, + /{usr/,}bin/git rPx, # Needed to sign commits /{usr/,}bin/gpg rCx -> gpg, diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc b/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc index 04ba646f..8e931f34 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc @@ -27,8 +27,8 @@ profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain /usr/bin/basename rmix, /{usr/,}bin/grep rmix, /{usr/,}bin/uname rmix, - /usr/bin/xdg-open rPUx, - /usr/bin/xdg-email rPUx, + /usr/bin/xdg-open rPx, + /usr/bin/xdg-email rPx, /dev/null rw, /usr/lib/libreoffice/program/uri-encode rmpux, /usr/share/libreoffice/share/config/* r, diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin index b6557b74..63721e65 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin 
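Review bot: `/{usr/,}bin/git rPx` (and `xdg-settings rPx` above it) now hard-depend on a loaded `git` / `xdg-settings` profile: unlike `rPUx`, `Px` has no unconfined fallback, so on a host where the target profile is absent or fails to parse the exec is refused with EACCES and Atom's git integration breaks with nothing but an audit denial to explain it. The same holds for every other `rPUx` → `rPx` switch in this commit. If that strictness is intended, a one-line note at the head of the transition list, `# Px: the target profile must be loaded, there is no unconfined fallback`, would spare the next person from rediscovering it in the logs.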
@@ -169,7 +169,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp /usr/lib/libreoffice/program/soffice.bin mix, /usr/lib/libreoffice/program/xpdfimport px, /usr/lib/libreoffice/program/senddoc px, - /usr/bin/xdg-open rPUx, + /usr/bin/xdg-open rPx, /usr/share/java/**.jar r, /usr/share/hunspell/ r, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index a98164bd..6a7cf816 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -73,8 +73,8 @@ profile brave @{exec_path} { #deny /{usr/,}bin/xdg-desktop-menu rx, /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/xdg-settings rPUx, - /{usr/,}bin/xdg-mime rPUx, + /{usr/,}bin/xdg-settings rPx, + /{usr/,}bin/xdg-mime rPx, /usr/share/chromium/extensions/ r, diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index 84fd618b..f49ede7a 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -34,6 +34,8 @@ profile chromium @{exec_path} flags=(attach_disconnected) { # For chromium -g /{usr/,}bin/gdb rPUx, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner /tmp/chromiumargs.?????? rw, # For a temp profile diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index 29355ad8..a3a1b4e6 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium 
@@ -60,11 +60,11 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/browserpass rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-mime rPUx, + /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/xdg-settings rPUx, - /{usr/,}bin/xdg-desktop-menu rPUx, - /{usr/,}bin/xdg-icon-resource rPUx, + /{usr/,}bin/xdg-settings rPx, + /{usr/,}bin/xdg-desktop-menu rPx, + /{usr/,}bin/xdg-icon-resource rPx, # To remove the following error: # Error initializing NSS with a persistent database diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index c4221b3e..8e15f157 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -1,8 +1,10 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2015-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Warning: Such a profile is limitted as it gives access to a lot of resources. + abi , include @@ -14,22 +16,22 @@ include @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr} profile firefox @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include - include - include - include include + include include + include + include + include + include + include + include + include + include + include include include - include - include - include - include + include + include ##include ptrace peer=@{profile_name}, 
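Review bot: The new header comment `# Warning: Such a profile is limitted as it gives access to a lot of resources.` has a typo (`limitted`) and reads as though the profile is limited because it grants access, when the intent appears to be that the confinement it can provide is weak because Firefox needs broad access. Suggest `# Warning: the confinement this profile provides is limited, as Firefox needs access to a lot of resources.` The include targets are stripped in this rendering, so the reordered abstraction list in the second hunk cannot be reviewed here.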
@@ -210,16 +212,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/gvfs-metadata/home r, - owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{user_share_dirs}/gvfs-metadata/root r, - owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, # Silencer + deny capability sys_ptrace, deny owner @{HOME}/.* r, profile open { @@ -252,6 +252,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/telegram-desktop rPx, /{usr/,}bin/spacefm rPx, /{usr/,}bin/qpdfview rPx, + /{usr/,}bin/evince rPx, /usr/share/xfce4/exo/exo-compose-mail rPx, # file_inherit diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome index 583bd8f8..cda308c4 100644 --- a/apparmor.d/groups/browsers/google-chrome-chrome +++ b/apparmor.d/groups/browsers/google-chrome-chrome @@ -66,8 +66,8 @@ profile google-chrome-chrome @{exec_path} { deny /{usr/,}bin/xdg-desktop-menu rx, deny /{usr/,}bin/xdg-icon-resource rx, - /{usr/,}bin/xdg-mime rPUx, - /{usr/,}bin/xdg-settings rPUx, + /{usr/,}bin/xdg-mime rPx, + /{usr/,}bin/xdg-settings rPx, # To remove the following error: # Error initializing NSS with a persistent database diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 9cfdb113..07548eb1 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera 
@@ -56,11 +56,11 @@ profile opera @{exec_path} { @{OPERA_INSTALLDIR}/opera_autoupdate krix, /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-mime rPUx, + /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/xdg-settings rPUx, - /{usr/,}bin/xdg-desktop-menu rPUx, - /{usr/,}bin/xdg-icon-resource rPUx, + /{usr/,}bin/xdg-settings rPx, + /{usr/,}bin/xdg-desktop-menu rPx, + /{usr/,}bin/xdg-icon-resource rPx, # To remove the following error: # Error initializing NSS with a persistent database diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 3cf4fae5..04c60bd4 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -17,9 +17,9 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_resource, - signal (receive) set=(term, kill), - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term, kill) peer=at-spi-bus-launcher, + signal (receive) set=(term hup kill) peer=gdm*, + signal (send) set=(term hup kill) peer=at-spi-bus-launcher, + signal (send) set=(term hup kill) peer=xdg-permission-store, network netlink raw, diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher index d61406ce..7a053f81 100644 --- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher 
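Review bot: Dropping the unqualified `signal (receive) set=(term, kill),` leaves `peer=gdm*` as dbus-daemon's only receive rule, yet this hunk and the at-spi-bus-launcher hunk add `signal (send) set=(term hup kill)` in both directions between the two; AppArmor checks a signal on the sender and the receiver, so at-spi-bus-launcher terminating the a11y bus it spawned would now be refused on the receiving side unless a receive rule exists outside this hunk. Add `signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,` beside the gdm rule. Unconfined senders (systemd, an unconfined session manager) are presumably still covered by the base abstraction's `signal (receive) peer=unconfined`, but any confined session manager other than gdm* that tears the bus down will need its own entry. The new `signal (send) ... peer=xdg-permission-store` likewise only works if that profile carries a matching `signal (receive) ... peer=dbus-daemon`.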
@@ -17,16 +17,16 @@ profile at-spi-bus-launcher @{exec_path} { # Needed? deny capability sys_nice, - signal (receive) set=(term hup) peer=gdm*, - signal (receive) set=(term hup) peer=dbus-daemon, - signal (send) set=(term, kill) peer=dbus-daemon, + signal (receive) set=(term hup kill) peer=dbus-daemon, + signal (receive) set=(term hup kill) peer=gdm*, + signal (send) set=(term hup kill) peer=dbus-daemon, network inet stream, network inet6 stream, @{exec_path} mr, - /{usr/,}bin/dbus-daemon rPUx, + /{usr/,}bin/dbus-daemon rPx, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index bb7567eb..7bc02b27 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -12,6 +12,7 @@ profile gnome-calendar @{exec_path} { include include include + include include network netlink raw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 705fc677..8374e0f2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -79,10 +79,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/gvfs-metadata/home r, - owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{user_share_dirs}/gvfs-metadata/root r, - owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 46fd0668..77569d2f 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor 
@@ -30,10 +30,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-system-monitor/{,**} r, /usr/share/pixmaps/{,**} r, - owner @{user_share_dirs}/gvfs-metadata/home r, - owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{user_share_dirs}/gvfs-metadata/root r, - owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, include owner @{run}/user/@{uid}/dconf/ rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d6417069..08639c01 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -44,11 +44,17 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/net/wireless r, @{PROC}/sys/kernel/random/boot_id r, @{run}/mount/utab r, @{run}/systemd/userdb/ r, + @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, + @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, + @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r, + @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r, + /dev/tty rw, /dev/dri/card[0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 0c97fe46..ab978096 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -16,8 +16,7 @@ profile gvfsd-metadata @{exec_path} { @{exec_path} mr, - owner @{HOME}/.local/share/gvfs-metadata/ rw, - owner @{HOME}/.local/share/gvfs-metadata/** rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 14270d44..7ef902fb 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman 
@@ -48,6 +48,7 @@ profile pacman @{exec_path} { /{usr/,}bin/cat rix, /{usr/,}bin/dot rix, /{usr/,}bin/env rix, + /{usr/,}bin/ghc-pkg-* rix, /{usr/,}bin/rm rix, /{usr/,}bin/setcap rix, /{usr/,}bin/vercmp rix, @@ -81,8 +82,8 @@ profile pacman @{exec_path} { /etc/{,**} rwl, /opt/{,**} rwl, /srv/{,**} rwl, - /usr/{,**} rwl, - /var/{,**} rwl, + /usr/{,**} rwlk, + /var/{,**} rwlk, /bin/ rwl, /home/ rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 31d383bd..959714c2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -10,6 +10,8 @@ include profile pacman-hook-fontconfig @{exec_path} { include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/bash rix, @@ -19,5 +21,9 @@ profile pacman-hook-fontconfig @{exec_path} { /etc/fonts/conf.d/* rwl, /usr/share/fontconfig/conf.default/* r, + # Inherit Silencer + deny network inet6 stream, + deny network inet stream, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index e9ce2a2e..45265344 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -12,11 +12,10 @@ profile systemd-sysctl @{exec_path} { include include - # Are these needed? - deny capability sys_ptrace, - deny capability sys_admin, - deny capability net_admin, - deny capability sys_resource, + capability net_admin, + capability sys_admin, + capability sys_ptrace, + # capability sys_resource, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index f8035046..4a0586f5 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers 
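Review bot: `capability dac_read_search` in pacman-hook-fontconfig is granted with no note on what triggered it; for a root hook running fc-cache this usually means it walked a directory with restrictive mode bits, and the grant lets the hook bypass read/search DAC on every path the profile otherwise allows. A comment such as `capability dac_read_search, # fc-cache walks font dirs that are not world-readable (see audit log)` keeps the grant reviewable, and if the denial came from a single directory a narrower path rule may be enough instead.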
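Review bot: In systemd-sysctl the three lines that carried `# Are these needed?` turn from `deny capability` into unconditional grants of `net_admin`, `sys_admin` and `sys_ptrace` with no explanation, and `sys_ptrace` in particular has no obvious role in writing sysctl values (net_admin and sys_admin plausibly gate the `net.*` and `kernel.*`/`fs.*` entries). Keep each grant tied to its trigger, e.g. `capability net_admin, # net.* sysctls` and `capability sys_admin, # kernel.* / fs.* sysctls`, and either cite the denial that required sys_ptrace or keep it as `deny capability sys_ptrace,`, which silences the log without widening the profile.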
@@ -37,6 +37,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/random/boot_id r, + # Inherit Silencer + deny network inet6 stream, + deny network inet stream, deny /apparmor/.null rw, include if exists diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index 77ea2a68..5e280427 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -20,11 +20,11 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner /var/cache/apparmor/{,**} rw, owner /var/lib/docker/tmp/docker-default[0-9]* r, - owner @{sys}/kernel/security/apparmor/{,**} r, owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw, + @{sys}/kernel/security/apparmor/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/osrelease r, deny /apparmor/.null rw, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index db280b7f..7dcd7de9 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -66,7 +66,7 @@ profile engrampa @{exec_path} { owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/gvfs-metadata/** r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, /usr/share/engrampa/{,**} r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index d5901360..a215d61a 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -44,7 +44,7 @@ profile font-manager @{exec_path} { owner "@{user_share_dirs}/fonts/Google Fonts/**" rw, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/gvfs-metadata/** r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, 
diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 9041e4d5..85cf0b25 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -17,9 +17,9 @@ profile fuse-overlayfs @{exec_path} { @{exec_path} mr, - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/ -> **, + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, - owner @{user_share_dirs}/containers/storage/overlay/{,**} rw, + owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index fe43ce90..62244601 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -31,12 +31,12 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, - /etc/pki/fwupd/** r, - /etc/pki/fwupd-metadata/** r, - /etc/fwupd/** r, - /usr/share/fwupd/** r, + /etc/pki/fwupd/{,**} r, + /etc/pki/fwupd-metadata/{,**} r, + /etc/fwupd/{,**} r, + /usr/share/fwupd/{,**} r, - /var/cache/fwupd/** rw, + /var/cache/fwupd/{,**} rw, /var/lib/fwupd/{,**} rw, /var/lib/fwupd/pending.db rwk, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 22ea50ce..19e51f9b 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
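Review bot: Narrowing the mount source to `.../overlay/**/merged/` only restricts anything if that path is what the kernel reports as the source; for a FUSE filesystem the source string is normally the helper's fsname (fuse-overlayfs mounts usually appear as `fuse-overlayfs on .../merged type fuse.fuse-overlayfs`), and the merged directory is the mountpoint, which this rule still leaves as `-> **`. Please confirm against the audit record (`srcname=` versus `name=`) that the two sides are not swapped. If the merged dir is the mountpoint, the rule should read `mount fstype=fuse.* options=(rw,nodev,noatime) -> @{user_share_dirs}/containers/storage/overlay/**/merged/,` so the profile cannot mount over arbitrary paths.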
@@ -25,7 +25,7 @@ profile fwupdmgr @{exec_path} flags=(complain) { @{exec_path} mr, /{usr/,}bin/dbus-launch rCx -> dbus, - /{usr/,}bin/pkttyagent rux, # TODO: Work in progress + /{usr/,}bin/pkttyagent rPx, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/fwupd/ rw, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 6dc67404..e1e0572c 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -9,25 +9,16 @@ include @{exec_path} = /{usr/,}bin/su profile su @{exec_path} { include - include include - include + include include + include # include - # To remove the following errors: - # su: cannot set groups: Operation not permitted - capability setgid, - - # To remove the following errors: - # su: cannot set user id: Operation not permitted - capability setuid, - - # To write records to the kernel auditing log. capability audit_write, - - # Needed? - audit deny capability net_bind_service, + capability setgid, + capability setuid, + #audit deny capability net_bind_service, signal (send) set=(term,kill), signal (receive) set=(int,quit,term), @@ -43,16 +34,14 @@ profile su @{exec_path} { # Fake shells to politely refuse a login #/{usr/,}{s,}bin/nologin rpux, + /etc/default/locale r, /etc/environment r, + /etc/security/limits.d/ r, + /etc/shells r, @{PROC}/1/limits r, owner @{PROC}/@{pid}/loginuid r, - /etc/default/locale r, - /etc/security/limits.d/ r, - - /etc/shells r, - # For pam_securetty @{PROC}/cmdline r, @{sys}/devices/virtual/tty/console/active r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 185687a0..01e0112e 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
@@ -9,43 +9,26 @@ include @{exec_path} = /{usr/,}bin/sudo profile sudo @{exec_path} { include - include include - include + include include + include # include - # To remove the following errors: - # sudo: unable to change to root gid: Operation not permitted - capability setgid, - - # To remove the following errors: - # sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted - # sudo: no valid sudoers sources found, quitting - # sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted - capability setuid, - - # To write records to the kernel auditing log. + # capability mknod, capability audit_write, - - # For changing ownership of the /var/log/sudo.log file capability chown, - - # Needed? (#FIXME#) - capability sys_resource, - capability net_admin, - capability sys_ptrace, - capability dac_read_search, capability dac_override, - capability mknod, - ptrace read, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + capability sys_ptrace, + capability sys_resource, - # To remove the following error: - # sudo: PAM account management error: Permission denied - # sudo: unable to open audit system: Permission denied - # sudo: a password is required network netlink raw, + ptrace (read), signal, @{exec_path} mr, @@ -54,21 +37,9 @@ profile sudo @{exec_path} { /{usr/,}bin/{,b,d,rb}ash rpux, /{usr/,}bin/{c,k,tc,z}sh rpux, - /{usr/,}bin/[a-z0-9]* rPUx, - /{usr/,}{s,}bin/[a-z0-9]* rPUx, - /{usr/,}lib/cockpit/cockpit-askpass rPx, - - /dev/ r, - /dev/ptmx rw, - - # For timestampdir - owner @{run}/sudo/ rw, - owner @{run}/sudo/ts/ rw, - owner @{run}/sudo/ts/* rwk, - @{run}/faillock/{,*} rwk, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/stat r, + /{usr/,}bin/[a-z0-9]* rPUx, + /{usr/,}{s,}bin/[a-z0-9]* rPUx, + /{usr/,}lib/cockpit/cockpit-askpass rPUx, /etc/sudo.conf r, 
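Review bot: `ptrace (read),` is granted with no peer and sits next to `capability sys_ptrace`, which together let sudo read the ptrace-protected `/proc/<pid>/` state of any process on the system; the old `ptrace read,` was equally broad, but the rewrite also strips the comments that tied each capability to a concrete failure (`sudo: PAM account management error`, `setresuid ... Operation not permitted`, the `/var/log/sudo.log` chown), so a reviewer can no longer tell which grants are load-bearing. Keep one short why-comment per capability, e.g. `capability chown, # chown of /var/log/sudo.log`. If the only cross-process read is the parent's `@{PROC}/@{pids}/stat` for the timestamp check, try `ptrace (read) peer=unconfined,` first and widen only on observed denials.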
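Review bot: `/{usr/,}lib/cockpit/cockpit-askpass` goes from `rPx` to `rPUx`, the opposite direction from every other transition in this commit, so a host without the cockpit-askpass profile now runs that helper unconfined instead of refusing it. The askpass helper is the process that handles the user's password, which is exactly where confinement matters, and the catch-all `/{usr/,}bin/[a-z0-9]* rPUx` above it does not explain the change. If it is deliberate (profile not shipped yet), say so inline, `/{usr/,}lib/cockpit/cockpit-askpass rPUx, # TODO: cockpit-askpass profile`; otherwise keep `rPx`.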
@@ -79,9 +50,21 @@ profile sudo @{exec_path} { /var/log/sudo.log wk, - # file_inherit + # For timestampdir + owner @{run}/sudo/ rw, + owner @{run}/sudo/ts/ rw, + owner @{run}/sudo/ts/* rwk, + @{run}/faillock/{,*} rwk, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/stat r, + + # File Inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + /dev/ r, + /dev/ptmx rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/update-mime-database b/apparmor.d/profiles-s-z/update-mime-database index aba54fab..2b00fa8e 100644 --- a/apparmor.d/profiles-s-z/update-mime-database +++ b/apparmor.d/profiles-s-z/update-mime-database @@ -10,6 +10,9 @@ include profile update-mime-database @{exec_path} { include + capability dac_override, + capability dac_read_search, + @{exec_path} mr, /usr/share/mime/{,**} rw, diff --git a/apparmor.d/profiles-s-z/xdg-dbus-proxy b/apparmor.d/profiles-s-z/xdg-dbus-proxy index ed6bc979..46318030 100644 --- a/apparmor.d/profiles-s-z/xdg-dbus-proxy +++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy @@ -12,10 +12,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) { @{exec_path} mr, - owner @{user_share_dirs}/gvfs-metadata/home r, - owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{user_share_dirs}/gvfs-metadata/root r, - owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw, diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal b/apparmor.d/profiles-s-z/xdg-desktop-portal index d9108b5d..8861047c 100644 --- a/apparmor.d/profiles-s-z/xdg-desktop-portal +++ b/apparmor.d/profiles-s-z/xdg-desktop-portal @@ -13,6 +13,8 @@ profile xdg-desktop-portal @{exec_path} { network netlink raw, + ptrace (read), + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, 
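Review bot: In update-mime-database, `capability dac_override` together with `dac_read_search` lets the tool bypass DAC entirely on every path the profile allows, and nothing in the hunk records which denial required them; for a root process writing `/usr/share/mime/{,**}` this usually points at a directory or stale file owned by another uid rather than a routine need. Record the trigger, e.g. `capability dac_override, # rewriting /usr/share/mime entries not owned by root (see audit log)`, and confirm both capabilities are actually exercised (the audit record names the capability) before keeping both.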
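Review bot: `ptrace (read),` in xdg-desktop-portal is added with no peer, which authorises the portal to read the ptrace-protected `/proc/<pid>/` entries of every process on the system, while the only /proc read this commit adds for it is `owner @{PROC}/@{pids}/cgroup r` in the next hunk, already bounded by `owner` to same-uid processes. The grant is presumably there because the portal resolves D-Bus callers through `/proc/<pid>/`; pin that down with a comment, `ptrace (read), # to inspect @{PROC}/@{pids}/ of D-Bus callers (see audit denial)`, and if the callers run under known profiles prefer a `peer=` list over the open form.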
@@ -26,8 +28,9 @@ profile xdg-desktop-portal @{exec_path} { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/cmdline r, + owner @{PROC}/@{pids}/cgroup r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/cmdline r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk index 1b771386..f1dd6279 100644 --- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk +++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk @@ -11,6 +11,9 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include + include + include + include @{exec_path} mr, @@ -18,6 +21,11 @@ profile xdg-desktop-portal-gtk @{exec_path} { /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, + / r, + + owner @{HOME}/@{XDG_DATA_HOME}/ r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + include owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/profiles-s-z/xdg-mime b/apparmor.d/profiles-s-z/xdg-mime index 4176ef8a..1fb0f326 100644 --- a/apparmor.d/profiles-s-z/xdg-mime +++ b/apparmor.d/profiles-s-z/xdg-mime @@ -46,10 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/mimeapps.list{,.new} rw, - owner @{user_share_dirs}/gvfs-metadata/home r, - owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{user_share_dirs}/gvfs-metadata/root r, - owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{HOME}/.Xauthority r,
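Review bot: `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw` in xdg-desktop-portal-gtk grants write access to the Xwayland auth cookie, which a client only needs to read to authenticate to the X server; with `rw`, a compromised portal backend could tamper with the session's X authentication secret. Unless the audit log shows a write denial, change it to `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,`. The new `/ r` and `owner @{HOME}/@{XDG_DATA_HOME}/ r` are presumably file-chooser directory listings and look harmless, but a one-word comment on `/ r` (`# file chooser`) would make that explicit.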