From ac39df1af24b1b1ae09dad680822de175cc33dde Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Feb 2022 19:18:14 +0000 Subject: [PATCH] Update profiles. --- apparmor.d/groups/browsers/chrome-gnome-shell | 2 ++ apparmor.d/groups/bus/dbus-daemon | 6 ++--- apparmor.d/groups/desktop/blueman-mechanism | 2 +- apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gpg/gpg-agent | 6 +++++ apparmor.d/groups/pacman/mkinitcpio | 2 +- apparmor.d/groups/pacman/pacdiff | 9 ++++---- apparmor.d/groups/pacman/pacman-key | 3 +++ apparmor.d/groups/systemd/bootctl | 23 +++++++++++-------- apparmor.d/groups/systemd/journalctl | 2 ++ apparmor.d/groups/systemd/systemd-detect-virt | 11 ++++++--- apparmor.d/groups/systemd/systemd-journald | 2 ++ apparmor.d/groups/systemd/systemd-logind | 5 ++++ apparmor.d/groups/systemd/systemd-remount-fs | 6 +++++ apparmor.d/groups/systemd/systemd-sysusers | 4 +--- apparmor.d/groups/systemd/systemd-tmpfiles | 1 + apparmor.d/groups/systemd/systemd-update-done | 3 +++ apparmor.d/groups/systemd/systemd-update-utmp | 3 +++ .../groups/systemd/systemd-user-sessions | 3 +++ apparmor.d/profiles-a-f/btrfs | 2 ++ apparmor.d/profiles-g-l/kmod | 4 ++++ apparmor.d/profiles-m-r/mke2fs | 2 ++ apparmor.d/profiles-m-r/qbittorrent | 3 ++- apparmor.d/profiles-s-z/xdg-permission-store | 2 ++ 24 files changed, 81 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/browsers/chrome-gnome-shell index 1356304b..2e45ec85 100644 --- a/apparmor.d/groups/browsers/chrome-gnome-shell +++ b/apparmor.d/groups/browsers/chrome-gnome-shell @@ -31,5 +31,7 @@ profile chrome-gnome-shell @{exec_path} { owner @{PROC}/@{pid}/mounts r, + deny @{HOME}/.* r, + include if exists } diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 00befd61..1f704568 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon 
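Review bot: The added `deny @{HOME}/.* r,` cannot be undone by a site-local override, because AppArmor deny rules take precedence over every allow rule, including anything pulled in through the `include if exists` that follows it in the same hunk. A short comment above the deny, e.g. `# Deliberate: silence reads of dotfiles directly under @{HOME}`, would tell later maintainers that the denial is intentional rather than a missing permission. Note that `*` does not cross `/`, so only entries directly under @{HOME} are affected, not their contents.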
@@ -49,12 +49,12 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/icc/{,edid-*} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/@{pid}/oom_score_adj rw, @{PROC}/@{pids}/cmdline r, - @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/osrelease r, @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/desktop/blueman-mechanism b/apparmor.d/groups/desktop/blueman-mechanism index da9a0543..3827cf5d 100644 --- a/apparmor.d/groups/desktop/blueman-mechanism +++ b/apparmor.d/groups/desktop/blueman-mechanism @@ -8,7 +8,7 @@ include @{exec_path} = @{libexec}/blueman-mechanism @{exec_path} += /{usr/,}lib/blueman/blueman-mechanism -profile blueman-mechanism @{exec_path} { +profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 8464c30b..8afb1c08 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -37,6 +37,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/backgrounds/gnome/* r, + /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/gnome-background-properties/{,**} r, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 5f8c5568..ac5cedc8 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
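Review bot: Removing `owner` from `@{PROC}/@{pid}/oom_score_adj rw,` widens the rule from processes owned by the daemon's uid to every pid that `@{pid}` matches, and the hunk does not say why. A common reason for such a change is that dbus-daemon becomes non-dumpable after dropping privileges, which makes its own `/proc/@{pid}` entries root-owned so `owner` stops matching even its own file; if that is the case here, record it, e.g. `@{PROC}/@{pid}/oom_score_adj rw, # no owner: non-dumpable after privilege drop`, otherwise keep `owner`. DAC still limits which of these files the daemon's uid can open, so the practical widening is small, but the profile no longer expresses the intent. The re-sorting of the `@{PROC}/sys/kernel/*` lines is cosmetic.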
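Review bot: `flags=(attach_disconnected)` on the blueman-mechanism profile line lets paths that are disconnected from the namespace root be matched by the profile's path rules instead of being denied, and the hunk gives no hint of which access prompted it. Because the flag is profile-wide, a comment naming the path from the denial, e.g. `# attach_disconnected: <path from the denial> (TODO: confirm)`, keeps the change auditable; the flag is otherwise low risk as long as the path rules stay narrow.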
@@ -26,33 +26,39 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r, owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner @{user_tmp_dirs}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner /var/lib/*/.gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/gnupg/sshcontrol r, owner /tmp/tmp.*/gnupg/ rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner /tmp/tmp.*/gnupg/S.gpg-agent rw, + owner /tmp/tmp.*/gnupg/sshcontrol r, # For debuild owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index b9808c3d..205b633d 100644 --- a/apparmor.d/groups/pacman/mkinitcpio 
+++ b/apparmor.d/groups/pacman/mkinitcpio @@ -56,7 +56,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/modprobe rPx, /{usr/,}lib/initcpio/busybox rix, - /{usr/,}lib{,32,64}/ld-*.so rix, + /{usr/,}lib{,32,64}/ld-*.so* rix, /etc/fstab r, /etc/lvm/lvm.conf r, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index f380db01..704b3feb 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -18,13 +18,14 @@ profile pacdiff @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pacman-conf rPx, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tput rix, - /{usr/,}bin/locate rix, + /{usr/,}bin/cmp rix, /{usr/,}bin/find rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/locate rix, + /{usr/,}bin/pacman-conf rPx, + /{usr/,}bin/tput rix, # packages files / r, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index c42cd844..374d9936 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -17,12 +17,15 @@ profile pacman-key @{exec_path} { /{usr/,}bin/basename rix, /{usr/,}bin/bash rix, + /{usr/,}bin/chmod rix, /{usr/,}bin/gawk rix, /{usr/,}bin/gettext rix, /{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/grep rix, /{usr/,}bin/pacman-conf rPx, + /{usr/,}bin/touch rix, /{usr/,}bin/tput rix, + /{usr/,}bin/vercmp rix, /{usr/,}bin/wc rix, /usr/share/makepkg/{,**} r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 660ed2d2..19947004 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
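Review bot: Widening `/{usr/,}lib{,32,64}/ld-*.so* rix,` makes every file matching the trailing `.so*` executable with inherited permissions under this profile; the new pattern covers versioned loader names such as `ld-linux-x86-64.so.2` that the old `ld-*.so` missed, but `.so*` also admits any other suffix. A slightly tighter form that still covers the versioned name is `/{usr/,}lib{,32,64}/ld-*.so{,.[0-9]*} rix,`. mkinitcpio presumably runs the loader directly to resolve shared-library dependencies while building the image; a one-line comment saying so above the rule would save the next reader the guess.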
@@ -22,17 +22,20 @@ profile bootctl @{exec_path} { /{usr/,}bin/less rPx -> child-pager, - /boot/ r, - /boot/EFI/{,**} r, - /boot/loader/{,**} r, - /boot/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, - /boot/EFI/BOOT/BOOTX64.EFI w, - /boot/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, - /boot/EFI/systemd/systemd-boot*.efi w, - /boot/loader/.#bootctlrandom-seed[0-9a-f]* rw, - /boot/loader/random-seed w, + /{boot,efi}/ r, + /{boot,efi}/EFI/{,**} r, + /{boot,efi}/loader/{,**} r, + /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, + /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, + /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, + /{boot,efi}/EFI/systemd/systemd-boot*.efi w, + /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw, + /{boot,efi}/loader/random-seed w, - /etc/machine-id r, + /etc/machine-id r, + /etc/machine-info r, + + @{run}/host/container-manager r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 29d18806..43d1890e 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -33,6 +33,8 @@ profile journalctl @{exec_path} { /{run,var}/log/journal/[0-9a-f]*/system.journal* r, /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, + @{run}/host/container-manager r, + # For --setup-keys and --verify owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 870dfe35..f922b2cc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt 
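Review bot: The `/{boot,efi}/…` alternation introduced across the block covers an ESP mounted at `/boot` or `/efi` but not at `/boot/efi`, which is the default on several distributions, so the same denials will reappear there; if that layout is meant to be supported, `/{boot,efi,boot/efi}/` would cover it in one place. Since these rules include write access to `EFI/BOOT/BOOTX64.EFI`, `EFI/systemd/systemd-boot*.efi` and the loader's random-seed, every mount point added here is a location where the confined tool may replace boot-time code, which is the right scope for bootctl but worth a comment such as `# ESP mount points: bootctl installs/updates systemd-boot here` so the breadth is clearly deliberate. `BOOTX64.EFI` also only matches the x86-64 fallback loader name; other architectures use different fallback names, though whether they are in scope for this profile is not visible here.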
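Review bot: `@{run}/host/container-manager r,` is added here in journalctl and in identical form to bootctl, systemd-detect-virt, systemd-journald, systemd-logind, systemd-remount-fs, systemd-update-done, systemd-update-utmp and systemd-user-sessions, and `@{PROC}/1/cmdline r,` to most of the same profiles; both look like inputs to systemd's container/virtualization detection, so they form a natural shared abstraction rather than nine copies. If the repository already has a systemd-related abstraction these could move into it; otherwise a small one (name to be chosen, e.g. an `abstractions/systemd-detect` placeholder) included from each profile keeps future detection paths in one place. The entries themselves are read-only and harmless on their own.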
@@ -13,12 +13,17 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, + @{exec_path} mr, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, + @{run}/host/container-manager r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, # Inherit silencer deny /apparmor/.null rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index dc051277..2ee2fec6 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -39,6 +39,8 @@ profile systemd-journald @{exec_path} { owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/notify rw, + @{run}/host/container-manager r, + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c10:224 r, # for /dev/tpm0 @{run}/udev/data/c243:0 r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 014bff0f..83883120 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -32,6 +32,8 @@ profile systemd-logind @{exec_path} flags=(complain) { /var/lib/systemd/linger/ r, + @{run}/host/container-manager r, + @{run}/utmp rk, @{run}/udev/tags/master-of-seat/ r, @@ -74,6 +76,7 @@ profile systemd-logind @{exec_path} flags=(complain) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, + @{sys}/fs/cgroup/memory.max r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/**/{uevent,enabled,status} r, @{sys}/devices/**/brightness rw, 
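Review bot: `capability net_admin,` is a broad grant for a tool whose remaining rules are read-only sysfs and procfs lookups, and the hunk gives no hint of which operation needs it. Capability denials are often logged for opportunistic checks that succeed without the capability, so before keeping it confirm that the tool actually fails without it and add the reason, e.g. `capability net_admin, # needed for <operation> (TODO: confirm)`; if it turns out to be audit noise only, `deny capability net_admin,` silences the log without widening the profile. The rest of the hunk (sorted DMI ids plus `bios_vendor` and `product_version`) is fine.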
@@ -89,8 +92,10 @@ profile systemd-logind @{exec_path} flags=(complain) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/comm r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, + @{PROC}/1/cmdline r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 7438d547..8f13fe93 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -13,5 +13,11 @@ profile systemd-remount-fs @{exec_path} { @{exec_path} mr, + /etc/fstab r, + + @{run}/host/container-manager r, + + @{PROC}/1/cmdline r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 4a0586f5..9e53b097 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/systemd-sysusers profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, @@ -34,9 +35,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { /etc/.#{group,gshadow}[0-9a-zA-Z]* rw, /etc/.pwd.lock rwk, - owner @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/random/boot_id r, - # Inherit Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 4def3405..3eee8648 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -49,6 +49,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/microcode/reload w, @{PROC}/@{pid}/net/unix r, + @{PROC}/1/cmdline r, deny /apparmor/.null rw, diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index 9b49f3bf..2cd2407f 100644 
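Review bot: The second systemd-sysusers hunk drops `owner @{PROC}/@{pid}/stat r,` and `@{PROC}/sys/kernel/random/boot_id r,` while the first hunk adds an include whose target is not visible in this rendering; the removals are presumably covered by that include, but that is an inference, and if the abstraction does not grant `boot_id` the profile silently regresses. A note in the commit message, or a comment next to the new include naming the rules it replaces, would make the move verifiable. Also, the removed `stat` rule carried `owner`; if the abstraction grants it without `owner`, the replacement is broader than the rule it replaces, which is worth a conscious decision.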
--- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -21,6 +21,9 @@ profile systemd-update-done @{exec_path} { /var/.#.updated[0-9a-zA-Z]* rw, /var/.updated w, + @{run}/host/container-manager r, + + @{PROC}/1/cmdline r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 4a9c63be..e2c7fd60 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -22,6 +22,9 @@ profile systemd-update-utmp @{exec_path} { owner /var/log/wtmp rwk, owner @{run}/utmp rwk, + @{run}/host/container-manager r, + + @{PROC}/1/cmdline r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index a69d0a38..89ea4af7 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -20,6 +20,9 @@ profile systemd-user-sessions @{exec_path} { owner @{run}/.#nologin rw, owner @{run}/nologin rw, + @{run}/host/container-manager r, + + @{PROC}/1/cmdline r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index bcaa273b..81a70995 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -46,5 +46,7 @@ profile btrfs @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + /dev/btrfs-control rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 50d515df..177e41c4 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod 
@@ -27,6 +27,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { # Needed for static-nodes capability dac_override, + capability mknod, + unix (receive) type=stream, @{exec_path} mrix, @@ -43,6 +45,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /var/lib/dkms/**/module/*.ko r, /usr/src/*/*.ko r, + /var/tmp/dracut.*/{,**} rw, + @{sys}/module/{,**} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index 411f97ce..e691740e 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -18,6 +18,8 @@ profile mke2fs @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{s,}bin/badblocks rPx, + /usr/share/file/misc/magic.mgc r, + /etc/mke2fs.conf r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index aa1912df..184548ea 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2015-2020 Mikhail Morfikov +# Copyright (C) 2015-2022 Mikhail Morfikov +# Copyright (C) 2022 nobodysu # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-s-z/xdg-permission-store b/apparmor.d/profiles-s-z/xdg-permission-store index 76335028..5aa1fa09 100644 --- a/apparmor.d/profiles-s-z/xdg-permission-store +++ b/apparmor.d/profiles-s-z/xdg-permission-store @@ -16,6 +16,8 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw, + + @{user_share_dirs}/flatpak/db/.goutputstream-* r, @{user_share_dirs}/flatpak/db/background r, /dev/tty[0-9]* rw,
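Review bot: `/var/tmp/dracut.*/{,**} rw,` in the second kmod hunk grants write access to any directory in the world-writable `/var/tmp` whose name starts with `dracut.`, with no `owner` qualifier, so the permission is not tied to the temporary tree created by the dracut run that invoked kmod. `owner /var/tmp/dracut.*/{,**} rw,` keeps the write access bound to directories owned by the same uid, and a comment such as `# dracut builds its initramfs tree here` would document the purpose. In the first hunk, `capability mknod,` sits under the existing `# Needed for static-nodes` comment, which now reads as applying to both capabilities; if that is the intent, fine, otherwise give it its own comment. The profile header is outside both hunks.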
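Review bot: `@{user_share_dirs}/flatpak/db/.goutputstream-* r,` in the xdg-permission-store hunk grants read only, but `.goutputstream-*` is the temporary file GIO typically creates when it replaces a file atomically (write the temp file, then rename it over the target), so a read-only rule is unlikely to be the end state if the store is actually updating `flatpak/db/background`; expect a follow-up denial for `w` or for the rename, and consider `owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,` once writes are confirmed. The hunk also refers to the same directory through two spellings, `@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,` on the context line and `@{user_share_dirs}/flatpak/db/…` on the new ones, which keeps the rules from sorting together; using one form for all three lines makes the profile easier to audit. Whether the two variables expand to the same path is not visible here.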