From adb936e62fa09a6f27469cdf909f503692edaf8f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Mar 2024 18:31:15 +0000 Subject: [PATCH] feat(abs): add new shells abstraction. --- apparmor.d/abstractions/shells | 11 +++++++++++ apparmor.d/groups/gnome/gdm-xsession | 4 ++-- apparmor.d/groups/gnome/gnome-session | 3 +-- apparmor.d/groups/kde/sddm | 4 ++-- apparmor.d/groups/kde/sddm-xsession | 3 +-- apparmor.d/groups/kde/wayland-session | 6 +++--- apparmor.d/groups/kde/xdm-xsession | 4 ++-- apparmor.d/groups/virt/cockpit-session | 3 +-- apparmor.d/profiles-m-r/pam_roles | 8 ++++---- apparmor.d/tunables/multiarch.d/paths | 2 +- 10 files changed, 28 insertions(+), 20 deletions(-) create mode 100644 apparmor.d/abstractions/shells diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells new file mode 100644 index 00000000..23c447dc --- /dev/null +++ b/apparmor.d/abstractions/shells @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This abstraction is only required when an interactive shell is started. +# Classic shell scripts do not need it. + + include + include + + include if exists diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index b12a5e04..174fda70 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -9,14 +9,14 @@ include @{exec_path} = @{etc_ro}/gdm{3,}/Xsession profile gdm-xsession @{exec_path} { include - include include include include + include @{exec_path} mr, - @{sh_path} rix, + @{shells_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index b5cb17de..254eb861 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session 
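Review bot: The header of the new abstractions/shells file says when it is needed but not what it grants, and that is exactly what a profile author has to weigh before pulling it in, because it replaces two separate per-shell includes in every profile this patch touches. I would extend the comment along the lines of `# Bundles the per-shell abstractions for every shell in @{shells}; review them before adding this, since each grants that shell's start-up file access. Pair with @{shells_path} rix.` The include targets are not visible in this rendering and the "start-up file access" wording is my inference from what shell abstractions usually cover, so confirm it against the bundled abstractions before committing the text.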
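Review bot: In the gdm-xsession hunk, `@{shells_path} rix` lets the session script inherit its profile into every shell listed in `@{shells}`, where the old `@{sh_path}` only covered the sh variants; with `ix` the child stays confined, so the effect is more denials to cover rather than escalation, but each shell's start-up behaviour now has to be permitted by this profile. A why-comment above the rule would spare the next reader the same question: `# Xsession execs the user's $SHELL -l -c to pick up the login environment, hence every interactive shell, not only sh.` That rationale is inferred from how Xsession scripts typically work, so verify it against @{etc_ro}/gdm{3,}/Xsession. The profile body continues past the end of the hunk.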
@@ -9,10 +9,9 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include - include include include - include + include @{exec_path} mrix, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 79aafd3c..4d4d90a7 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -11,7 +11,6 @@ include profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include @@ -20,6 +19,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability audit_write, @@ -70,7 +70,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/sddm/sddm-helper-start-wayland rix, @{lib}/sddm/sddm-helper-start-x11user rix, - @{sh_path} rix, + @{shells_path} rix, @{bin}/cat rix, @{bin}/checkproc rix, @{bin}/disable-paste rix, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b314f144..81c49575 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -12,8 +12,7 @@ profile sddm-xsession @{exec_path} { include include include - include - include + include @{exec_path} r, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 64cca056..b1596876 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -9,12 +9,12 @@ include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include - include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/id rix, + @{shells_path} rix, + @{bin}/id rix, @{lib}/plasma-dbus-run-session-if-needed rix, @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession index 2a8184e5..53cab22f 100644 --- a/apparmor.d/groups/kde/xdm-xsession 
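Review bot: In the third sddm hunk, `@{shells_path} rix` is granted to the display-manager daemon profile itself, which runs as root with `capability audit_write` and `attach_disconnected,mediate_deleted` visible in the earlier hunks, and since `sddm-helper-start-wayland`/`-x11user` are also `rix` in the same hunk, any shell they launch keeps inheriting that root-level profile rather than transitioning to a session profile. That widening from sh-only to every interactive shell deserves a one-line rationale next to the rule, e.g. `# helpers may run the user's $SHELL; keep under this profile (ix) until the session profile takes over`. Whether a transition to the sddm-xsession/wayland-session profiles happens later is not visible here, so treat this as a question to confirm rather than a defect. The sddm profile body extends beyond the hunks shown.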
+++ b/apparmor.d/groups/kde/xdm-xsession @@ -9,14 +9,14 @@ include @{exec_path} = @{etc_ro}/X11/xdm/Xsession profile xdm-xsession @{exec_path} { include - include include include + include include @{exec_path} mr, - @{sh_path} rix, + @{shells_path} rix, @{bin}/checkproc rix, @{bin}/basename rix, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 47ddad30..db0aee66 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,9 +10,8 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include - include include - include + include capability audit_write, capability dac_read_search, diff --git a/apparmor.d/profiles-m-r/pam_roles b/apparmor.d/profiles-m-r/pam_roles index f2b37b14..5846b09e 100644 --- a/apparmor.d/profiles-m-r/pam_roles +++ b/apparmor.d/profiles-m-r/pam_roles @@ -18,9 +18,9 @@ include # of files. profile default_user flags=(complain) { include - include include - include + include + include deny capability sys_ptrace, @@ -38,9 +38,9 @@ profile default_user flags=(complain) { # anywhere, and execute from some places. profile confined_user flags=(complain) { include - include include - include + include + include deny capability sys_ptrace, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 3dfb9af6..99f7d852 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -5,7 +5,7 @@ # Define some paths for some commonly used programs # Default distribution shells -@{sh} = sh zsh bash dash +@{sh} = sh bash dash @{sh_path} = @{bin}/@{sh} # All interactive shells users may want to use
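Review bot: In the tunables/multiarch.d/paths hunk, dropping `zsh` from `@{sh}` silently narrows every profile that still uses `@{sh_path}` to run a user's `$SHELL`; only the six profiles in this patch were moved to `@{shells_path}`, so any other profile relying on `@{sh_path}` for zsh will start to see denials after this change. The comment above the line should state the new contract so nobody adds zsh back: `# Only shells that can be installed as /bin/sh. Use @{shells_path} when a user's $SHELL may be run.` I am inferring that other `@{sh_path}` users exist from the size of the tunable, and the `@{shells}`/`@{shells_path}` definitions lie outside this hunk, so a repository-wide grep for `@{sh_path}` is worth doing before merging.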