From ae6cecde52c31116ebd3bed080527a1228f65449 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 24 Sep 2022 17:59:20 +0100
Subject: [PATCH] feat(profiles): deny gvfs-metadata when possible.
---
 apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++--
 apparmor.d/groups/freedesktop/xdg-mime | 3 ++-
 apparmor.d/groups/gnome/evolution-source-registry | 3 ++-
 apparmor.d/groups/gnome/gnome-control-center | 3 ++-
 apparmor.d/groups/gnome/gnome-extension-ding | 5 ++---
 apparmor.d/groups/gnome/gnome-music | 3 ++-
 apparmor.d/groups/gnome/gnome-shell | 3 ++-
 apparmor.d/groups/gnome/gnome-system-monitor | 4 ++--
 apparmor.d/groups/gnome/gnome-tweaks | 3 ++-
 apparmor.d/groups/gnome/tracker-extract | 1 -
 apparmor.d/groups/network/mullvad-gui | 4 +++-
 apparmor.d/groups/ubuntu/update-manager | 3 ++-
 apparmor.d/profiles-a-f/atril | 5 ++---
 apparmor.d/profiles-a-f/blueman | 4 ++--
 apparmor.d/profiles-a-f/engrampa | 3 ++-
 apparmor.d/profiles-a-f/font-manager | 2 +-
 apparmor.d/profiles-g-l/hostname | 2 ++
 apparmor.d/profiles-s-z/steam | 2 +-
 apparmor.d/profiles-s-z/steam-fossilize | 3 ++-
 apparmor.d/profiles-s-z/steam-game | 4 ++--
 apparmor.d/profiles-s-z/steam-gameoverlayui | 3 ++-
 apparmor.d/profiles-s-z/steam-reaper | 3 ++-
 apparmor.d/profiles-s-z/virt-manager | 2 +-
 23 files changed, 42 insertions(+), 30 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
index 4585ecf3..5f7aeec1 100644
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@@ -13,8 +13,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
 owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
 owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
 owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
@@ -25,5 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 /dev/dri/card[0-9]* rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index 139a0969..771679da 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -39,7 +39,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{user_config_dirs}/mimeapps.list{,.new} rw,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{run}/user/@{uid}/ r,
@@ -60,6 +59,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 deny /{usr/,}bin/dbus-launch rx,
 deny /{usr/,}bin/dbus-send rx,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 profile dbus {
 include
 include
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index 0280ccf3..463470b2 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@@ -27,11 +27,12 @@ profile evolution-source-registry @{exec_path} {
 owner @{user_config_dirs}/evolution/sources/{,*} rw,
 owner @{user_share_dirs}/evolution/{,**} r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_cache_dirs}/evolution/{,**} rwk,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/cmdline r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index c15aca6f..4619ca5c 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
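Review bot: The new `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` is an unconditional deny, and in AppArmor a deny rule takes precedence over any allow, including one a user adds through the `include if exists` local override that follows it, so anyone who wants GIO metadata (emblems, remembered positions) back for this program must now edit the shipped profile rather than a drop-in. That is a defensible trade for quieting the audit log, but the rule is added without explanation here and in every other profile of this commit (xdg-mime, evolution-source-registry and the rest), and a one-line comment above it would record the intent, e.g. `# GIO metadata is not needed here; deny rather than omit to silence the audit log`. The `include if exists` line appears to have lost its local-profile target in this rendering, which I take to be an extraction artefact rather than part of the change.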
@@ -91,7 +91,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
 owner @{user_config_dirs}/mimeapps.list.* rw,
 owner @{user_share_dirs}/backgrounds/{,**} rw,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/icc/{,edid-*} r,
 owner @{user_share_dirs}/sounds/__custom/{,*} rw,
 owner @{user_share_dirs}/webkitgtk/{,**} r,
@@ -148,5 +147,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /dev/media[0-9]* r,
 /dev/video[0-9]* rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 3db55197..c2c118a9 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -60,12 +60,11 @@ profile gnome-extension-ding @{exec_path} {
 owner @{user_share_dirs}/nautilus/scripts/ r,
- owner @{user_share_dirs}/gvfs-metadata/home r,
- owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
-
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 19c42c25..cfd50ca0 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -45,7 +45,6 @@ profile gnome-music @{exec_path} {
 owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
 owner @{user_share_dirs}/grilo-plugins/ rwk,
 owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
- owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,
 owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
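Review bot: In the gnome-extension-ding hunk the targeted reads of `gvfs-metadata/home` and `home-*.log` become a deny, yet a desktop-icons extension is exactly the kind of client that reads GIO file metadata (icon positions are commonly kept there as file attributes), so this may silently lose remembered icon placement rather than merely quiet the log. Please confirm the extension still restores positions with the deny in place; if it does not, this is one of the cases where denying is not possible and the two old allow rules should stay. Because a deny also suppresses the audit entry, a regression here would not surface in the log, which is a further reason to leave a comment either way, e.g. `# DING reads icon positions from gvfs-metadata; keep allowed` or the inverse.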
@@ -54,5 +53,7 @@ profile gnome-music @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index f824b405..93e434a1 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/desktop-directories/{,**} r,
 owner @{user_share_dirs}/gnome-shell/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
 owner @{user_cache_dirs}/gnome-boxes/*.png r,
@@ -203,5 +202,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /dev/input/event[0-9]* rw,
 /dev/tty[0-9]* rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index a24ecee8..31aeb120 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -37,8 +37,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 /var/lib/snapd/desktop/icons/ r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
 owner @{run}/user/@{uid}/doc/ rw,
 @{run}/systemd/sessions/* r,
@@ -69,5 +67,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/wchan r,
 @{PROC}/vmstat r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index cfe4e9d6..e8bd2935 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -33,11 +33,12 @@ profile gnome-tweaks @{exec_path} {
 owner @{user_config_dirs}/autostart/*.desktop r,
 owner @{user_share_dirs}/backgrounds/{,**} r,
 owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/recently-used.xbel* rw,
 owner @{user_share_dirs}/sounds/ r,
 owner @{PROC}/@{pid}/fd/ r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 99799a9c..979be831 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} {
 owner /tmp/*/{,**} r,
 owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
- owner @{user_share_dirs}/gvfs-metadata/** r,
 owner /tmp/tracker-extract-3-files.*/{,*} rw,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 0ca97d32..426890f4 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -46,7 +46,7 @@ profile mullvad-gui @{exec_path} {
 /var/lib/dbus/machine-id r,
 owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
- owner @{user_share_dirs}/gvfs-metadata/* r,
+ owner @{user_cache_dirs}/dconf/user rw,
 owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
@@ -73,5 +73,7 @@ profile mullvad-gui @{exec_path} {
 /dev/tty rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/* r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 32f2e4f2..ce4818eb 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
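Review bot: The tracker-extract hunk removes `owner @{user_share_dirs}/gvfs-metadata/** r,` but, unlike every other profile in this commit, adds no `deny` in its place, so if the extractor still opens that directory the access is now refused and logged as a denial instead of being quietly dropped (unless an included abstraction grants it, which the hunk does not show). Either keep the allow if the indexer needs the metadata, or add `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` with the others, and say in a comment which of the two applies. Note the old rule used `**` while the new denies use `{,*}`; if nested paths were really being hit here, the narrower glob would leave them logged. The profile body continues outside the hunk.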
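Review bot: In the mullvad-gui hunks the new deny is written as `gvfs-metadata/*` while all other profiles in this commit use `gvfs-metadata/{,*}`; the narrower glob does not match the directory itself, so an open or listing of `gvfs-metadata/` would still be logged, and `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` would make it consistent. The first hunk also swaps in an unrelated allow, `owner @{user_cache_dirs}/dconf/user rw,`, which the commit message does not mention; a new write grant should be named in the message or split into its own commit so it can be reviewed on its own merits.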
@@ -87,7 +87,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 /var/lib/update-manager/{,**} rw,
 owner @{user_cache_dirs}/update-manager-core/{,**} rw,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@@ -99,5 +98,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 /dev/ptmx rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index bc7b93e8..e76a019d 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -73,9 +73,6 @@ profile atril @{exec_path} {
 owner @{user_cache_dirs}/atril/{,**} rw,
- owner @{user_share_dirs}/gvfs-metadata/home r,
- owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
-
 owner /tmp/gtkprint_* rw,
 owner /tmp/settings*.ini rw,
 owner /tmp/settings*.ini.* rw,
@@ -95,5 +92,7 @@ profile atril @{exec_path} {
 owner /tmp/atril-@{pid}/*/content.opf rw,
 owner /tmp/atril-@{pid}/*/META-INF/calibre_bookmarks.txt rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 551c87d6..fc401342 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -56,8 +56,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/obexd/ rw,
 owner @{user_cache_dirs}/obexd/* rw,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{PROC}/@{pid}/fd/ r,
@@ -69,6 +67,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 /dev/shm/ r,
 /dev/tty rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 profile open {
 include
 include
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index ce8dbeff..f37fc699 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@@ -117,7 +117,6 @@ profile engrampa @{exec_path} {
 owner @{user_config_dirs}/mimeapps.list{,.*} rw,
 owner @{user_share_dirs}/ r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 /usr/share/engrampa/{,**} r,
@@ -148,6 +147,8 @@ profile engrampa @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 profile open {
 include
 include
diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager
index 8bf1bb58..aab78cc2 100644
--- a/apparmor.d/profiles-a-f/font-manager
+++ b/apparmor.d/profiles-a-f/font-manager
@@ -47,7 +47,6 @@ profile font-manager @{exec_path} {
 owner "@{user_share_dirs}/fonts/Google Fonts/**" rw,
 owner @{user_share_dirs}/ r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
 @{sys}/firmware/acpi/pm_profile r,
@@ -63,6 +62,7 @@ profile font-manager @{exec_path} {
 # Silencer
 owner /var/cache/fontconfig/ w,
 deny /var/cache/fontconfig/ w,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname
index 4e0d4de6..15075dc3 100644
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@@ -20,5 +20,7 @@ profile hostname @{exec_path} {
 @{run}/resolvconf/resolv.conf r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 22857ba5..a529e7f3 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -121,7 +121,6 @@ profile steam @{exec_path} {
 owner @{user_share_dirs}/ r,
 owner @{user_share_dirs}/applications/*.desktop w,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
 owner @{user_share_dirs}/Steam/ rw,
 owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**,
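Review bot: The hostname hunk adds a gvfs-metadata deny to the profile of a plain command-line utility that has no apparent reason to read GIO metadata, and nothing in the profile explains it; presumably it silences a denial that shows up when hostname is spawned from a desktop application, but a future reader is likely to strip it as a stray rule. A one-line comment above it, `# Silence gvfs-metadata noise when launched from a desktop app`, or placing it under a "# Silencer" heading the way font-manager and virt-manager do in this same commit, would make the intent survive. The rest of the hostname profile lies outside the hunk.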
@@ -203,6 +202,7 @@ profile steam @{exec_path} {
 /dev/uinput w,
 audit deny /**.steam_exec_test.sh rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize
index 8b323679..86202bd4 100644
--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
@@ -26,7 +26,6 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw,
 owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
@@ -40,5 +39,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
 @{PROC}/pressure/io r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index b098df0c..3ea772b0 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -155,8 +155,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
 owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
 @{run}/host/fonts/{,**} r,
 @{run}/host/share/{,**} r,
 @{run}/host/usr/{,**} r,
@@ -223,5 +221,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 /dev/input/ r,
 /dev/tty rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index affe238d..659d63ee 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -32,7 +32,6 @@ profile steam-gameoverlayui @{exec_path} {
 owner @{HOME}/ r,
 owner @{HOME}/.steam/registry.vdf rk,
 owner @{HOME}/.steam/steam.pipe r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/Steam/{,**} r,
 owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
 owner @{user_share_dirs}/Steam/public/* rk,
@@ -55,5 +54,7 @@ profile steam-gameoverlayui @{exec_path} {
 @{PROC}/version r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper
index 30953a57..ee50df52 100644
--- a/apparmor.d/profiles-s-z/steam-reaper
+++ b/apparmor.d/profiles-s-z/steam-reaper
@@ -23,11 +23,12 @@ profile steam-reaper @{exec_path} {
 owner @{HOME}/.steam/steam.pipe r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
 owner /dev/shm/u@{uid}-Shm_@{hex} rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 10475656..467fce94 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -69,7 +69,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/virt-manager/ rw,
 owner @{user_cache_dirs}/virt-manager/** rw,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 # For disk images
 @{MOUNTS}/ r,
@@ -103,6 +102,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 # Silence the noise
 deny /usr/share/virt-manager/{,**} w,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
 }