From ae71b323c216a5a7ea09e6f9abf8c05ac3b4d5e7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Jun 2024 11:25:17 +0100 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/apt/command-not-found | 2 ++ apparmor.d/groups/children/child-dpkg | 2 +- apparmor.d/groups/children/child-open | 2 +- .../groups/children/child-open-browsers | 2 +- apparmor.d/groups/children/child-pager | 2 ++ apparmor.d/groups/freedesktop/pipewire | 4 +--- apparmor.d/groups/freedesktop/xwayland | 2 ++ apparmor.d/groups/gnome/gjs-console | 6 ++++-- apparmor.d/groups/gnome/gnome-control-center | 2 +- .../groups/gnome/gnome-remote-desktop-daemon | 2 +- apparmor.d/groups/gnome/session-migration | 1 + .../groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + .../groups/systemd/systemd-user-runtime-dir | 2 ++ apparmor.d/groups/ubuntu/do-release-upgrade | 9 +++++++-- apparmor.d/groups/xfce/xfce-panel | 2 +- apparmor.d/groups/xfce/xfce-session | 2 +- apparmor.d/profiles-a-f/flatpak-app | 3 ++- apparmor.d/profiles-g-l/git | 10 +++++----- apparmor.d/profiles-g-l/ifup | 1 + apparmor.d/profiles-g-l/lsusb | 2 ++ apparmor.d/profiles-m-r/nvidia-settings | 7 +++++++ apparmor.d/profiles-m-r/pass | 19 +++++++++++++++++-- apparmor.d/profiles-m-r/pcscd | 6 +++--- apparmor.d/profiles-m-r/qemu-ga | 7 +++---- apparmor.d/profiles-s-z/smplayer | 3 +-- apparmor.d/profiles-s-z/top | 6 ++---- apparmor.d/profiles-s-z/wl-copy | 3 ++- apparmor.d/profiles-s-z/yadifad | 9 +++++---- 29 files changed, 80 insertions(+), 40 deletions(-) diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 6650cced..00818d01 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found 
@@ -25,6 +25,8 @@ profile command-not-found @{exec_path} { @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/ r, + /usr/share/command-not-found/{,**} r, /var/lib/command-not-found/commands.db rwk, diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 4f65ab28..a90f2a85 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -43,7 +43,7 @@ profile child-dpkg { /var/lib/dpkg/tmp.ci/md5sums rw, /var/lib/dpkg/triggers/Lock rw, /var/lib/dpkg/updates/* rw, - /var/log/dpkg.log ra, + /var/log/dpkg.log rw, # file_inherit /tmp/#@{int} rw, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 3a10d927..9b34f319 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -19,7 +19,7 @@ abi , include -profile child-open { +profile child-open flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 639c32a9..e3da8f38 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -15,7 +15,7 @@ abi , include -profile child-open-browsers { +profile child-open-browsers flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index cfcc832b..ebaf6724 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -28,6 +28,8 @@ profile child-pager { @{system_share_dirs}/terminfo/{,**} r, + @{HOME}/.lesshst r, + owner @{HOME}/ r, owner @{HOME}/.lesshs* rw, owner @{HOME}/.terminfo/@{int}/* r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f8385a89..bdadeabe 100644 --- a/apparmor.d/groups/freedesktop/pipewire 
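Review bot: The child-dpkg hunk relaxes `/var/log/dpkg.log ra,` to `rw,`, which drops the append-only constraint on the package log: `w` also permits truncation and in-place rewriting, so a process running under this child could erase history that `a` protected. If dpkg only ever appends, `ra` already matches an O_APPEND open, and the denial that motivated the change may come from a different operation worth identifying before widening the rule. If the wider mode is genuinely needed, keep it but record why on the line: `/var/log/dpkg.log rw, # dpkg opens the log without O_APPEND` (confirm before adding). The child-dpkg profile body continues outside the hunk.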
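Review bot: The child-open hunk adds `flags=(attach_disconnected)` to the profile header with no comment saying which disconnected path triggered it; the same undocumented flag is added in child-open-browsers, in git and its gpg/ssh/exec/editor subprofiles, and in wl-copy. With the flag set, objects whose path is disconnected from the namespace root are matched as if rooted at `/`, so every existing path rule in these profiles now also covers such objects — for launcher-style children that, as their names suggest, carry broad exec rules, that is a real widening rather than a cosmetic change. A one-line comment on each header naming the trigger, e.g. `# attach_disconnected: <denial that motivated it — fill in>`, would let a later maintainer drop the flag once the underlying cause is gone. The profile bodies continue outside these hunks.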
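Review bot: The child-pager hunk adds `@{HOME}/.lesshst r,` without an `owner` qualifier, while the existing `owner @{HOME}/.lesshs* rw,` just below already covers the owner case, so the net effect of the new rule is permission to read history files the process does not own. A less history holds search patterns and commands typed at the pager prompt, so this is a small information exposure; presumably the trigger is a pager started under sudo, where `@{HOME}` still resolves to the invoking user's home while the euid is root, but that is an inference from the rule pair, not from the hunk. If that is the case, state it on the rule: `@{HOME}/.lesshst r, # sudo keeps HOME but runs as root` (confirm). The child-pager profile body continues outside the hunk.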
+++ b/apparmor.d/groups/freedesktop/pipewire @@ -56,7 +56,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @@ -65,12 +64,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,removable,uevent} r, @{sys}/devices/**/device:*/**/path r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, - @{sys}/module/apparmor/parameters/enabled r, # deny ? + @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, - /dev/video@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 93a65257..a4f98c09 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -18,6 +18,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, + unix type=stream addr=none peer=(label=gnome-shell, addr=none), + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 0fc2add0..e51ed5b8 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
@@ -64,14 +64,16 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, + /tmp/ r, + /var/tmp/ r, + owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, - /tmp/ r, - /var/tmp/ r, + owner @{HOME}/ r, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_cache_dirs}/gstreamer-1.0/ rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 08ae20d4..c1802c0a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -153,7 +153,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, @{sys}/firmware/acpi/pm_profile r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index dab1f58a..46d21977 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -19,7 +19,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { network inet stream, network inet6 stream, - #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User + #aa:dbus own bus=session name=org.gnome.RemoteDesktop #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @{exec_path} mr, 
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 570515cd..1f82e7fe 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -13,6 +13,7 @@ profile session-migration @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/gsettings rPx, /usr/share/session-migration/scripts/*.sh rix, /usr/share/session-migration/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 71c9d046..26e5e598 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -19,6 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { ptrace (read), + mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, umount /etc/machine-id, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 220cbb54..e5be870f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -93,6 +93,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/ rw, @{run}/udev/** rwk, + @{run}/credentials/systemd-udev-load-credentials.service/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 38d2d393..cd70cc8b 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -20,6 +20,8 @@ profile systemd-user-runtime-dir @{exec_path} { capability net_admin, capability sys_admin, + network unix stream, + mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, 
diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index a2f93f42..4ee62b2e 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -37,10 +37,15 @@ profile do-release-upgrade @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, /var/lib/update-manager/* rw, - /var/cache/apt/pkgcache.bin{,.*} rw, - owner @{PROC}/@{pid}/fd/ r, + /var/cache/apt/ rw, + /var/cache/apt/pkgcache.bin rw, + /var/cache/apt/pkgcache.bin.@{rand6} rw, + /var/cache/apt/srcpkgcache.bin rw, + /var/cache/apt/srcpkgcache.bin.@{rand6} rw, + @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 0b3530b4..44c9be03 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -23,7 +23,7 @@ profile xfce-panel @{exec_path} { @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, @{lib}/gio-launch-desktop rix, - @{bin}/sudo rCx -> root, + @{bin}/sudo rCx -> root, /usr/share/desktop-directories/{,**} r, /usr/share/livecheck/** r, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index f2b14b31..b19c11b3 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -58,7 +58,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 41d72d14..83be5477 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
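Review bot: In the do-release-upgrade hunk, `@{PROC}/@{pids}/mountinfo r,` grants reading the mount table of every process on the system, whereas the neighbouring `owner @{PROC}/@{pid}/fd/ r,` is scoped to the process itself. Unless the upgrader genuinely inspects other processes' mount namespaces, `owner @{PROC}/@{pid}/mountinfo r,` is the least-privilege form and matches the surrounding style; reading one's own mountinfo (for example to check free space on the cache partition) is the usual need, but I cannot confirm that from the hunk. The profile body continues outside the hunk.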
@@ -39,11 +39,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { network inet6 stream, network netlink dgram, network netlink raw, + network unix stream, ptrace (read), ptrace trace peer=flatpak-app, - signal (receive) set=(int) peer=flatpak-portal, + signal (receive) set=(int term) peer=flatpak-portal, signal (receive) set=(int) peer=flatpak-session-helper, @{bin}/** rmix, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index d147d77b..e0347900 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -12,7 +12,7 @@ include @{exec_path} = @{bin}/git @{bin}/git-* @{exec_path} += @{lib_dirs}/git @{lib_dirs}/git-* @{lib_dirs}/mergetools/* -profile git @{exec_path} { +profile git @{exec_path} flags=(attach_disconnected) { include include include @@ -110,7 +110,7 @@ profile git @{exec_path} { deny /dev/shm/.org.chromium.Chromium* rw, deny owner @{code_config_dirs}/** rw, - profile gpg { + profile gpg flags=(attach_disconnected) { include include @@ -127,7 +127,7 @@ profile git @{exec_path} { include if exists } - profile ssh { + profile ssh flags=(attach_disconnected) { include include @@ -156,7 +156,7 @@ profile git @{exec_path} { include if exists } - profile exec { + profile exec flags=(attach_disconnected) { include owner @{user_build_dirs}/**/bin/* mr, @@ -164,7 +164,7 @@ profile git @{exec_path} { include if exists } - profile editor { + profile editor flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 605c26f9..e621bd7f 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -119,6 +119,7 @@ profile ifup @{exec_path} { @{PROC}/sys/net/ipv6/conf/*/accept_ra rw, @{PROC}/sys/net/ipv6/conf/*/autoconf rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb index eadda478..22e8a7cd 100644 --- a/apparmor.d/profiles-g-l/lsusb 
+++ b/apparmor.d/profiles-g-l/lsusb @@ -13,6 +13,8 @@ profile lsusb @{exec_path} { include include + capability net_admin, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index d4bda612..87271a03 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -17,6 +17,13 @@ profile nvidia-settings @{exec_path} { /usr/share/pixmaps/{,**} r, + owner @{HOME}/.nvidia-settings-rc rw, + + @{sys}/bus/pci/devices/ r, + @{sys}/devices/@{pci}/config r, + + @{PROC}/devices r, + include if exists } diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 724bd8f3..7c4f697e 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -29,7 +29,6 @@ profile pass @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, - @{bin}/pkill rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @@ -44,10 +43,11 @@ profile pass @{exec_path} { @{bin}/which rix, @{bin}/git rCx -> git, - @{lib}/git{,-core}/git rCx -> git, @{bin}/gpg{2,} rCx -> gpg, + @{bin}/pkill rCx -> pkill, @{bin}/qdbus rCx -> qdbus, @{bin}/vim{,.*} rCx -> editor, + @{lib}/git{,-core}/git rCx -> git, @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, @@ -72,6 +72,21 @@ profile pass @{exec_path} { /dev/tty rw, + profile pkill { + include + + capability sys_ptrace, + + ptrace read, + + @{bin}/pkill mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/tty/drivers r, + + include if exists + } + profile editor { include include diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 085061b1..9a25cd7d 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -16,6 +16,8 @@ profile pcscd @{exec_path} { network netlink raw, + ptrace (read) peer=veracrypt, + ptrace (read) peer=@{p_systemd_user}, ptrace (read) peer=gsd-smartcard, ptrace (read) peer=pkcs11-register, ptrace (read) peer=rngd, 
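Review bot: The lsusb hunk grants `capability net_admin,` to a read-only enumeration tool, which is a broad capability (interface configuration, routing, firewall) for what looks like a libudev netlink monitor being set up alongside the new `network netlink raw,`. A common source of exactly this denial is libudev enlarging the monitor socket buffer with SO_RCVBUFFORCE, which needs CAP_NET_ADMIN but falls back to plain SO_RCVBUF when refused, so it is worth checking whether `deny capability net_admin,` keeps the log quiet without breaking lsusb. If the capability really is required, a comment naming the operation would make the grant reviewable later. The lsusb profile body continues outside the hunk.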
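Review bot: In the pass hunk that introduces `profile pkill {`, `ptrace read,` carries no peer qualifier and sits next to `capability sys_ptrace,`, so the child may read the state of every process on the system rather than only the processes pass needs to signal. A pkill invoked by pass presumably only has to match pass's own helper processes, so something like `ptrace read peer=pass,` plus whatever the included abstraction supplies may be sufficient — confirm against the denial that produced the rule. The `signal` permission pkill needs is not visible in the hunk; if it comes from the included abstraction, a short comment saying so would stop the next reader from hunting for it. The enclosing pass profile continues outside the hunk.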
@@ -24,9 +26,7 @@ profile pcscd @{exec_path} { @{exec_path} mr, /etc/libccid_Info.plist r, - /etc/reader.conf.d/ r, - /etc/reader.conf.d/libccidtwin r, - /etc/reader.conf.d/reader.conf r, + /etc/reader.conf.d/{,**} r, owner @{run}/pcscd/{,pcscd.pid} rw, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 95870637..ac94727c 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -21,10 +21,9 @@ profile qemu-ga @{exec_path} { ptrace (read) peer=@{p_systemd}, - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={ScheduleShutdown,SetWallMessage} - peer=(name=org.freedesktop.login1, label=systemd-logind), + unix type=stream addr=@@{hex16}/bus/shutdown/system, + + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index d8de18f2..54b4080f 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -44,7 +44,7 @@ profile smplayer @{exec_path} { @{bin}/pacmd rPx, @{bin}/smtube rPx, @{bin}/youtube-dl rPx, - @{bin}/yt-dlp rPx, + @{bin}/{y,}t-dlp rPx, /usr/share/hwdata/pnp.ids r, @@ -87,5 +87,4 @@ profile smplayer @{exec_path} { include if exists } - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 9e4b7c11..09728ef4 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -11,8 +11,8 @@ include profile top @{exec_path} flags=(attach_disconnected) { include include - include include + include capability dac_read_search, capability kill, 
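Review bot: The qemu-ga hunk replaces a dbus rule limited to `member={ScheduleShutdown,SetWallMessage}` on `org.freedesktop.login1.Manager` with `#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind`, which, if I read the directive correctly, expands to unrestricted send and receive rules for the whole name — every logind interface and method, not only the two shutdown calls. If the old rule merely lacked members such as PowerOff or Reboot, extending `member={...}` keeps the guest agent's reach at what a host-triggered shutdown needs; if the full interface is intentional, a comment naming the guest commands that drive it would justify the widening. The profile body continues outside the hunk.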
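Review bot: In the first smplayer hunk, `@{bin}/{y,}t-dlp rPx,` expands to both `@{bin}/yt-dlp` and `@{bin}/t-dlp`; the second alternative does not name a tool referenced anywhere else in this patch and looks like a typo, and because the rule is `rPx` the transition would only work if a profile for `t-dlp` exists. If a single binary was intended, the previous `@{bin}/yt-dlp rPx,` is the correct line; if a second name was meant, spell it out in full rather than relying on a one-letter alternation. The profile body continues outside the hunk.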
@@ -36,16 +36,14 @@ profile top @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/ r, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index 3ea91639..a71e4cbd 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/wl-{copy,paste} -profile wl-copy @{exec_path} { +profile wl-copy @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad index c22e3cdd..bb896bd8 100644 --- a/apparmor.d/profiles-s-z/yadifad +++ b/apparmor.d/profiles-s-z/yadifad @@ -21,14 +21,15 @@ profile yadifad @{exec_path} { @{exec_path} mr, - /etc/yadifa/yadifad.conf r, + /etc/yadifa/* r, /var/log/yadifa/{,**} rw, - owner /var/lib/yadifa/{,**} rw, + owner /var/lib/yadifa/ rw, + owner /var/lib/yadifa/** rwk, - owner @{run}/yadifa/{,*} rw, - owner @{run}/yadifa/yadifad.pid rwk, + owner @{run}/yadifa/ rw, + owner @{run}/yadifa/** rwk, include if exists }