feat(profile): general update.

apparmor.d/groups/browsers/chromium-wrapper

@@ -40,11 +40,8 @@ profile chromium-wrapper @{exec_path} {
   owner @{HOME}/.xsession-errors w,
 
   owner @{tmp}/chromiumargs.@{rand6} rw,
-  owner @{tmp}/tmp.*/ rw,
-  owner @{tmp}/tmp.*/** rwk,
 
   owner /dev/tty@{int} rw,
-        /dev/dri/card[0-9] rw,
 
   # Silencer
   deny @{user_share_dirs}/gvfs-metadata/* r,

apparmor.d/groups/freedesktop/xdg-mime

@@ -53,11 +53,11 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
   @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
 
+  @{PROC}/version r,
+
   /dev/dri/card@{int} rw,
   /dev/tty rw,
 
-  @{PROC}/version r,
-
   # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
   # following root processes:
   #  dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
@@ -82,6 +82,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
           @{HOME}/.Xauthority r,
     owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
 
+    include if exists <local/xdg-mime_dbus>
   }
 
   include if exists <local/xdg-mime>

apparmor.d/groups/network/socat

@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # Copyright (C) 2024 Nishit Majithia (nishitm)
 # SPDX-License-Identifier: GPL-2.0-only
-# vim: ft=apparmor
 
 abi <abi/3.0>,
 
@@ -10,19 +10,19 @@ include <tunables/global>
 @{exec_path} = @{bin}/socat
 profile socat @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
-  include <abstractions/consoles>
 
-  capability dac_read_search,
-  capability dac_override,
-  capability net_raw,
-  capability net_admin,
-  capability sys_module,
-  capability sys_admin,
-  capability fsetid,
   capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fsetid,
+  capability net_admin,
   capability net_bind_service,
+  capability net_raw,
+  capability sys_admin,
+  capability sys_module,
   capability sys_resource,
 
   # Allow creation of network sockets and `socat` uses dccp for some
@@ -31,19 +31,13 @@ profile socat @{exec_path} {
 
   @{exec_path} mr,
 
-  # Enale /dev/ptmx access for testsuite
-  # /dev/ptmx rw,
-
-  # TUN/TAP device
-  /dev/net/tun rw,
-
-  # Process-specific access
   @{PROC}/@{pid}/fdinfo/@{int} rw,
-  @{PROC}/@{pid}/stat           r,
+  @{PROC}/@{pid}/stat r,
 
-  # For bi-directional communication between vms and host/hypervisor
-  /dev/vsock r,
+  /dev/net/tun rw,
+  /dev/vsock r,  # For bi-directional communication between vms and host/hypervisor
 
-  # Site-specific additions and overrides. See local/README for details.
   include if exists <local/socat>
 }
+
+# vim:syntax=apparmor

apparmor.d/groups/ssh/ssh-agent

@@ -12,8 +12,8 @@ profile ssh-agent @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
-  signal (receive) set=term peer=cockpit-bridge,
-  signal (receive) set=term peer=gnome-keyring-daemon,
+  signal receive set=term peer=cockpit-bridge,
+  signal receive set=term peer=gnome-keyring-daemon,
 
   @{exec_path} mr,
 
@@ -34,6 +34,7 @@ profile ssh-agent @{exec_path} {
   owner @{run}/user/@{uid}/gcr/.ssh w,
 
   /dev/tty@{int} rw,
+  /dev/tty rw,
 
   include if exists <local/ssh-agent>
 }

apparmor.d/groups/systemd/systemd-hostnamed

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-hostnamed
-profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
+profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.PolicyKit1>

apparmor.d/groups/virt/cockpit-bridge

@@ -22,33 +22,44 @@ profile cockpit-bridge @{exec_path} {
   network inet stream,
   network inet6 dgram,
   network inet6 stream,
+  network netlink raw,
 
-  ptrace (read),
+  ptrace read,
 
-  signal (send) set=term peer=cockpit-pcp,
-  signal (send) set=term peer=dbus-daemon,
-  signal (send) set=term peer=journalctl,
-  signal (send) set=term peer=ssh-agent,
-  signal (send) set=term peer=sudo,
-  signal (send) set=term peer=unconfined,
+  signal send set=term peer=cockpit-pcp,
+  signal send set=term peer=dbus-daemon,
+  signal send set=term peer=journalctl,
+  signal send set=term peer=ssh-agent,
+  signal send set=term peer=sudo,
+  signal send set=term peer=unconfined,
 
   @{exec_path} mr,
 
   @{bin}/cat                  ix,
   @{bin}/date                 ix,
+  @{bin}/find                 ix,
+  @{bin}/ip                   ix,
+  @{bin}/python3.@{int}       ix,
+  @{bin}/test                 ix,
+
   @{bin}/findmnt              Px,
   @{bin}/journalctl           Px,
-  @{bin}/python3.@{int}       ix,
+  @{bin}/lastlog              Px,
+  @{bin}/passwd               Px,
   @{bin}/ssh-agent            Px,
   @{bin}/sudo                 Px, # TODO: rCx -> privilieged ? or rix?
+  @{bin}/udevadm              Cx -> udevadm,
+  @{bin}/virt-install        PUx, # TODO: rPx
   @{lib}/cockpit/cockpit-pcp  Px,
   @{lib}/cockpit/cockpit-ssh  Px,
+  @{bin}/virsh               rPUx,
 
   # The shell is not confined on purpose.
   @{bin}/@{shells}            Ux,
 
-  /usr/share/cockpit/{,**} r,
   /usr/{,local/}share/ r,
+  /usr/share/cockpit/{,**} r,
+  /usr/share/iproute2/* r,
 
   /etc/cockpit/{,**} r,
   /etc/httpd/conf/mime.types r,
@@ -59,6 +70,8 @@ profile cockpit-bridge @{exec_path} {
   /etc/shadow r,
   /etc/shells r,
 
+  / r,
+
   owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
   owner @{user_share_dirs}/ r,
 
@@ -66,6 +79,7 @@ profile cockpit-bridge @{exec_path} {
   @{run}/utmp r,
 
   @{sys}/class/hwmon/ r,
+  @{sys}/class/net/ r,
   @{sys}/devices/**/hwmon@{int}/ r,
   @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
   @{sys}/fs/cgroup/ r,
@@ -89,6 +103,13 @@ profile cockpit-bridge @{exec_path} {
 
   /dev/ptmx rw,
 
+  profile udevadm {
+    include <abstractions/base>
+    include <abstractions/app/udevadm>
+
+    include if exists <local/cockpit-bridge_udevadm>
+  }
+
   include if exists <local/cockpit-bridge>
 }
 

apparmor.d/groups/virt/cockpit-session

@@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
   /etc/motd.d/ r,
   /etc/shells r,
 
+  @{run}/cockpit/active.motd r,
+  @{run}/cockpit/inactive.motd r,
   @{run}/faillock/@{user} rwk,
+  @{run}/motd.d/{,*} r,
   @{run}/systemd/sessions/*.ref rw,
   @{run}/utmp rwk,
-  @{run}/motd.d/{,*} r,
-  @{run}/cockpit/active.motd r,
 
   /var/log/btmp rw,
   /var/log/lastlog rw,

apparmor.d/groups/virt/libvirtd

@@ -68,6 +68,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read,trace) peer=@{profile_name},
   ptrace (read,trace) peer=dnsmasq,
+  ptrace (read,trace) peer=gnome-boxes,
   ptrace (read,trace) peer=libvirt-@{uuid},
   ptrace (read,trace) peer=libvirt-dbus,
   ptrace (read,trace) peer=unconfined,
@@ -93,15 +94,14 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   @{lib}/libvirt/libvirt_iohelper                   rix,
   @{lib}/libvirt/libvirt_parthelper                 rix,
 
+  @{lib}/{,qemu/}qemu-bridge-helper                 rPx,
+  @{lib}/{,qemu/}vhost-user-gpu                    rPUx,
+  @{lib}/{,qemu/}virtiofsd                         rux, # TODO: WIP
   @{lib}/udev/scsi_id                              rPUx,
   @{lib}/xen-*/bin/libxl-save-helper               rPUx,
   @{lib}/xen-*/bin/pygrub                          rPUx,
   @{lib}/xen-common/bin/xen-toolstack              rPUx,
   @{lib}/xen/bin/*                                 rPUx,
-  /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu  rPUx,
-  /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd        rux, # TODO: WIP
-
-  /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 
   @{bin}/dmidecode                            rPx,
   @{bin}/dnsmasq                              rPx,

apparmor.d/groups/virt/qemu-bridge-helper

@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/{,qemu/}qemu-bridge-helper
+profile qemu-bridge-helper @{exec_path} {
+  include <abstractions/base>
+
+  capability net_admin,
+  capability setpcap,
+
+  network inet stream,
+
+  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+
+  signal receive set=term peer=libvirtd,
+
+  @{exec_path} mr,
+
+  /etc/qemu/bridge.conf r,
+
+  @{sys}/devices/system/node/ r,
+
+  owner @{PROC}/@{pids}/status r,
+
+  /dev/net/tun rw,
+
+  include if exists <local/qemu-bridge-helper>
+}
+
+# vim:syntax=apparmor

apparmor.d/profiles-g-l/git

@@ -92,9 +92,6 @@ profile git @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/*/ rw,
   owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
 
-  owner @{tmp}/**        rwkl -> /tmp/**,
-  owner @{tmp}/**/bin/*  rCx -> exec,
-
   owner @{HOME}/.gitconfig* rw,
   owner @{HOME}/.netrc r,
   owner @{user_config_dirs}/git/{,*} rw,

apparmor.d/profiles-s-z/smartd

@@ -39,8 +39,6 @@ profile smartd @{exec_path} {
   /var/lib/smartmontools/smartd.*.state{,~} rw,
   /var/lib/smartmontools/attrlog.*.csv rw,
 
-  /tmp/tmp.* rw,
-
   @{run}/systemd/notify rw,
 
   @{sys}/class/scsi_host/ r,

apparmor.d/profiles-s-z/virt-manager

@@ -61,15 +61,15 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   /etc/fstab r,
   /etc/libnl/classid r,
 
-  owner @{HOME}/ r,
-  owner @{user_cache_dirs}/virt-manager/{,**} rw,
+  # System VM images
+  /var/lib/libvirt/images/{,**} rw,
 
   # For disk images
   @{MOUNTS}/ r,
   @{user_img_dirs}/{,**} r,
 
-  # System VM images
-  /var/lib/libvirt/images/{,**} rw,
+  owner @{HOME}/ r,
+  owner @{user_cache_dirs}/virt-manager/{,**} rw,
 
   # User VM images
   owner @{user_share_dirs}/ r,

dists/flags/main.flags

@@ -279,6 +279,7 @@ plymouth-set-default-theme attach_disconnected,complain
 plymouthd complain
 polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted
 qdbus complain
+qemu-bridge-helper complain
 realmd complain
 remmina complain
 run-parts complain
@@ -369,7 +370,6 @@ systemd-userwork attach_disconnected,complain
 systemsettings complain
 totem attach_disconnected,complain
 tracker-writeback complain
-transmission complain
 udev-dmi-memory-id complain
 udisksctl complain
 udisksd attach_disconnected,complain