From b2d3af8bca969726540f231dcf4e8597426cc94a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 22 Aug 2021 15:32:42 +0100
Subject: [PATCH] Update profiles.
---
 apparmor.d/groups/gnome/gnome-control-center | 1 +
 apparmor.d/groups/gpg/gpg | 4 ++++
 apparmor.d/groups/gpg/gpg-agent | 12 ++++++++++++
 apparmor.d/groups/systemd/bootctl | 2 +-
 apparmor.d/groups/systemd/systemd-detect-virt | 4 ----
 .../groups/systemd/systemd-environment-d-generator | 5 +++++
 apparmor.d/groups/systemd/systemd-hwdb | 4 ----
 apparmor.d/groups/systemd/systemd-sysctl | 4 ----
 apparmor.d/groups/systemd/systemd-sysusers | 4 ----
 apparmor.d/groups/systemd/systemd-tmpfiles | 5 +----
 apparmor.d/groups/systemd/systemd-udevd | 4 ----
 .../groups/systemd/systemd-xdg-autostart-generator | 2 ++
 apparmor.d/profiles-a-l/aa-status | 3 ++-
 apparmor.d/profiles-a-l/auditd | 2 +-
 apparmor.d/profiles-a-l/borg | 8 ++++++++
 apparmor.d/profiles-a-l/dhclient-script | 7 +++++++
 apparmor.d/profiles-a-l/eject | 3 +++
 apparmor.d/profiles-a-l/gio-querymodules | 4 ----
 apparmor.d/profiles-a-l/gtk-query-immodules | 2 +-
 apparmor.d/profiles-a-l/ifup | 2 ++
 apparmor.d/profiles-a-l/install-info | 2 +-
 apparmor.d/profiles-m-z/run-parts | 2 ++
 apparmor.d/profiles-m-z/update-ca-trust | 2 +-
 apparmor.d/profiles-m-z/update-desktop-database | 2 +-
 apparmor.d/profiles-m-z/update-mime-database | 2 +-
 apparmor.d/profiles-m-z/vlc-cache-gen | 2 +-
 26 files changed, 57 insertions(+), 37 deletions(-)
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 45678268..09617279 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -80,6 +80,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+pci* r,
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
 @{run}/udev/data/c235:[0-9]* r,
+ @{run}/udev/data/c236:[0-9]* r,
 @{run}/udev/data/n[0-9]* r,
 @{sys}/bus/ r,
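Review bot: The new `@{run}/udev/data/c236:[0-9]* r,` rule carries no comment saying which device class character major 236 stands for, while the neighbouring c13 line documents itself with `# for /dev/input/*`; majors in that range are not self-explanatory and may be assigned dynamically, so the number alone does not tell the next reader what the profile is opening up. Suggest `@{run}/udev/data/c236:[0-9]* r, # TODO: record which device class this major is for`, ideally citing the denial that prompted it. The enclosing gnome-control-center profile body continues outside the hunk.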
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index ab47344b..5fda539e 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -27,6 +28,9 @@ profile gpg @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/ rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**,
+
 owner /var/lib/*/gnupg/ rw,
 owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 52a95222..5f8c5568 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -27,6 +27,18 @@ profile gpg-agent @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
 owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+
+ owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
+ owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
+ owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
+ owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+ owner @{user_tmp_dirs}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+
 owner /var/lib/*/.gnupg/ rw,
 owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
 owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
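Review bot: The gpg-agent hunk grants `owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,` — read/write of private key material under any temporary-directory path containing a `gnupg` component — with no comment recording the workflow that needs an agent homedir there; the `owner` qualifier restricts it to the user's own files, but a rule this wide tends to stay once it lands, so the reason belongs next to it. The same applies to the `@{XDG_PROJECTS_DIR}/**/{.,}gnupg/` block in that hunk and to the `gnupg/` rules in the second gpg hunk. The two files also disagree: gpg-agent matches `{.,}gnupg/` and has a `@{user_tmp_dirs}` block, while gpg matches only `gnupg/` under `@{XDG_PROJECTS_DIR}` and gets no temp-dir rule at all, so a `.gnupg` project homedir is serviceable by the agent but not openable by gpg itself. Suggest a one-line header such as `# Project-local GNUPGHOME (TODO: name the use case)` above each added block and aligning the gpg patterns with gpg-agent's.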
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index b38adb7c..411f2e5d 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -51,7 +51,7 @@ profile bootctl @{exec_path} {
 owner @{PROC}/@{pid}/cgroup r,
 @{PROC}/sys/kernel/random/poolsize r,
- # Silencer
+ # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt
index 5eda20ec..c04234db 100644
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@@ -20,9 +20,5 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
- # Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator
index d0d51f23..7bea7114 100644
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@@ -14,9 +14,14 @@ profile systemd-environment-d-generator @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}bin/gpgconf rPx,
+ /{usr/,}bin/mawk rix,
+
 /etc/environment r,
 owner @{user_config_dirs}/environment.d/{,*.conf} r,
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 59fcc110..06901e6d 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -19,9 +19,5 @@ profile systemd-hwdb @{exec_path} {
 owner @{PROC}/@{pid}/stat r,
- # Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl
index 2421ce38..e9ce2a2e 100644
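Review bot: In the systemd-environment-d-generator hunk, `/dev/tty rw,` is added with no comment, and nothing else in the profile (it reads `/etc/environment` and the user's `environment.d` snippets) suggests why an environment generator needs a terminal; because `/{usr/,}bin/mawk rix,` runs awk inside this same profile, the tty access is also available to whatever script drives it. If the access is really triggered by a user snippet rather than the generator, say so, e.g. `/dev/tty rw, # TODO: which environment.d snippet needs this?`, otherwise consider whether a deny with a silencer comment is the better fit. `mawk` is also spelled out as a single implementation while `gpgconf` gets a proper `rPx` transition; if other profiles in the repo match awk variants with a brace alternation, the same form here would avoid a second rule later (hedged, the other profiles are not visible in this hunk).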
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@@ -27,9 +27,5 @@ profile systemd-sysctl @{exec_path} {
 /etc/sysctl.conf r,
- # Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index 43562915..e25108d4 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -37,9 +37,5 @@ profile systemd-sysusers @{exec_path} {
 owner @{PROC}/@{pid}/stat r,
 @{PROC}/sys/kernel/random/boot_id r,
- # Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 550673c2..7ea1d562 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -13,6 +13,7 @@ profile systemd-tmpfiles @{exec_path} {
 include
 capability chown,
+ capability dac_override,
 capability dac_read_search,
 capability fowner,
 capability fsetid,
@@ -49,9 +50,5 @@ profile systemd-tmpfiles @{exec_path} {
 @{PROC}/@{pid}/net/unix r,
- # Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 33619cae..92354530 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -97,9 +97,5 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 # file_inherit
 owner @{HOME}/.xsession-errors w,
- # Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-xdg-autostart-generator b/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
index d6ebfa2d..1bb46713 100644
--- a/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
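Review bot: `capability dac_override,` is added to systemd-tmpfiles without a comment, and it is a much wider grant than the `dac_read_search` already present: it lets the confined process bypass discretionary read, write and execute permission checks on any file. systemd-tmpfiles has a plausible need for it (tmpfiles.d entries create, clean and remove paths owned by other users), but the profile should record which action produced the denial so the capability is not carried forward by habit if that action goes away; suggest `capability dac_override, # tmpfiles.d entries acting on paths owned by other users (TODO: cite the denial)`. The rest of the capability list and the profile body lie outside the hunk.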
+++ b/apparmor.d/groups/systemd/systemd-xdg-autostart-generator @@ -12,6 +12,8 @@ profile systemd-xdg-autostart-generator @{exec_path} { include include + capability net_admin, + @{exec_path} mr, /etc/xdg/autostart/{,*.desktop} r, diff --git a/apparmor.d/profiles-a-l/aa-status b/apparmor.d/profiles-a-l/aa-status index c167323a..453ba8dd 100644 --- a/apparmor.d/profiles-a-l/aa-status +++ b/apparmor.d/profiles-a-l/aa-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aa-status +@{exec_path} = /{usr/,}{s,}bin/aa-status profile aa-status @{exec_path} { include @@ -22,6 +22,7 @@ profile aa-status @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/profiles-a-l/auditd b/apparmor.d/profiles-a-l/auditd index 066d32c7..d89d1c5c 100644 --- a/apparmor.d/profiles-a-l/auditd +++ b/apparmor.d/profiles-a-l/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/auditd +@{exec_path} = /{usr/,}{s,}bin/auditd profile auditd @{exec_path} { include include diff --git a/apparmor.d/profiles-a-l/borg b/apparmor.d/profiles-a-l/borg index 4cb1f4ae..a4ab6256 100644 --- a/apparmor.d/profiles-a-l/borg +++ b/apparmor.d/profiles-a-l/borg @@ -62,6 +62,8 @@ profile borg @{exec_path} { owner /tmp/* rw, owner /tmp/tmp*/ rw, owner /tmp/tmp*/idx rw, + owner /tmp/borg-cache-*/ rw, + owner /tmp/borg-cache-*/* rw, owner /var/tmp/* rw, owner /var/tmp/tmp*/ rw, owner /var/tmp/tmp*/idx rw, @@ -111,10 +113,16 @@ profile borg @{exec_path} { /{usr/,}bin/fusermount{,3} mr, + /etc/fuse.conf r, + umount @{MOUNTS}/*/, umount @{MOUNTS}/*/*/, + owner @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, } + include if exists include if exists } diff --git a/apparmor.d/profiles-a-l/dhclient-script b/apparmor.d/profiles-a-l/dhclient-script index 9ef5cf5d..cd152a9f 100644 --- a/apparmor.d/profiles-a-l/dhclient-script +++ b/apparmor.d/profiles-a-l/dhclient-script 
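Review bot: `capability net_admin,` is added to systemd-xdg-autostart-generator with no explanation, and nothing else in the profile (it reads `/etc/xdg/autostart/{,*.desktop}`) points to a network-configuration need; net_admin covers interface, routing and firewall configuration, which a .desktop-file generator has no business holding. Capabilities copied from an audit log often come from probe-style calls that work fine when refused, so it is worth checking the originating denial and, if the generator behaves without it, replacing the grant with `deny capability net_admin,` under the repo's silencer convention, otherwise annotating it, e.g. `capability net_admin, # TODO: reason / denial that required this`. The file header for this section is on the previous physical line and the profile body continues outside the hunk.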
@@ -13,6 +13,8 @@ profile dhclient-script @{exec_path} {
 include
 include
+ capability sys_admin,
+
 # Needed?
 audit deny capability sys_module,
@@ -20,7 +22,9 @@ profile dhclient-script @{exec_path} {
 /{usr/,}bin/{,ba,da}sh mrix,
+ /{usr/,}bin/mkdir rix,
 /{usr/,}bin/ping rPx,
+ /{usr/,}bin/chronyc rPUx,
 /{usr/,}bin/run-parts rCx -> run-parts,
 # To remove the following error:
@@ -82,6 +86,9 @@ profile dhclient-script @{exec_path} {
 # For ntpd/ntpsec
 @{run}/systemd/netif/leases/ r,
+ # For chrony
+ @{run}/chrony-dhcp/ rw,
+
 # file_inherit
 /var/lib/dhcp/dhclient.leases r,
diff --git a/apparmor.d/profiles-a-l/eject b/apparmor.d/profiles-a-l/eject
index 2b1e6ea7..c0fa5e36 100644
--- a/apparmor.d/profiles-a-l/eject
+++ b/apparmor.d/profiles-a-l/eject
@@ -11,6 +11,7 @@ profile eject @{exec_path} {
 include
 include
+ capability sys_admin,
 capability sys_rawio,
 @{exec_path} mr,
@@ -24,5 +25,7 @@ profile eject @{exec_path} {
 /etc/fstab r,
+ @{run}/mount/utab r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-l/gio-querymodules b/apparmor.d/profiles-a-l/gio-querymodules
index ee711c86..b01e0e3e 100644
--- a/apparmor.d/profiles-a-l/gio-querymodules
+++ b/apparmor.d/profiles-a-l/gio-querymodules
@@ -15,9 +15,5 @@ profile gio-querymodules @{exec_path} {
 /{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
- # Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/gtk-query-immodules b/apparmor.d/profiles-a-l/gtk-query-immodules
index 710add22..641de778 100644
--- a/apparmor.d/profiles-a-l/gtk-query-immodules
+++ b/apparmor.d/profiles-a-l/gtk-query-immodules
@@ -15,7 +15,7 @@ profile gtk-query-immodules @{exec_path} {
 /{usr/,}lib/gtk-{3,4}.0/**/immodules.cache w,
 /{usr/,}lib/gtk-{3,4}.0/**/immodules.cache.[0-9A-Z]* w,
- # Silencer
+ # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
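Review bot: `capability sys_admin,` is added to dhclient-script with no comment, directly above a block the author did take care to annotate (`# Needed?` followed by `audit deny capability sys_module,`); sys_admin is the catch-all capability (mount, namespaces, a long list of privileged ioctls), so the profile should record which hook action needed it, or trial it the same way sys_module is handled, e.g. `# Needed? (TODO: cite the denial)` / `audit deny capability sys_admin,` until a concrete need is shown. The same undocumented `capability sys_admin,` grant appears in the first eject hunk, which already holds `sys_rawio`. In the second dhclient-script hunk, `/{usr/,}bin/chronyc rPUx,` falls back to unconfined execution whenever no chronyc profile is loaded; a short note saying that fallback is intended would help, since the neighbouring `ping rPx` does not allow it. The dhclient-script and eject profile bodies continue outside every hunk.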
diff --git a/apparmor.d/profiles-a-l/ifup b/apparmor.d/profiles-a-l/ifup
index a495d26a..3c4283d9 100644
--- a/apparmor.d/profiles-a-l/ifup
+++ b/apparmor.d/profiles-a-l/ifup
@@ -53,6 +53,7 @@ profile ifup @{exec_path} {
 /etc/network/if-post-down.d/ r,
 /etc/network/if-post-down.d/bridge rPUx,
 /etc/network/if-post-down.d/hostapd rPUx,
+ /etc/network/if-post-down.d/chrony rPUx,
 /etc/hostapd/ifupdown.sh rPUx,
 /etc/network/if-post-down.d/ifenslave rPUx,
 /etc/network/if-post-down.d/macchanger rPUx,
@@ -75,6 +76,7 @@ profile ifup @{exec_path} {
 /etc/network/if-up.d/ r,
 /etc/network/if-up.d/ethtool rPUx,
 /etc/network/if-up.d/ifenslave rPUx,
+ /etc/network/if-up.d/chrony rPUx,
 /etc/network/if-up.d/openvpn rPUx,
 /etc/network/if-up.d/wpasupplicant rPUx,
diff --git a/apparmor.d/profiles-a-l/install-info b/apparmor.d/profiles-a-l/install-info
index 41c679cc..a541546c 100644
--- a/apparmor.d/profiles-a-l/install-info
+++ b/apparmor.d/profiles-a-l/install-info
@@ -22,7 +22,7 @@ profile install-info @{exec_path} {
 /dev/tty rw,
- # Silencer
+ # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
diff --git a/apparmor.d/profiles-m-z/run-parts b/apparmor.d/profiles-m-z/run-parts
index 410f1666..d8e5a02f 100644
--- a/apparmor.d/profiles-m-z/run-parts
+++ b/apparmor.d/profiles-m-z/run-parts
@@ -50,6 +50,8 @@ profile run-parts @{exec_path} {
 /{usr/,}bin/uname rix,
 /{usr/,}bin/cat rix,
+ /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
+
 }
 profile kernel-pre-post {
diff --git a/apparmor.d/profiles-m-z/update-ca-trust b/apparmor.d/profiles-m-z/update-ca-trust
index bffe6746..caa578b8 100644
--- a/apparmor.d/profiles-m-z/update-ca-trust
+++ b/apparmor.d/profiles-m-z/update-ca-trust
@@ -32,7 +32,7 @@ profile update-ca-trust @{exec_path} {
 /dev/tty rw,
- # Silencer
+ # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
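Review bot: In the run-parts hunk, `/usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,` executes that script inherited into the enclosing child profile (the child's header and the closing `}` it precedes are outside the hunk), so everything the script does is judged against rules written for run-parts' own helpers such as `uname` and `cat`, and any future rule added for the script widens the child as a whole. A packaged script with behaviour of its own is usually better given a transition (`rPx` with a dedicated profile, or `rPUx` where none exists yet) than folded into the caller. If `rix` is deliberate because the script only shells out to tools already listed here, a comment saying so, e.g. `# update-motd helper, inherits on purpose: only calls tools listed above`, would save the next reader the check.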
diff --git a/apparmor.d/profiles-m-z/update-desktop-database b/apparmor.d/profiles-m-z/update-desktop-database
index 9e50d44d..e6eeff77 100644
--- a/apparmor.d/profiles-m-z/update-desktop-database
+++ b/apparmor.d/profiles-m-z/update-desktop-database
@@ -20,7 +20,7 @@ profile update-desktop-database @{exec_path} {
 /usr/share/*/*.desktop r,
- # Silencer
+ # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
diff --git a/apparmor.d/profiles-m-z/update-mime-database b/apparmor.d/profiles-m-z/update-mime-database
index 0e05d5e6..aba54fab 100644
--- a/apparmor.d/profiles-m-z/update-mime-database
+++ b/apparmor.d/profiles-m-z/update-mime-database
@@ -14,7 +14,7 @@ profile update-mime-database @{exec_path} {
 /usr/share/mime/{,**} rw,
- # Silencer
+ # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
diff --git a/apparmor.d/profiles-m-z/vlc-cache-gen b/apparmor.d/profiles-m-z/vlc-cache-gen
index a275dad9..52fa5c27 100644
--- a/apparmor.d/profiles-m-z/vlc-cache-gen
+++ b/apparmor.d/profiles-m-z/vlc-cache-gen
@@ -15,7 +15,7 @@ profile vlc-cache-gen @{exec_path} {
 /{usr/,}lib/vlc/plugins/{,*} rw,
- # Silencer
+ # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,