From b2fa7bacb8e4a71cdd1aab97bbf2e70626a5257a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 1 Sep 2023 22:50:43 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/apt/apt-methods-gpgv | 2 +-
 apparmor.d/groups/freedesktop/pulseaudio | 1 +
 .../groups/gnome/gnome-extension-gsconnect | 5 ++
 apparmor.d/groups/gnome/gnome-software | 4 +-
 apparmor.d/groups/ssh/ssh-agent | 2 +-
 apparmor.d/groups/systemd/journalctl | 2 +
 apparmor.d/groups/systemd/systemd-journald | 1 +
 apparmor.d/groups/systemd/systemd-udevd | 42 +++++++++-----
 apparmor.d/profiles-a-f/apparmor.systemd | 4 +-
 apparmor.d/profiles-a-f/dkms | 3 +-
 apparmor.d/profiles-a-f/dkms-autoinstaller | 3 +-
 apparmor.d/profiles-m-r/protonmail-bridge | 1 -
 apparmor.d/profiles-m-r/rngd | 7 +--
 apparmor.d/profiles-s-z/snap-failure | 9 +++
 apparmor.d/profiles-s-z/w | 3 +
 apparmor.d/profiles-s-z/whereis | 19 +++----
 apparmor.d/profiles-s-z/which | 15 +++--
 apparmor.d/profiles-s-z/whiptail | 2 +-
 apparmor.d/profiles-s-z/x11-xsession | 55 ++++++++-----------
 19 files changed, 108 insertions(+), 72 deletions(-)
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index b4c111e6..cd1a9e34 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -73,8 +73,8 @@ profile apt-methods-gpgv @{exec_path} {
 /var/lib/apt/lists/{,**} r,
 /var/lib/dpkg/arch r,
 /var/lib/extrepo/keys/*.{gpg,asc} r,
+ /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
 owner /var/lib/apt/lists/{,**} rw,
- owner /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
 owner /var/lib/apt/lists/partial/* rw,
 # For package building
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index c3a188fc..fa3f9251 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
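Review bot: Dropping `owner` from `/var/lib/ubuntu-advantage/apt-esm/{,**} rw,` lets the profile write that tree whatever the file owner, and the hunk gives no reason for the widening; the ssh-agent hunk in this same commit does the same with `/dev/tty@{int} rw,`, which then covers every virtual console instead of only the caller's own tty. Presumably both were driven by observed denials on files owned by another uid, but nothing here shows that. A short trailing comment on each rule, e.g. `/var/lib/ubuntu-advantage/apt-esm/{,**} rw, # not owned by the method's uid`, would let a later audit tell an intentional widening from an accidental one. For the tty rule it is worth confirming that `owner` really cannot be kept, since it is the one of the two with a cross-user impact.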
@@ -141,6 +141,7 @@ profile pulseaudio @{exec_path} {
 @{lib}/@{multiarch}/pulse/gconf-helper mrix,
 @{lib}/pulse-*/modules/*.so mr,
+ /usr/share/ladspa/rdf/{,*} r,
 /usr/share/pulseaudio/{,**} r,
 /var/lib/snapd/desktop/applications/ r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index c4353f48..87273aed 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@@ -44,6 +44,9 @@ profile gnome-extension-gsconnect @{exec_path} {
 @{lib}/gio/modules/*.so* rm,
 @{lib}/girepository-1.0/* r,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
+
 @{share_dirs}/{,**} r,
 @{share_dirs}/gsconnect-preferences rix,
@@ -61,6 +64,8 @@ profile gnome-extension-gsconnect @{exec_path} {
 owner @{user_config_dirs}/pulse/client.conf r,
 owner @{user_config_dirs}/pulse/cookie rk,
+ owner @{user_share_dirs}/ r,
+
 owner @{run}/user/@{uid}/gsconnect/ w,
 owner @{run}/user/@{uid}/pulse/ r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index faa955aa..9726777d 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -81,7 +81,9 @@ profile gnome-software @{exec_path} {
 owner @{user_config_dirs}/pulse/*.conf r,
 owner @{user_share_dirs}/ r,
- owner @{user_share_dirs}/flatpak/repo/{,**} rw,
+ owner @{user_share_dirs}/flatpak/.changed w,
+ owner @{user_share_dirs}/flatpak/repo/ rw,
+ owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
 owner @{user_share_dirs}/gnome-software/{,**} rw,
 owner /tmp/ostree-gpg-*/ rw,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index dc48cebb..9636acb8 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -39,7 +39,7 @@ profile ssh-agent @{exec_path} {
 @{run}/user/@{uid}/keyring/.ssh rw,
 @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,
- owner /dev/tty@{int} rw,
+ /dev/tty@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index a655d650..da633a70 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -16,9 +16,11 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
 capability dac_override,
 capability dac_read_search,
+ capability mknod,
 capability net_admin,
 capability sys_resource,
+ signal (receive) set=(term) peer=cockpit-bridge,
 signal (send) peer=child-pager,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index b3dc716c..315306ff 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -53,6 +53,7 @@ profile systemd-journald @{exec_path} {
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c4:@{int} r, # For TTY devices
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
+ @{run}/udev/data/c108:@{int} r, # For /dev/ppp
 @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters
 @{run}/udev/data/c29:[0-9]* r, # For CD-ROM
 @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 4f8638cd..308b4788 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
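Review bot: `capability mknod,` is added to journalctl without a comment saying which operation needs it, and it is a broad grant for a tool whose usual job is reading journal files. Like the neighbouring capabilities it is probably a response to a logged denial, but mknod deserves at least a one-line justification, e.g. `capability mknod, # TODO: record the journalctl operation that needs device-node creation`, so the grant can be revisited instead of accumulating. The new `signal (receive) set=(term) peer=cockpit-bridge,` is scoped to one peer and one signal, which is fine as written.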
@@ -33,7 +33,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 network inet6 dgram,
 network netlink raw,
- @{exec_path} mr,
+ @{exec_path} mrix,
 @{bin}/{,ba,da}sh rix,
 @{bin}/{,e}grep rix,
@@ -50,21 +50,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/setfacl rix,
 @{bin}/snap rPx,
 @{bin}/unshare rix,
+ @{bin}/lvm rPx,
+ @{bin}/touch rix,
- @{bin}/* rpux,
- audit @{bin}/lvm rux,
-
- @{lib}/pm-utils/power.d/* rPUx,
- @{lib}/snapd/snap-device-helper rPx,
- @{lib}/crda/* rPUx,
- @{lib}/gdm-runtime-config rPx,
- @{lib}/systemd/systemd-* rPx,
- @{lib}/nfsrahead rPUx,
- @{lib}/udev/* rPUx,
+ @{bin}/systemctl rCx -> systemctl,
+ @{lib}/crda/* rPUx,
+ @{lib}/gdm-runtime-config rPx,
+ @{lib}/nfsrahead rPUx,
 @{lib}/open-iscsi/net-interface-handler rPUx,
+ @{lib}/pm-utils/power.d/* rPUx,
+ @{lib}/snapd/snap-device-helper rPx,
+ @{lib}/systemd/systemd-* rPx,
+ @{lib}/udev/* rPUx,
 /usr/share/hplip/config_usb_printer.py rPUx,
- /etc/console-setup/*.sh rPUx,
+ /etc/console-setup/*.sh rPUx,
 /etc/network/cloud-ifupdown-helper rPUx,
 /etc/machine-id r,
@@ -110,5 +110,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 deny /apparmor/.null rw,
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ @{bin}/systemctl mr,
+
+ / r,
+
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd
index 470d7011..653a9bd4 100644
--- a/apparmor.d/profiles-a-f/apparmor.systemd
+++ b/apparmor.d/profiles-a-f/apparmor.systemd
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
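Review bot: The new nested `profile systemctl {` in the `@@ -110,5` hunk carries no flags while its parent is declared `flags=(attach_disconnected,complain)` in the hunk header; it is worth confirming that the child actually runs in the parent's complain mode, and if it does not, declaring it as `profile systemctl flags=(complain) {` until its rule set has settled, otherwise udevd's systemctl calls would be the only enforced part of a profile that is otherwise still being mapped. The child also grants `capability net_admin,` and `capability sys_ptrace,` with no comment on which systemctl action requires them; sys_ptrace in particular deserves a why-comment since it widens what the confined systemctl may inspect about other processes. The `@@ -50,21` hunk's removal of `@{bin}/* rpux,` and `audit @{bin}/lvm rux,` in favour of `@{bin}/lvm rPx,` is a clear tightening and reads well.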
@@ -9,8 +9,10 @@ include
 @{exec_path} = @{lib}/apparmor/apparmor.systemd
 profile apparmor.systemd @{exec_path} flags=(complain) {
 include
+ include
 include
+ capability dac_read_search,
 capability mac_admin,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index a494dc5d..b38c9213 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -22,7 +22,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 unix (receive) type=stream,
- @{exec_path} r,
+ @{exec_path} rm,
+
 @{bin}/cat rix,
 @{bin}/cp rix,
 @{bin}/cut rix,
diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller
index ac421cbc..ef899622 100644
--- a/apparmor.d/profiles-a-f/dkms-autoinstaller
+++ b/apparmor.d/profiles-a-f/dkms-autoinstaller
@@ -12,7 +12,8 @@ profile dkms-autoinstaller @{exec_path} {
 include
 include
- @{exec_path} r,
+ @{exec_path} rm,
+
 @{bin}/{,ba,da}sh rix,
 @{bin}/dkms rPx,
 @{bin}/echo rix,
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge
index eb897f54..36c87ae0 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge
+++ b/apparmor.d/profiles-m-r/protonmail-bridge
@@ -45,7 +45,6 @@ profile protonmail-bridge @{exec_path} {
 @{bin}/base64 rix,
 @{bin}/dirname rix,
 @{bin}/env rix,
- @{bin}/env rix,
 @{bin}/getopt rix,
 @{bin}/git rPx -> pass//git,
 @{bin}/gpg{,2} rPx -> pass//gpg,
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 5eb88292..41de3f47 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -14,18 +14,17 @@ profile rngd @{exec_path} {
 include
 include
- @{exec_path} mr,
-
 capability dac_read_search,
 capability sys_admin,
 capability sys_nice,
 network netlink raw,
- /etc/conf.d/rngd r,
- /etc/opensc.conf r,
+ @{exec_path} mr,
+ /etc/conf.d/rngd r,
 /etc/machine-id r,
+ /etc/opensc.conf r,
 /var/lib/dbus/machine-id r,
 @{sys}/devices/virtual/misc/hw_random/rng_available r,
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
index 511dc8c2..00759882 100644
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -12,5 +12,14 @@ profile snap-failure @{exec_path} {
 @{exec_path} mr,
+ @{bin}/systemctl rCx -> child-systemctl,
+ /snap/snapd/@{int}@{lib}/snapd/snapd rPx,
+
+ /var/lib/snapd/sequence/snapd.json r,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ @{PROC}/cmdline r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w
index 9931e9e7..f9b61886 100644
--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/profiles-s-z/w
@@ -20,6 +20,9 @@ profile w @{exec_path} {
 @{exec_path} mr,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
 @{PROC}/ r,
 @{PROC}/uptime r,
 @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis
index b69fe2fc..b8469979 100644
--- a/apparmor.d/profiles-s-z/whereis
+++ b/apparmor.d/profiles-s-z/whereis
@@ -8,36 +8,35 @@ abi ,
 include
 @{exec_path} = @{bin}/whereis
-profile whereis @{exec_path} flags=(complain) {
+profile whereis @{exec_path} {
 include
 include
 @{exec_path} mr,
- /{usr/,}{local/,}{s,}bin/{,*/} r,
- /{usr/,}{local/,}games/ r,
- @{lib}/go-*/bin/ r,
-
+ @{bin}/{,*/} r,
 @{lib}/ r,
- /usr/{local/,}{,etc/,lib/} r,
+ @{lib}/go-*/bin/ r,
+ /usr/{local/,}games/ r,
 /usr/include/ r,
+ /usr/local/{,etc/,lib/} r,
+ /usr/local/{s,}bin/{,*/} r,
 /usr/share/ r,
 /usr/share/info/{**,} r,
 /usr/share/man/{**,} r,
 /usr/src/{**,} r,
- /etc/ r,
- /opt/ r,
 /opt/cni/bin/ r,
 /opt/containerd/bin/ r,
+ /etc/ r,
+ /snap/bin/ r,
 /var/lib/flatpak/exports/bin/ r,
- owner @{HOME}/.krew/bin/ r,
 owner @{HOME}/{.,}go/bin/ r,
- owner @{HOME}/{.local/,}{.,}bin/ r,
+ owner @{user_bin_dirs}/ r,
 include if exists
 }
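Review bot: `@{bin}/systemctl rCx -> child-systemctl,` names a child profile that this hunk does not define, and since the hunk runs to the end of the file and the eleven lines above it can only hold the header, includes and profile line, it does not appear to be defined anywhere in this file; unless the project provides it some other way, a `Cx` transition to a missing child cannot resolve and the failure handler's systemctl call will be refused. The systemd-udevd change in this same commit covers the same need by defining a nested `profile systemctl { ... }` and transitioning with `rCx -> systemctl`; doing the same here, or pointing at whichever shared systemctl target the repository actually ships, keeps the two consistent. Unrelated, the file still ends with `\ No newline at end of file`, which this rewrite of the tail could have fixed.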
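Review bot: The whereis rewrite drops read access to `/usr/` and `/opt/` (previously granted by `/usr/{local/,}{,etc/,lib/} r,` and `/opt/ r,`) in the same change that removes `flags=(complain)`, so any directory walk whereis still does through those two roots turns from a logged event into a real denial. If they were removed deliberately because no denial was ever observed, a note in the commit message would record that; otherwise keeping `/usr/ r,` and `/opt/ r,` is cheap and grants directory listing only. The consolidation onto `owner @{user_bin_dirs}/ r,` is a good change, assuming that variable is declared in the project's tunables, which this diff does not show.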
diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which
index b317fadd..389952d9 100644
--- a/apparmor.d/profiles-s-z/which
+++ b/apparmor.d/profiles-s-z/which
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -15,18 +16,22 @@ profile which @{exec_path} {
 @{bin}/{,ba,da}sh rix,
- /{usr/,}{local/,}{s,}bin/ r,
+ @{bin}/{,*/} r,
+ @{lib}/ r,
 @{lib}/go-*/bin/ r,
- /{usr/,}{local/,}games/ r,
+ /usr/{local/,}games/ r,
+ /usr/include/ r,
+ /usr/local/{,etc/,lib/} r,
+ /usr/local/{s,}bin/{,*/} r,
 /opt/cni/bin/ r,
 /opt/containerd/bin/ r,
 /snap/bin/ r,
+ /var/lib/flatpak/exports/bin/ r,
- owner @{HOME}/{.local/,}/{.,}bin/ r,
- owner @{HOME}/.krew/bin/ r,
- owner @{HOME}/go/bin/ r,
+ owner @{HOME}/{.,}go/bin/ r,
+ owner @{user_bin_dirs}/ r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail
index 9a54992a..c6166601 100644
--- a/apparmor.d/profiles-s-z/whiptail
+++ b/apparmor.d/profiles-s-z/whiptail
@@ -16,7 +16,7 @@ profile whiptail @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /etc/newt/palette.ubuntu r,
+ /etc/newt/palette.* r,
 owner /tmp/gpm* w,
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession
index d57ff74f..ee78404a 100644
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
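Review bot: Several of the read rules added to which (`@{lib}/ r,`, `/usr/include/ r,`, `/usr/local/{,etc/,lib/} r,`, `/var/lib/flatpak/exports/bin/ r,`) mirror the whereis profile touched in this commit rather than anything `which` itself is known to need — it only walks the directories on PATH, and include or lib directories are unlikely to be on it. If these came from copying the whereis list rather than from observed denials, keeping which's rule set to PATH-style directories would keep it minimal and easier to audit. The replacement of the old `owner @{HOME}/{.local/,}/{.,}bin/ r,` (note its doubled slash) with `owner @{user_bin_dirs}/ r,` is a welcome fix.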
@@ -10,23 +11,24 @@ include
 profile x11-xsession @{exec_path} {
 include
 include
+ include
 @{exec_path} r,
- @{bin}/{,ba,da}sh rix,
- @{bin}/rm rix,
- @{bin}/touch rix,
+ @{bin}/{,ba,da}sh rix,
 @{bin}/{,e}grep rix,
+ @{bin}/{m,g,}awk rix,
 @{bin}/cat rix,
- @{bin}/which{,.debianutils} rix,
- @{bin}/id rix,
 @{bin}/chmod rix,
 @{bin}/date rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/tempfile rix,
- @{bin}/sed rix,
- @{bin}/head rix,
 @{bin}/fold rix,
+ @{bin}/head rix,
+ @{bin}/id rix,
+ @{bin}/rm rix,
+ @{bin}/sed rix,
+ @{bin}/tempfile rix,
+ @{bin}/touch rix,
+ @{bin}/which{,.debianutils} rix,
 @{bin}/dbus-update-activation-environment rCx -> dbus,
@@ -41,36 +43,29 @@ profile x11-xsession @{exec_path} {
 @{bin}/glxinfo rPx,
 # Allowed GUI sessions to start
- @{bin}/openbox-session rPx,
- @{bin}/enlightenment_start rPUx,
- @{bin}/sway rPUx,
- @{bin}/ssh-agent rPx,
-
- owner /tmp/file* rw,
+ @{bin}/openbox-session rPx,
+ @{bin}/enlightenment_start rPUx,
+ @{bin}/sway rPUx,
+ @{bin}/ssh-agent rPx,
 /etc/default/{,*} r,
- /etc/X11/{,**} r,
-
- owner @{HOME}/.Xauthority r,
-
- # Xsession logs
- owner @{HOME}/.xsession-errors w,
-
+ owner /tmp/file* rw,
 profile run-parts {
 include
 @{bin}/run-parts mr,
- /etc/X11/Xsession.d/ r,
- /etc/X11/Xresources/ r,
+ /etc/X11/Xsession.d/{,*} r,
+ /etc/X11/Xresources/{,*} r,
 /etc/default/kexec.d/ r,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
+ include if exists
 }
 profile dbus {
@@ -81,6 +76,7 @@ profile x11-xsession @{exec_path} {
 # file_inherit
 owner @{HOME}/.xsession-errors w,
+ include if exists
 }
 profile gpg {
@@ -95,23 +91,17 @@ profile x11-xsession @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
+ include if exists
 }
 profile udevadm {
 include
+ include
 @{bin}/udevadm mr,
 /etc/udev/udev.conf r,
- owner @{PROC}/@{pid}/stat r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
-
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
 @{sys}/bus/ r,
 @{sys}/bus/*/devices/ r,
 @{sys}/class/ r,
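Review bot: The parent profile loses `owner @{HOME}/.xsession-errors w,` and `owner @{HOME}/.Xauthority r,` in the `@@ -41,36` hunk while the child profiles keep `owner @{HOME}/.xsession-errors w,` as a file_inherit rule; unless the include added at the top of the profile in the `@@ -10,23` hunk supplies these, the Xsession script itself would be denied writing its own log and reading its Xauthority file. The removed `/etc/X11/{,**} r,` is likewise only partly replaced by `/etc/X11/Xsession.d/{,*} r,` and `/etc/X11/Xresources/{,*} r,` inside run-parts, so reads of other entries under /etc/X11 by the main script depend on the same include. Since the include's name is not visible in this rendering, a trailing comment on it naming what it covers, or keeping the two `owner @{HOME}` rules in the parent next to the children's copies, would make the intent checkable.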
@@ -119,6 +109,7 @@ profile x11-xsession @{exec_path} {
 @{sys}/devices/**/uevent r,
 @{run}/udev/data/* r,
+ include if exists
 }
 include if exists