feat(profiles): general update.

Alexandre Pujol 2023-09-01 22:50:43 +01:00
parent 0c151259d2
commit b2fa7bacb8
19 changed files with 108 additions and 72 deletions


@ -73,8 +73,8 @@ profile apt-methods-gpgv @{exec_path} {
/var/lib/apt/lists/{,**} r, /var/lib/apt/lists/{,**} r,
/var/lib/dpkg/arch r, /var/lib/dpkg/arch r,
/var/lib/extrepo/keys/*.{gpg,asc} r, /var/lib/extrepo/keys/*.{gpg,asc} r,
/var/lib/ubuntu-advantage/apt-esm/{,**} rw,
owner /var/lib/apt/lists/{,**} rw, owner /var/lib/apt/lists/{,**} rw,
owner /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
owner /var/lib/apt/lists/partial/* rw, owner /var/lib/apt/lists/partial/* rw,
# For package building # For package building


@ -141,6 +141,7 @@ profile pulseaudio @{exec_path} {
@{lib}/@{multiarch}/pulse/gconf-helper mrix, @{lib}/@{multiarch}/pulse/gconf-helper mrix,
@{lib}/pulse-*/modules/*.so mr, @{lib}/pulse-*/modules/*.so mr,
/usr/share/ladspa/rdf/{,*} r,
/usr/share/pulseaudio/{,**} r, /usr/share/pulseaudio/{,**} r,
/var/lib/snapd/desktop/applications/ r, /var/lib/snapd/desktop/applications/ r,


@ -44,6 +44,9 @@ profile gnome-extension-gsconnect @{exec_path} {
@{lib}/gio/modules/*.so* rm, @{lib}/gio/modules/*.so* rm,
@{lib}/girepository-1.0/* r, @{lib}/girepository-1.0/* r,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{share_dirs}/{,**} r, @{share_dirs}/{,**} r,
@{share_dirs}/gsconnect-preferences rix, @{share_dirs}/gsconnect-preferences rix,
@ -61,6 +64,8 @@ profile gnome-extension-gsconnect @{exec_path} {
owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/pulse/client.conf r,
owner @{user_config_dirs}/pulse/cookie rk, owner @{user_config_dirs}/pulse/cookie rk,
owner @{user_share_dirs}/ r,
owner @{run}/user/@{uid}/gsconnect/ w, owner @{run}/user/@{uid}/gsconnect/ w,
owner @{run}/user/@{uid}/pulse/ r, owner @{run}/user/@{uid}/pulse/ r,


@ -81,7 +81,9 @@ profile gnome-software @{exec_path} {
owner @{user_config_dirs}/pulse/*.conf r, owner @{user_config_dirs}/pulse/*.conf r,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/flatpak/repo/{,**} rw, owner @{user_share_dirs}/flatpak/.changed w,
owner @{user_share_dirs}/flatpak/repo/ rw,
owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{user_share_dirs}/gnome-software/{,**} rw,
owner /tmp/ostree-gpg-*/ rw, owner /tmp/ostree-gpg-*/ rw,


@ -39,7 +39,7 @@ profile ssh-agent @{exec_path} {
@{run}/user/@{uid}/keyring/.ssh rw, @{run}/user/@{uid}/keyring/.ssh rw,
@{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w, @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,
owner /dev/tty@{int} rw, /dev/tty@{int} rw,
include if exists <local/ssh-agent> include if exists <local/ssh-agent>
} }
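Review bot: Dropping `owner` from `/dev/tty@{int} rw,` widens the rule from the user's own terminal to every tty device on the system, which is broader than the denial it presumably fixes requires. If the tty is owned by a different uid when ssh-agent is started by the display manager (not visible here), either keep `owner` and add only the specific case, or record the reason on the rule so the widening is deliberate: `/dev/tty@{int} rw, # not owner-matched: <reason the tty is owned by another uid at startup>`. The profile's opening lines are outside the hunk.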


@ -16,9 +16,11 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,
capability mknod,
capability net_admin, capability net_admin,
capability sys_resource, capability sys_resource,
signal (receive) set=(term) peer=cockpit-bridge,
signal (send) peer=child-pager, signal (send) peer=child-pager,
@{exec_path} mr, @{exec_path} mr,
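Review bot: `capability mknod,` is added to journalctl without a comment, and nothing in this hunk shows which operation needs to create device or special files; a capability this broad should carry a why-comment, e.g. `capability mknod, # TODO(review): name the journalctl operation that needs this`. The new `signal (receive) set=(term) peer=cockpit-bridge,` rule is narrow and self-explanatory by comparison. The profile body continues outside the hunk.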


@ -53,6 +53,7 @@ profile systemd-journald @{exec_path} {
@{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
@{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters
@{run}/udev/data/c29:[0-9]* r, # For CD-ROM @{run}/udev/data/c29:[0-9]* r, # For CD-ROM
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -33,7 +33,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mrix,
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@ -50,21 +50,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{bin}/setfacl rix, @{bin}/setfacl rix,
@{bin}/snap rPx, @{bin}/snap rPx,
@{bin}/unshare rix, @{bin}/unshare rix,
@{bin}/lvm rPx,
@{bin}/touch rix,
@{bin}/* rpux, @{bin}/systemctl rCx -> systemctl,
audit @{bin}/lvm rux, @{lib}/crda/* rPUx,
@{lib}/gdm-runtime-config rPx,
@{lib}/pm-utils/power.d/* rPUx, @{lib}/nfsrahead rPUx,
@{lib}/snapd/snap-device-helper rPx,
@{lib}/crda/* rPUx,
@{lib}/gdm-runtime-config rPx,
@{lib}/systemd/systemd-* rPx,
@{lib}/nfsrahead rPUx,
@{lib}/udev/* rPUx,
@{lib}/open-iscsi/net-interface-handler rPUx, @{lib}/open-iscsi/net-interface-handler rPUx,
@{lib}/pm-utils/power.d/* rPUx,
@{lib}/snapd/snap-device-helper rPx,
@{lib}/systemd/systemd-* rPx,
@{lib}/udev/* rPUx,
/usr/share/hplip/config_usb_printer.py rPUx, /usr/share/hplip/config_usb_printer.py rPUx,
/etc/console-setup/*.sh rPUx, /etc/console-setup/*.sh rPUx,
/etc/network/cloud-ifupdown-helper rPUx, /etc/network/cloud-ifupdown-helper rPUx,
/etc/machine-id r, /etc/machine-id r,
@ -110,5 +110,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
deny /apparmor/.null rw, deny /apparmor/.null rw,
profile systemctl {
include <abstractions/base>
include <abstractions/systemd-common>
capability net_admin,
capability sys_ptrace,
@{bin}/systemctl mr,
/ r,
@{PROC}/sys/kernel/cap_last_cap r,
include if exists <local/systemd-udevd_systemctl>
}
include if exists <local/systemd-udevd> include if exists <local/systemd-udevd>
} }
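Review bot: The new `systemctl` child profile grants `capability sys_ptrace,` and `capability net_admin,` without saying what systemctl needs them for, and `sys_ptrace` in particular lets the confined process read process state it does not own; each should carry a comment tying it to the triggering access, e.g. `capability sys_ptrace, # TODO(review): presumably for reading @{PROC}/1/ state to detect the init system — confirm`. The same question applies to `@{exec_path} mrix,` in the second hunk, where the added `ix` presumably covers udevd re-executing itself (confirm) and deserves a one-line comment. Replacing `@{bin}/* rpux,` and `audit @{bin}/lvm rux,` with explicit `rPx`/`rix`/`rCx` rules is the substantive tightening here and needs no further change.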


@ -1,5 +1,5 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,8 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/apparmor/apparmor.systemd @{exec_path} = @{lib}/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} flags=(complain) { profile apparmor.systemd @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
capability mac_admin, capability mac_admin,
@{exec_path} mr, @{exec_path} mr,
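Review bot: `capability dac_read_search,` is added to apparmor.systemd with no comment; it bypasses read and search permission checks on every path the profile already allows, so the path that triggered the denial should be recorded, e.g. `capability dac_read_search, # TODO(review): name the non-root-readable path this is needed for`. The profile is still `flags=(complain)`, so the grant has no enforcement effect yet, which makes documenting it now cheaper than rediscovering it later. The profile body continues outside the hunk.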


@ -22,7 +22,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
unix (receive) type=stream, unix (receive) type=stream,
@{exec_path} r, @{exec_path} rm,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/cp rix, @{bin}/cp rix,
@{bin}/cut rix, @{bin}/cut rix,


@ -12,7 +12,8 @@ profile dkms-autoinstaller @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} r, @{exec_path} rm,
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/dkms rPx, @{bin}/dkms rPx,
@{bin}/echo rix, @{bin}/echo rix,


@ -45,7 +45,6 @@ profile protonmail-bridge @{exec_path} {
@{bin}/base64 rix, @{bin}/base64 rix,
@{bin}/dirname rix, @{bin}/dirname rix,
@{bin}/env rix, @{bin}/env rix,
@{bin}/env rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/git rPx -> pass//git, @{bin}/git rPx -> pass//git,
@{bin}/gpg{,2} rPx -> pass//gpg, @{bin}/gpg{,2} rPx -> pass//gpg,


@ -14,18 +14,17 @@ profile rngd @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
@{exec_path} mr,
capability dac_read_search, capability dac_read_search,
capability sys_admin, capability sys_admin,
capability sys_nice, capability sys_nice,
network netlink raw, network netlink raw,
/etc/conf.d/rngd r, @{exec_path} mr,
/etc/opensc.conf r,
/etc/conf.d/rngd r,
/etc/machine-id r, /etc/machine-id r,
/etc/opensc.conf r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
@{sys}/devices/virtual/misc/hw_random/rng_available r, @{sys}/devices/virtual/misc/hw_random/rng_available r,


@ -12,5 +12,14 @@ profile snap-failure @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/systemctl rCx -> child-systemctl,
/snap/snapd/@{int}@{lib}/snapd/snapd rPx,
/var/lib/snapd/sequence/snapd.json r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/cmdline r,
include if exists <local/snap-failure> include if exists <local/snap-failure>
} }


@ -20,6 +20,9 @@ profile w @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/uptime r, @{PROC}/uptime r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,


@ -8,36 +8,35 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/whereis @{exec_path} = @{bin}/whereis
profile whereis @{exec_path} flags=(complain) { profile whereis @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{local/,}{s,}bin/{,*/} r, @{bin}/{,*/} r,
/{usr/,}{local/,}games/ r,
@{lib}/go-*/bin/ r,
@{lib}/ r, @{lib}/ r,
/usr/{local/,}{,etc/,lib/} r, @{lib}/go-*/bin/ r,
/usr/{local/,}games/ r,
/usr/include/ r, /usr/include/ r,
/usr/local/{,etc/,lib/} r,
/usr/local/{s,}bin/{,*/} r,
/usr/share/ r, /usr/share/ r,
/usr/share/info/{**,} r, /usr/share/info/{**,} r,
/usr/share/man/{**,} r, /usr/share/man/{**,} r,
/usr/src/{**,} r, /usr/src/{**,} r,
/etc/ r,
/opt/ r, /opt/ r,
/opt/cni/bin/ r, /opt/cni/bin/ r,
/opt/containerd/bin/ r, /opt/containerd/bin/ r,
/etc/ r,
/snap/bin/ r, /snap/bin/ r,
/var/lib/flatpak/exports/bin/ r, /var/lib/flatpak/exports/bin/ r,
owner @{HOME}/.krew/bin/ r,
owner @{HOME}/{.,}go/bin/ r, owner @{HOME}/{.,}go/bin/ r,
owner @{HOME}/{.local/,}{.,}bin/ r, owner @{user_bin_dirs}/ r,
include if exists <local/whereis> include if exists <local/whereis>
} }
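Review bot: The hunk switches whereis from `flags=(complain)` to enforce mode in the same change that rewrites its directory globs, so any directory the old forms matched and the new ones do not is now denied rather than logged. The old `/usr/{local/,}{,etc/,lib/} r,` also matched `/usr/` itself and `/usr/etc/`, which neither `@{lib}/ r,` nor `/usr/local/{,etc/,lib/} r,` covers; whether whereis actually lists those directories is not visible here, but it is worth checking before enforcing. A comment on the profile line such as `profile whereis @{exec_path} { # enforced since this commit: dir globs rewritten to @{bin}/@{lib} forms` would make the two changes attributable when a denial shows up.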


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken # Copyright (C) 2022 Jeroen Rijken
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -15,18 +16,22 @@ profile which @{exec_path} {
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
/{usr/,}{local/,}{s,}bin/ r, @{bin}/{,*/} r,
@{lib}/ r,
@{lib}/go-*/bin/ r, @{lib}/go-*/bin/ r,
/{usr/,}{local/,}games/ r, /usr/{local/,}games/ r,
/usr/include/ r,
/usr/local/{,etc/,lib/} r,
/usr/local/{s,}bin/{,*/} r,
/opt/cni/bin/ r, /opt/cni/bin/ r,
/opt/containerd/bin/ r, /opt/containerd/bin/ r,
/snap/bin/ r, /snap/bin/ r,
/var/lib/flatpak/exports/bin/ r,
owner @{HOME}/{.local/,}/{.,}bin/ r, owner @{HOME}/{.,}go/bin/ r,
owner @{HOME}/.krew/bin/ r, owner @{user_bin_dirs}/ r,
owner @{HOME}/go/bin/ r,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,


@ -16,7 +16,7 @@ profile whiptail @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/etc/newt/palette.ubuntu r, /etc/newt/palette.* r,
owner /tmp/gpm* w, owner /tmp/gpm* w,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,23 +11,24 @@ include <tunables/global>
profile x11-xsession @{exec_path} { profile x11-xsession @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/X-strict>
@{exec_path} r, @{exec_path} r,
@{bin}/{,ba,da}sh rix,
@{bin}/rm rix, @{bin}/{,ba,da}sh rix,
@{bin}/touch rix,
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/which{,.debianutils} rix,
@{bin}/id rix,
@{bin}/chmod rix, @{bin}/chmod rix,
@{bin}/date rix, @{bin}/date rix,
@{bin}/{m,g,}awk rix,
@{bin}/tempfile rix,
@{bin}/sed rix,
@{bin}/head rix,
@{bin}/fold rix, @{bin}/fold rix,
@{bin}/head rix,
@{bin}/id rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/tempfile rix,
@{bin}/touch rix,
@{bin}/which{,.debianutils} rix,
@{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/dbus-update-activation-environment rCx -> dbus,
@ -41,36 +43,29 @@ profile x11-xsession @{exec_path} {
@{bin}/glxinfo rPx, @{bin}/glxinfo rPx,
# Allowed GUI sessions to start # Allowed GUI sessions to start
@{bin}/openbox-session rPx, @{bin}/openbox-session rPx,
@{bin}/enlightenment_start rPUx, @{bin}/enlightenment_start rPUx,
@{bin}/sway rPUx, @{bin}/sway rPUx,
@{bin}/ssh-agent rPx, @{bin}/ssh-agent rPx,
owner /tmp/file* rw,
/etc/default/{,*} r, /etc/default/{,*} r,
/etc/X11/{,**} r, owner /tmp/file* rw,
owner @{HOME}/.Xauthority r,
# Xsession logs
owner @{HOME}/.xsession-errors w,
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
@{bin}/run-parts mr, @{bin}/run-parts mr,
/etc/X11/Xsession.d/ r, /etc/X11/Xsession.d/{,*} r,
/etc/X11/Xresources/ r, /etc/X11/Xresources/{,*} r,
/etc/default/kexec.d/ r, /etc/default/kexec.d/ r,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
include if exists <local/x11-xsession_run-parts>
} }
profile dbus { profile dbus {
@ -81,6 +76,7 @@ profile x11-xsession @{exec_path} {
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
include if exists <local/x11-xsession_dbus>
} }
profile gpg { profile gpg {
@ -95,23 +91,17 @@ profile x11-xsession @{exec_path} {
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
include if exists <local/x11-xsession_gpg>
} }
profile udevadm { profile udevadm {
include <abstractions/base> include <abstractions/base>
include <abstractions/systemd-common>
@{bin}/udevadm mr, @{bin}/udevadm mr,
/etc/udev/udev.conf r, /etc/udev/udev.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/1/sched r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/*/devices/ r, @{sys}/bus/*/devices/ r,
@{sys}/class/ r, @{sys}/class/ r,
@ -119,6 +109,7 @@ profile x11-xsession @{exec_path} {
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{run}/udev/data/* r, @{run}/udev/data/* r,
include if exists <local/x11-xsession_udevadm>
} }
include if exists <local/x11-xsession> include if exists <local/x11-xsession>
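Review bot: The parent profile drops `owner @{HOME}/.Xauthority r,`, `/etc/X11/{,**} r,` and `owner @{HOME}/.xsession-errors w,` in the same hunk that adds `include <abstractions/X-strict>`, so the rewrite relies on that abstraction covering all three, while the child profiles still keep `owner @{HOME}/.xsession-errors w,` under `# file_inherit`, which only helps if the parent can open the log in the first place. If X-strict does not grant the log write (not visible here), keep `owner @{HOME}/.xsession-errors w, # Xsession log, inherited by the child profiles` in the parent. The udevadm child likewise replaces its explicit `@{PROC}/1/sched`, `@{PROC}/1/environ` and `@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,` rules with `include <abstractions/systemd-common>`; worth confirming that abstraction covers the efivars read, since it was dropped without a replacement in this section. The profile's closing brace is outside the shown hunks.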