From b5fbef8eefe2cef29478cc97612c70370df19956 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 8 Oct 2023 14:00:21 +0100 Subject: [PATCH] feat(profiles): general update. --- .../groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/pacman/mkinitcpio | 3 +- apparmor.d/groups/pacman/pacman | 1 - apparmor.d/groups/systemd/systemd-timedated | 7 ++- apparmor.d/profiles-a-f/chronyd | 36 ++++++++++++-- apparmor.d/profiles-a-f/element | 2 + apparmor.d/profiles-g-l/logrotate | 1 + apparmor.d/profiles-m-r/nvtop | 1 + apparmor.d/profiles-m-r/passimd | 4 ++ apparmor.d/profiles-s-z/snapd | 4 +- apparmor.d/profiles-s-z/sudo | 2 +- apparmor.d/profiles-s-z/thunderbird-vaapitest | 2 + apparmor.d/profiles-s-z/udisksd | 1 + apparmor.d/profiles-s-z/userdel | 4 +- apparmor.d/profiles-s-z/usermod | 25 ++++------ apparmor.d/profiles-s-z/vlc | 1 + apparmor.d/profiles-s-z/warzone2100 | 48 ------------------- 17 files changed, 62 insertions(+), 82 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/warzone2100 diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 623b1779..818ecff8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -120,7 +120,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /.flatpak-info r, /usr/share/pipewire/client.conf r, - /usr/share/xdg-desktop-portal/portals/{,*.portal} r, + /usr/share/xdg-desktop-portal/** r, /etc/pipewire/client.conf.d/ r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 69b47afe..1cacb88a 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -17,6 +17,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, + network unix stream, + @{exec_path} rmix, @{bin}/{,ba}sh rix, 
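Review bot: `/usr/share/xdg-desktop-portal/** r,` does not match the directory `/usr/share/xdg-desktop-portal/` itself, so a listing of that directory would still be denied, while the rest of this patch uses the `{,**}` form for exactly that case (`/var/lib/passim/{,**} r,`, `/etc/chrony/{,**} r,`). If the portal enumerates the directory, `/usr/share/xdg-desktop-portal/{,**} r,` is the consistent rule. The widening from `portals/{,*.portal}` to the whole tree is read-only vendor data, so the grant itself looks acceptable. The enclosing profile block starts and ends outside the hunk.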
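Review bot: `network unix stream,` grants every unix-stream socket operation to any peer, whereas the silencer it stands in for (`deny unix (receive) type=stream,`, dropped in this file's second hunk) only covered receive. If the denial being addressed comes from a known peer, the fine-grained form the old rule already used keeps the grant scoped, `unix (send, receive) type=stream peer=(label=PEER-LABEL),` with PEER-LABEL replaced by the actual profile name; a one-line comment naming what needs the socket would help as well. The pacman hunk drops the same deny without adding any unix rule, so those attempts will now be logged rather than silenced unless that is the intent. The enclosing profile block starts and ends outside the hunk.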
@@ -117,7 +119,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { deny /apparmor/.null rw, deny network inet stream, deny network inet6 stream, - deny unix (receive) type=stream, include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 3f86cd7e..958f3ad4 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -159,7 +159,6 @@ profile pacman @{exec_path} { # Silencer, deny @{HOME}/ r, deny /tmp/ r, - deny unix (receive) type=stream, profile gpg { include diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 7b03073d..b2beaae9 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -27,13 +27,10 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member={Get,GetAll}, - dbus bind bus=system - name=org.freedesktop.timedate[0-9], + dbus bind bus=system name=org.freedesktop.timedate[0-9], @{exec_path} mr, - /dev/rtc[0-9] r, - @{etc_rw}/.#adjtime* rw, @{etc_rw}/adjtime rw, @@ -45,5 +42,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify rw, + /dev/rtc@{int} r, + include if exists } diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index dc2cc393..01e173e3 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -2,6 +2,8 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Based on https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/usr.sbin.chronyd + abi , include 
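Review bot: Dropping `@{etc_rw}/.#adjtime* rw,` while keeping `@{etc_rw}/adjtime rw,` assumes timedated writes adjtime in place; systemd generally writes such files through a `.#<name>` temporary that is then renamed, and if that holds here the removal will surface as a denial the next time the RTC mode is changed (for example via `timedatectl set-local-rtc`). Worth confirming with an actual write before the rule goes, and restoring it if the temporary is still used. The `dbus bind` consolidation and the move of the `/dev/rtc@{int} r,` rule are fine. The enclosing profile block starts and ends outside both hunks.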
@@ -11,11 +13,16 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { include include + capability chown, capability dac_override, capability dac_read_search, + capability net_admin, capability net_bind_service, + capability net_raw, capability setgid, capability setuid, + capability sys_nice, + capability sys_resource, capability sys_time, network inet dgram, @@ -24,14 +31,33 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/chrony.conf r, + /etc/adjtime r, + /etc/chrony.* r, /etc/chrony.d/{,*} r, + /etc/chrony/{,**} r, - /var/lib/chrony/drift* rw, + /var/lib/chrony/{,*} rw, + /var/log/chrony/{,*} rw, - @{run}/chrony-dhcp/ r, - @{run}/chrony/chronyd.pid rw, - @{run}/chrony/chronyd.sock rw, + # To sign replies to MS-SNTP clients by the smbd daemon + /var/lib/samba/ntp_signd/socket rw, + + @{run}/chrony-dhcp/{,*} r, + @{run}/chrony.*.sock rw, + @{run}/chrony/{,*} rw, + + # Allow reading the chronyd configuration file that timemaster(8) generates + @{run}/timemaster/chrony.conf r, + + # Using the “tempcomp” directive gives chronyd the ability to improve + # the stability and accuracy of the clock by compensating the temperature + # changes measured by a sensor close to the oscillator. + @{sys}/class/hwmon/hwmon@{int}/temp@{int}_input r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp@{int}_input r, + + /dev/pps@{int} rw, + /dev/ptp@{int} rw, + /dev/rtc{,@{int}} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/element b/apparmor.d/profiles-a-f/element index e3589107..1fac85f9 100644 --- a/apparmor.d/profiles-a-f/element +++ b/apparmor.d/profiles-a-f/element @@ -84,6 +84,8 @@ profile element @{exec_path} { owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty rw, + deny / r, deny @{HOME}/ r, deny @{user_share_dirs}/gvfs-metadata/* r, 
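Review bot: Five capabilities are added (`chown`, `net_admin`, `net_raw`, `sys_nice`, `sys_resource`) with no comment on what needs them, and `net_admin`/`net_raw` in particular are among the broadest grants a network daemon can receive. If they are carried over from the Debian profile cited in the new header, its rationale should come with them, e.g. `# net_admin/net_raw: hardware timestamping (hwtimestamp) and binddevice directives` above those two, assuming that is what they are for, which the hunk does not show. `sys_resource` and `sys_nice` look tied to optional tuning rather than baseline operation and deserve the same one-line reason. The enclosing profile block starts and ends outside the hunk.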
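Review bot: `/etc/chrony.* r,` replaces the specific `/etc/chrony.conf r,` and also matches a key file such as `/etc/chrony.keys` where one exists; that read is legitimately chronyd's, but the glob deserves a comment naming both files so the wider match reads as intended, e.g. `# chrony.conf and the keyfile (chrony.keys)`. Separately, the `\ No newline at end of file` marker shows the profile still ends without a trailing newline; since this commit rewrites the tail of the file, it is a good moment to add one so the file matches the others in the set. The enclosing profile block starts outside the hunk.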
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 83b53d68..c9783723 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -35,6 +35,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, + @{bin}/setfacl rix, @{bin}/shred rix, @{bin}/xz rix, @{bin}/zstd rix, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 56fdddab..5c270a5d 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -50,6 +50,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/stat r, @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + /dev/char/509:@{int} w, /dev/dri/ r, /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw, diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 40e4d0ed..e725ecfe 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -24,8 +24,12 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /usr/share/dbus-1/interfaces/org.freedesktop.Passim.xml r, + /etc/passim.conf r, + /var/lib/passim/{,**} r, /var/lib/passim/data/{,**} rw, + @{PROC}/@{pid}/cmdline r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 8e2f2ae9..84d34247 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -39,8 +39,8 @@ profile snapd @{exec_path} { network inet6 dgram, network netlink raw, - mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/, - umount /tmp/syscheck-mountpoint-[0-9]*/, + mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/, + umount /tmp/syscheck-mountpoint-@{int}/, umount /snap/*/*/, ptrace (read) peer=snap, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 0280c78f..c34c8de7 100644 --- a/apparmor.d/profiles-s-z/sudo 
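Review bot: `/dev/char/509:@{int} w,` hard-codes char major 509; if that is the nvidia-caps major (the neighbouring `/dev/nvidia-caps/` rule suggests so), it is allocated dynamically at module load and can differ between machines and driver versions, so the rule may silently not apply elsewhere. A comment making the assumption visible, e.g. `# nvidia-caps (dynamic major, may differ per system)`, is the minimum; write-only access without read is also unusual for a monitoring tool and worth a word. The enclosing profile block starts and ends outside the hunk.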
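Review bot: `@{PROC}/@{pid}/cmdline r,` in the passimd hunk has no `owner` qualifier, so it permits reading the command line of any process whose pid matches the pattern rather than only passimd's own; the element hunk in this same patch uses `owner @{PROC}/@{pid}/...` for the same kind of access. Unless passimd inspects other processes, `owner @{PROC}/@{pid}/cmdline r,` is the tighter and more consistent rule. The enclosing profile block starts outside the hunk.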
+++ b/apparmor.d/profiles-s-z/sudo @@ -37,7 +37,7 @@ profile sudo @{exec_path} { signal (send) peer=unconfined, signal (send) set=(cont,hup) peer=su, - signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot}, + signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot,pacman}, signal (send,receive) peer=cockpit-bridge, dbus send bus=system path=/org/freedesktop/login[0-9] diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index e5c5f9e6..7739c01e 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -9,6 +9,7 @@ include @{name} = thunderbird{,-bin} @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{HOME}/.@{name}/ +@{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{lib_dirs}/vaapitest profile thunderbird-vaapitest @{exec_path} { @@ -29,6 +30,7 @@ profile thunderbird-vaapitest @{exec_path} { @{sys}/devices/@{pci}/{irq,resource,revision} r, + deny @{cache_dirs}/*/startupCache/** r, deny @{config_dirs}/*/.parentlock rw, deny @{config_dirs}/*/startupCache/** r, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 334a45c7..ab62573b 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -123,6 +123,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /var/lib/udisks2/mounted-fs{,*} rw, # Be able to create/delete dirs for removable media + @{MOUNTDIRS}/ rw, @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 7dd95453..182a770b 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -20,10 +20,10 @@ profile userdel @{exec_path} flags=(attach_disconnected) { capability fsetid, capability sys_ptrace, - ptrace (read), - network netlink raw, + ptrace (read), + @{exec_path} mr, /etc/login.defs r, 
diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index 101e26a5..39211dbc 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,31 +13,23 @@ profile usermod @{exec_path} flags=(attach_disconnected) { include include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, - capability fsetid, - - # To read user home files and change their user/group. - # usermod: Failed to change ownership of the home directory capability dac_read_search, - - # To move user home files to a new location. capability fowner, - - # To prevent removing a user when it's used by some process. + capability fsetid, capability sys_ptrace, - ptrace (read), network netlink raw, + ptrace (read), + @{exec_path} mr, @{bin}/nscd rix, /etc/login.defs r, + /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} w, @@ -52,16 +45,14 @@ profile usermod @{exec_path} flags=(attach_disconnected) { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - /etc/subuid r, - - @{PROC}/ r, - @{PROC}/@{pids}/task/ r, - # To create and move user dirs @{HOME}/{,**} rw, /var/ r, /var/lib/ r, /var/lib/*/{,**} rw, + @{PROC}/ r, + @{PROC}/@{pids}/task/ r, + include if exists } diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 28840870..cdee0d5f 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -21,6 +21,7 @@ profile vlc @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/warzone2100 b/apparmor.d/profiles-s-z/warzone2100 deleted file mode 100644 index edaedf32..00000000 
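Review bot: The rewrite of the usermod profile drops the why-comment on each capability (`# To write records to the kernel auditing log.`, `# To prevent removing a user when it's used by some process.`, and the others), leaving `capability audit_write,` through `capability sys_ptrace,` unexplained; capabilities are the grants most worth documenting in a profile. Keeping those comments, or at least a one-line reason per capability, preserves that information alongside the reordering. The enclosing profile block starts and ends outside this hunk.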
--- a/apparmor.d/profiles-s-z/warzone2100
+++ /dev/null
@@ -1,48 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/warzone2100
-profile warzone2100 @{exec_path} {
- include
- include
- include
- include
- include
- include
- include
- include
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- deny ptrace (read),
-
- @{exec_path} mr,
-
- @{bin}/{,ba,da}sh rix,
- @{bin}/which{,.debianutils} rix,
-
- owner @{user_share_dirs}/warzone2100-*/ rw,
- owner @{user_share_dirs}/warzone2100-*/** rw,
-
- # What's this for?
- deny owner @{user_share_dirs}/applications/*.desktop w,
-
- /usr/share/warzone2100/{,**} r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- deny @{PROC}/@{pids}/cmdline r,
- @{PROC}/@{pids}/stat r,
-
- include if exists
-}