feat(profile): general update.

Also include some preparation for the systemd profile.
2025-01-18 08:58:15 +01:00 · 2023-11-19 11:08:35 +00:00 · 2023-11-19 11:08:35 +00:00 · b79a1fcd31
commit b79a1fcd31
parent 3197f52a97
31 changed files with 86 additions and 48 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -120,7 +120,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

-  /var/cache/apt/ r,
+  /var/cache/apt/ rw,
  /var/cache/apt/** rwk,

  /var/crash/{,*.@{uid}.crash} rw,
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -69,6 +69,7 @@ profile child-open {
  @{bin}/engrampa          rPx,
  @{bin}/eog              rPUx,
  @{bin}/evince            rPx,
+  @{bin}/extension-manager rPx,
  @{bin}/file-roller      rPUx,
  @{bin}/filezilla         rPx,
  @{bin}/flameshot         rPx,
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -57,8 +57,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{lib}/colord/colord-sane  rPx,
-  @{lib}/colord-sane          rPx,
+  @{lib}/{,colord/}colord-sane  rPx,

  /etc/machine-id r,
  /etc/udev/hwdb.bin r,
@ -79,16 +78,18 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  @{run}/systemd/sessions/* r,

+  @{run}/udev/data/+pci:* r,
  @{run}/udev/data/c81:@{int}  r,         # For video4linux

  @{sys}/class/drm/ r,
  @{sys}/class/video4linux/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
+  @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
+  @{sys}/devices/@{pci}/uevent r,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

-  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/colord>
 }
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{lib}/{,polkit-1/}polkitd
-profile polkitd @{exec_path} {
+profile polkitd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
@ -58,8 +58,8 @@ profile polkitd @{exec_path} {
  /usr/share/polkit-1/actions/*.policy r,
  /usr/share/polkit-1/actions/*.policy.choice r,

-  owner /var/lib/polkit{,-1}/.cache/ rw,
        /var/lib/polkit{,-1}/localauthority/{,**} r,
+  owner /var/lib/polkit{,-1}/.cache/ rw,

  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@ -34,6 +34,11 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
  /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
  /var/lib/snapd/desktop/applications/mimeinfo.cache w,

+  owner @{user_share_dirs}/.mimeinfo.cache.* rw,
+  owner @{user_share_dirs}/{,**/} r,
+  owner @{user_share_dirs}/**.desktop r,
+  owner @{user_share_dirs}/mimeinfo.cache w,
+
  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -20,6 +20,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
  include <abstractions/nvidia>
  include <abstractions/user-download>
  include <abstractions/vulkan>
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -22,6 +22,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/opencl>
  include <abstractions/vulkan>

+  capability dac_override,
  capability dac_read_search,
  capability ipc_owner,
  capability perfmon,
@ -30,11 +31,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  capability sys_admin,
  capability sys_rawio,

-  # These can be denied?
-  #audit capability dac_override,
-  #audit capability sys_nice,
-  #capability sys_tty_config,
-
  signal (send) set=(usr1),

  signal (receive) peer=lightdm,
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@ -35,10 +35,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/Xorg              rPx,
+  @{bin}/dbus-daemon       rPx,
  @{bin}/dbus-run-session  rPx,
-  /etc/gdm{3,}/Xsession         rPx,
+  @{bin}/Xorg              rPx,
  /etc/gdm{3,}/Prime/Default    rix,
+  /etc/gdm{3,}/Xsession         rPx,

  /usr/share/gdm/gdm.schemas r,

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -524,7 +524,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/pulse/client.conf r,
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,
  /var/lib/gdm{3,}/.local/share/applications/{,**} r,
-  /var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
+  /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw,
  /var/lib/gdm{3,}/.local/share/icc/{,*} rw,

  /var/lib/gdm{3,}/greeter-dconf-defaults r,
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -137,7 +137,9 @@ profile gsd-xsettings @{exec_path} {
  @{etc_ro}/xdg/Xwayland-session.d/ r,
  @{etc_ro}/xdg/Xwayland-session.d/* rix,

+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm3/greeter-dconf-defaults r,

  owner @{user_cache_dirs}/mesa_shader_cache/index rw,

--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -93,6 +93,8 @@ profile pacman @{exec_path} {
  @{bin}/perl                        rix,
  @{bin}/pkgfile                     rPUx,
  @{bin}/pkill                       rix,
+  @{bin}/mkdir                       rix,
+  @{bin}/setfacl                     rix,
  @{bin}/pwd                         rix,
  @{bin}/rm                          rix,
  @{bin}/rsync                       rix,
--- a/apparmor.d/groups/ssh/sshfs
+++ b/apparmor.d/groups/ssh/sshfs
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,41 +11,40 @@ include <tunables/global>
 profile sshfs @{exec_path} flags=(complain) {
  include <abstractions/base>

-  @{exec_path} mr,
+  mount fstype=fuse.sshfs -> @{HOME}/*/,
+  mount fstype=fuse.sshfs -> @{HOME}/*/*/,

  unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),

+  @{exec_path} mr,
+
  @{bin}/ssh            rPx,
  @{bin}/fusermount{,3} rCx -> fusermount,

-  /dev/fuse rw,
-
-  mount fstype=fuse.sshfs -> @{HOME}/*/,
-  mount fstype=fuse.sshfs -> @{HOME}/*/*/,
-
  @{PROC}/sys/fs/pipe-max-size r,

+  /dev/fuse rw,

  profile fusermount flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

-    # To mount anything:
    capability sys_admin,

+    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
+    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
+
    unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),

    @{bin}/fusermount{,3} mr,

-    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
-    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
-
    /etc/fuse.conf r,

-    /dev/fuse rw,
-
    @{PROC}/@{pid}/mounts r,

+    /dev/fuse rw,
+
+    include if exists <local/sshfs_fusermount>
  }

  include if exists <local/sshfs>
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -68,7 +68,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  @{sys}/kernel/uevent_seqnum r,
  @{sys}/devices/**/read_ahead_kb r,

+        @{PROC}/@{pid}/cgroup r,
        @{PROC}/devices r,
+        @{PROC}/pressure/* r,
        @{PROC}/sysvipc/{shm,sem,msg} r,
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -15,6 +15,13 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {

  capability sys_admin,  # To set a hostname

+  dbus bind bus=system name=org.freedesktop.hostname1,
+
+  dbus receive bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.hostname1
+       member=SetHostname 
+       peer=(name=:*, label=systemd//&systemd-networkd),
+
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName,GetConnectionUnixUser}
@ -35,9 +42,6 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
       member=Set*Hostname
       peer=(name=:*, label=hostnamectl),

-  dbus bind bus=system
-       name=org.freedesktop.hostname[0-9],
-
  @{exec_path} mr,

  @{etc_rw}/.#hostname* rw,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -70,12 +70,13 @@ profile systemd-journald @{exec_path} {
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/module/printk/parameters/time r,

-  @{PROC}/@{pids}/comm r,
-  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/attr/current r,
-  @{PROC}/@{pids}/sessionid r,
-  @{PROC}/@{pids}/loginuid r,
  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/comm r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/sessionid r,
+  @{PROC}/pressure/* r,
  @{PROC}/sys/kernel/hostname r,

  /dev/kmsg rw,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -66,6 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  /etc/systemd/sleep.conf r,
  /etc/systemd/logind.conf.d/{,**} r,

+  / r,
  /boot/{,**} r,
  /swap/swapfile r,
  /swapfile r,
@ -138,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{PROC}/@{pid}/sessionid r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/1/cmdline r,
+  @{PROC}/pressure/* r,
  @{PROC}/swaps r,
  @{PROC}/sysvipc/{shm,sem,msg} r,

--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -25,5 +25,7 @@ profile systemd-modules-load @{exec_path} {
  /etc/modules-load.d/ r,
  /etc/modules-load.d/*.conf r,

+  @{sys}/module/compression r,
+
  include if exists <local/systemd-modules-load>
 }
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -76,6 +76,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/product_version r,

+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
  @{PROC}/sys/net/ipv{4,6}/** rw,

  include if exists <local/systemd-networkd>
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/resolve/{,**} rw,
  owner @{run}/systemd/journal/socket w,

+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,

--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -21,13 +21,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,

+  dbus bind bus=system name=org.freedesktop.timesync1,
+
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

-  dbus bind bus=system name=org.freedesktop.timesync1,
-
  @{exec_path} mr,

  @{etc_rw}/adjtime r,
@ -36,11 +36,14 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {

  owner /var/lib/systemd/timesync/clock rw,

-  owner @{run}/systemd/journal/socket w,
-  owner @{run}/systemd/timesync/synchronized rw,
        @{run}/resolvconf/*.conf r,
        @{run}/systemd/netif/state r,
        @{run}/systemd/notify rw,
+  owner @{run}/systemd/journal/socket w,
+  owner @{run}/systemd/timesync/synchronized rw,
+
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,

  include if exists <local/systemd-timesyncd>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -108,13 +108,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  @{sys}/** rw,

+        @{PROC}/@{pid}/mountinfo r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/devices r,
        @{PROC}/driver/nvidia/gpus/ r,
        @{PROC}/driver/nvidia/gpus/*/information r,
+        @{PROC}/pressure/* r,
+        @{PROC}/sys/fs/nr_open r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid r,
-        @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/oom_score_adj rw,

  /dev/ rw,
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@ -22,10 +22,10 @@ profile systemd-user-runtime-dir @{exec_path} {
  mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
  umount @{run}/user/@{uid}/,

-  dbus send bus=system path=/org/freedesktop/login[0-9]
+  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.DBus.Properties
       member=Get
-       peer=(name=org.freedesktop.login[0-9]),
+       peer=(name=org.freedesktop.login1),

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@ -30,5 +30,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {

  @{run}/systemd/userdb/{,**} rw,

+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
+
  include if exists <local/systemd-userdbd>
 }
--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@ -17,6 +17,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  /etc/machine-id r,
+  /etc/shadow r,

  @{run}/systemd/userdb/ r,

--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -100,7 +100,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /boot/EFI/*/.goutputstream-@{rand6} rw,
  /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
  /boot/EFI/*/fwupdx@{int}.efi rw,
-  @{lib}/fwupd/efi/fwupdx@{int}.efi r,
+  @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
--- a/apparmor.d/profiles-g-l/haveged
+++ b/apparmor.d/profiles-g-l/haveged
@ -25,8 +25,8 @@ profile haveged @{exec_path} {
  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  /dev/random w,

-  @{sys}/devices/system/cpu/cpu*/cache/ r,
-  @{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/ r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r,

  include if exists <local/haveged>
 }
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/irqbalance
-profile irqbalance @{exec_path} {
+profile irqbalance @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

  capability setpcap,
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@ -27,6 +27,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {

  @{etc_rw}/lvm/** rwkl,

+  @{run}/lock/ rw,
  @{run}/lock/lvm/ rw,
  @{run}/lock/lvm/* rwk,
  @{run}/lvm/** rwk,
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -101,14 +101,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  @{bin}/appstreamcli                rPx,
  @{bin}/arch-audit                  rPx, # only: arch
  @{bin}/dpkg                        rPx -> child-dpkg, # only: dpkg
+  @{bin}/fc-cache                    rPx
  @{bin}/glib-compile-schemas        rPx,
+  @{bin}/install-info                rPx 
  @{bin}/systemd-inhibit             rPx,
  @{bin}/update-desktop-database     rPx,
  @{lib}/apt/methods/*               rPx, # only: dpkg
  @{lib}/cnf-update-db               rPx,
  @{lib}/update-notifier/update-motd-updates-available  rPx,
  @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
-  /usr/share/libalpm/scripts/*            rPx,
+  /usr/share/libalpm/scripts/*       rPx,

  # Install/update packages
  / r,
@ -122,6 +124,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {

        /tmp/apt-changelog-@{rand6}/ w,
        /tmp/apt-changelog-@{rand6}/*.changelog rw,
+  owner /tmp/alpm_*/{,**} rw,
  owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
  owner /tmp/packagekit* rw,

--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@ -8,13 +8,14 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/rngd
-profile rngd @{exec_path} {
+profile rngd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

  capability dac_read_search,
+  capability net_admin,
  capability sys_admin,
  capability sys_nice,

--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -94,7 +94,7 @@ profile sudo @{exec_path} {
  @{PROC}/sys/kernel/seccomp/actions_avail r,

        /dev/ r,    # interactive login
-        /dev/ptmx rw,
+        /dev/ptmx rwk,
  owner /dev/tty@{int} rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,