From bb1c4e053724f7f3035ec4e377dc3df40ed891ba Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 28 Aug 2024 19:19:21 +0100
Subject: [PATCH] feat(profile): modernise the crontab profile. fix #428

---
 apparmor.d/abstractions/app/editor | 9 ++++++---
 apparmor.d/groups/cron/crontab | 10 ++++++++--
 apparmor.d/profiles-a-f/flatpak | 2 ++
 apparmor.d/profiles-a-f/flatpak-app | 5 +++--
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor
index f0972f3e..023696e3 100644
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -1,16 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
 # Copyright (C) 2024 Zane Zakraisek
 # SPDX-License-Identifier: GPL-2.0-only
   include
+  @{sh_path} rix,
+  @{bin}/nvim mrix,
   @{bin}/sensible-editor mr,
   @{bin}/vim{,.*} mrix,
-  @{sh_path} rix,
   @{bin}/which{,.debianutils} rix,
-  /usr/share/vim/{,**} r,
+  /usr/share/nvim/{,**} r,
   /usr/share/terminfo/** r,
+  /usr/share/vim/{,**} r,
   /etc/vimrc r,
   /etc/vim/{,**} r,
@@ -19,11 +22,11 @@
   owner @{HOME}/.viminf@{c}{,.tmp} rw,
   owner @{HOME}/.vimrc r,
-  # Vim swap file
   owner @{HOME}/ r,
   owner @{user_cache_dirs}/ r,
   owner @{user_cache_dirs}/vim/{,**} rw,
   owner @{user_config_dirs}/vim/{,**} r,
+  owner @{user_state_dirs}/nvim/{,**} rw,
   include if exists
diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab
index 3490199a..82d3c543 100644
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@@ -10,9 +10,12 @@ include
 @{exec_path} = @{bin}/crontab
 profile crontab @{exec_path} {
   include
+  include
   include
   include
+  capability dac_read_search,
+  capability net_admin,
   capability setgid,
   capability setuid,
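Review bot: The new `@{bin}/nvim mrix,` and `/usr/share/nvim/{,**} r,` rules let Neovim start and read its system runtime, but nothing in this abstraction covers the per-user configuration Neovim loads from `@{user_config_dirs}/nvim/` (init.vim/init.lua), while the vim equivalent `owner @{user_config_dirs}/vim/{,**} r,` is granted in the second hunk of this file. Consider adding `owner @{user_config_dirs}/nvim/{,**} r,` next to that vim rule. If user-installed plugins are expected to work, `owner @{user_data_dirs}/nvim/{,**} r,` is presumably needed too; confirm against a denial log rather than granting it speculatively.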
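Review bot: Dropping the `# Vim swap file` comment leaves `owner @{HOME}/ r,` and `owner @{user_cache_dirs}/ r,` with no explanation of why an editor abstraction reads the home directory at all; please keep a one-line rationale above that group, e.g. `# Vim swap/undo files (HOME and cache fallbacks), Neovim state (shada, swap, undo, logs)`. The new `owner @{user_state_dirs}/nvim/{,**} rw,` is the Neovim counterpart of the vim cache rule, so the comment should name both editors. Exactly which files Neovim writes under the state dir is not visible from this hunk; trim the wording if it is used for less.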
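Review bot: `capability dac_read_search,` and `capability net_admin,` are granted without a comment naming the operation that needs them, and net_admin has no obvious use in a crontab editor; the usual apparmor.d pattern for a capability that only appears as a stray denial is `deny capability net_admin,` with a comment, so please either name the syscall that requires it or switch to the deny form. dac_read_search is plausible for a setuid/setgid crontab that must read a root-only spool directory, but it bypasses DAC read and search checks on every path the profile allows, so a comment such as `# Read the root-owned spool directory on behalf of the caller` would record the intent. The argument of the newly added `include` line is not legible in this rendering, so what it pulls in could not be reviewed.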
@@ -23,15 +26,17 @@ profile crontab @{exec_path} {
   # When editing the crontab file
   @{bin}/sensible-editor rCx -> editor,
   @{bin}/vim.* rCx -> editor,
+  @{bin}/nvim rCx -> editor,
   /etc/cron.{allow,deny} r,
   /etc/pam.d/* r,
   /var/spool/cron/ r,
   /var/spool/cron/crontabs/ rw,
+  /var/spool/cron/user r,
   owner /var/spool/cron/crontabs/* rw,
-  owner @{tmp}/crontab.*/{,crontab} rw,
+  owner @{tmp}/crontab.@{rand6}/{,crontab} rw,
   profile editor {
     include
@@ -42,7 +47,8 @@ profile crontab @{exec_path} {
     /etc/cron.{allow,deny} r,
     /tmp/ r,
-    owner @{tmp}/crontab.*/crontab rw,
+    owner @{tmp}/crontab.@{rand6}/crontab rw,
+    owner @{tmp}/crontab.@{rand6} rw,
     include if exists
   }
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index 8722612d..f6187940 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -35,6 +35,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   ptrace (read) peer=flatpak-app,
+  signal send peer=flatpak-app,
+
   @{exec_path} mr,
   @{bin}/bwrap rPx -> flatpak-app,
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index 87e9b443..58d4713b 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -44,8 +44,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   ptrace (read),
   ptrace trace peer=flatpak-app,
-  signal (receive) set=(int term) peer=flatpak-portal,
-  signal (receive) set=(int) peer=flatpak-session-helper,
+  signal receive peer=flatpak,
+  signal receive set=(int term) peer=flatpak-portal,
+  signal receive set=(int) peer=flatpak-session-helper,
   @{bin}/** rmix,
   @{lib}/** rmix,
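Review bot: `/var/spool/cron/user r,` matches only a spool file literally named `user`, which reads like a username captured from a test log rather than the cronie per-user spool path `/var/spool/cron/<username>`; if that is what it is meant to cover it needs a glob, and since `crontab -e` also replaces that file, `owner /var/spool/cron/* rw,` (mirroring the `owner /var/spool/cron/crontabs/* rw,` line right below it) is presumably the intended rule. Whether cronie leaves the spool file owned by the invoking user is not visible here, so verify that `owner` is appropriate before adding it. The switch from `crontab.*` to `crontab.@{rand6}` is a welcome tightening of the temp path.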
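Review bot: `owner @{tmp}/crontab.@{rand6} rw,` in the editor child has no counterpart in the parent profile: without a trailing slash it matches a regular file named `crontab.XXXXXX`, not the directory the `/crontab` rule above it lives in, yet the parent's rule in the previous hunk, `owner @{tmp}/crontab.@{rand6}/{,crontab} rw,`, only covers the directory form. If the file form is real (cronie's `crontab -e` creates its temp file with mkstemp directly under `/tmp`), the parent that creates and reads it back needs it as well, e.g. `owner @{tmp}/crontab.@{rand6}{,/,/crontab} rw,`; if it is not, the new child rule is dead. A short comment on whichever form is kept, naming the implementation it serves (Debian cron's directory vs cronie's file), would save the next reader from rediscovering this. The `profile editor {` block starts in the previous hunk.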
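Review bot: `signal receive peer=flatpak,` carries no `set=` while the two rules directly under it restrict the portal and session-helper to `(int term)` and `(int)`; unless the flatpak CLI really sends arbitrary signals to sandboxed apps, it should be narrowed the same way, e.g. `signal receive set=(int term kill) peer=flatpak,`, with the matching `signal send peer=flatpak-app,` added to the flatpak profile in this patch narrowed to the same set. Which signals `flatpak run` and `flatpak kill` actually deliver is not visible here, so confirm the set from the denial log before tightening.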