From bf22e0770f98f7c45e444f6d703847e76dd4908d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 17 Mar 2024 22:47:36 +0000
Subject: [PATCH] feat(profile): improve integration with opensuse.
---
apparmor.d/abstractions/sudo | 6 ++--
apparmor.d/groups/freedesktop/plymouthd | 2 ++
apparmor.d/groups/freedesktop/xrdb | 3 +-
apparmor.d/groups/freedesktop/xset | 2 ++
apparmor.d/groups/kde/ksplashqml | 3 ++
apparmor.d/groups/kde/sddm | 14 ++++++++++
apparmor.d/groups/ssh/sshd | 1 +
apparmor.d/groups/systemd/systemd-logind | 3 +-
apparmor.d/profiles-a-f/agetty | 1 +
apparmor.d/profiles-a-f/flatpak-system-helper | 2 +-
apparmor.d/profiles-g-l/htop | 28 +++++++++++++++++--
apparmor.d/profiles-m-r/packagekitd | 2 ++
apparmor.d/profiles-m-r/passwd | 1 +
apparmor.d/profiles-s-z/udisksd | 7 +++--
14 files changed, 63 insertions(+), 12 deletions(-)
diff --git a/apparmor.d/abstractions/sudo b/apparmor.d/abstractions/sudo
index 33bd8cfc..65963bc7 100644
--- a/apparmor.d/abstractions/sudo
+++ b/apparmor.d/abstractions/sudo
@@ -21,9 +21,9 @@
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
- /etc/sudo.conf r,
- /etc/sudoers r,
- /etc/sudoers.d/{,*} r,
+ @{etc_ro}/sudo.conf r,
+ @{etc_ro}/sudoers r,
+ @{etc_ro}/sudoers.d/{,*} r,
/ r,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 1eaa2494..3dcabc0d 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -12,6 +12,8 @@ profile plymouthd @{exec_path} {
include
include
+ capability checkpoint_restore,
+ capability net_admin,
capability sys_admin,
capability sys_chroot,
capability sys_tty_config,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index c57e61d4..3170e272 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
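Review bot: The new `capability checkpoint_restore,` and `capability net_admin,` lines in the plymouthd hunk carry no comment saying which operation they are for, so a later reader cannot tell a real requirement from a silenced audit message. The profile already grants `capability sys_admin,`, and the kernel accepts CAP_SYS_ADMIN as the fallback for most CAP_CHECKPOINT_RESTORE checks, so the checkpoint_restore denial may be the audit of a first check that a `deny capability checkpoint_restore,` rule would quiet without changing what plymouthd can do; net_admin is a broad grant for a boot splash and deserves the same scrutiny. Please record the triggering syscall or path above each rule, e.g. `# For <syscall seen in the denial>`. The plymouthd profile body continues outside the hunk.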
@@ -24,8 +24,7 @@ profile xrdb @{exec_path} {
/usr/include/stdc-predef.h r,
- /usr/etc/X11/xdm/Xresources r,
-
+ @{etc_ro}/X11/xdm/Xresources r,
/etc/X11/Xresources/* r,
# The location of the .Xresources file
diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset
index 9a597353..18ed7bd2 100644
--- a/apparmor.d/groups/freedesktop/xset
+++ b/apparmor.d/groups/freedesktop/xset
@@ -12,6 +12,8 @@ profile xset @{exec_path} {
include
include
+ capability dac_read_search,
+
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml
index aa5c1030..ebf98abb 100644
--- a/apparmor.d/groups/kde/ksplashqml
+++ b/apparmor.d/groups/kde/ksplashqml
@@ -16,6 +16,9 @@ profile ksplashqml @{exec_path} {
@{exec_path} mr,
+ @{lib}/libheif/ r,
+ @{lib}/libheif/*.so* rm,
+
/usr/share/plasma/** r,
/etc/machine-id r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 82c93c13..492b623f 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -73,9 +73,14 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/cat rix,
@{bin}/checkproc rix,
@{bin}/disable-paste rix,
+ @{bin}/locale rix,
+ @{bin}/manpath rix,
@{bin}/pidof rix,
+ @{bin}/readlink rix,
+ @{bin}/realpath rix,
@{bin}/tr rix,
@{bin}/tty rix,
+ @{bin}/uname rix,
@{bin}/xdm r,
@{bin}/xmodmap rix,
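Review bot: `capability dac_read_search,` in the xset hunk is a blanket bypass of DAC read and search checks on every path the profile's file rules permit, and nothing in the hunk records the file that triggered it. xset is a small X client, so if a root-run instance (for example from a display-manager setup script) was denied on one specific path, the tighter fix is usually a file rule for that path, or `deny capability dac_read_search,` when the access is a probe xset tolerates. Please add a comment naming the triggering access above the rule, in the style this patch already uses for distro-specific lines (`# only: opensuse`). The xset profile body continues outside the hunk.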
@@ -117,19 +122,28 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/{usr/,}etc/security/limits.d/{,*.conf} r,
/{usr/,}etc/X11/Xmodmap r,
/etc/debuginfod/{,*} r,
+ /etc/manpath.config r,
/etc/default/locale r,
/etc/locale.conf r,
/etc/machine-id r,
/etc/sddm.conf r,
/etc/sddm.conf.d/{,*} r,
/etc/shells r,
+ /etc/sysconfig/console r,
/etc/sysconfig/displaymanager r,
+ /etc/sysconfig/language r,
+ /etc/sysconfig/mail r,
+ /etc/sysconfig/proxy r,
+ /etc/sysconfig/windowmanager r,
/ r,
/var/lib/lastlog/ r,
/var/lib/lastlog/* rwk,
+ /var/lib/wtmpdb/ r,
+ /var/lib/wtmpdb/* rwk, + /var/lib/sddm/state.conf rw,
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 57030ccd..8f4b9c37 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -72,6 +72,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*.conf} r,
@{etc_rw}/motd r,
+ @{etc_rw}/motd.d/{,**} r,
/etc/default/locale r,
/etc/gss/mech.d/{,*} r,
/etc/issue.net r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index eac94603..8d94192e 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -53,8 +53,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/etc/systemd/logind.conf r,
- /etc/systemd/sleep.conf r,
/etc/systemd/logind.conf.d/{,**} r,
+ /etc/systemd/sleep.conf r,
+ /etc/systemd/sleep.conf.d/{,**} r,
/ r,
/boot/{,**} r,
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index 66648cbc..bf83779a 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
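Review bot: `@{etc_rw}/motd.d/{,**} r,` in the sshd hunk uses a recursive glob, while the neighbouring directory rules (`@{etc_ro}/security/limits.d/{,*.conf} r,`, `/etc/gss/mech.d/{,*} r,`) are one level deep. pam_motd, as far as I know, only reads the files directly inside motd.d, so `@{etc_rw}/motd.d/{,*} r,` would be both consistent with the rest of the profile and tighter. If subdirectories really are traversed, a short comment above the rule saying so would justify the `**`. The sshd profile body continues outside the hunk.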
@@ -12,6 +12,7 @@ profile agetty @{exec_path} {
include
include
+ capability checkpoint_restore,
capability fsetid,
capability sys_admin,
capability sys_tty_config,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index bb26b07c..58d5a5b6 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -57,7 +57,7 @@ profile flatpak-system-helper @{exec_path} {
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
- @{lib}/gnupg/scdaemon rix,
+ @{lib}/{,gnupg/}scdaemon rix,
@{bin}/gpg-agent rix,
owner /tmp/ostree-gpg-*/ r,
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index d7776e0c..9c56a998 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -83,10 +83,13 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
+ @{sys}/bus/dax/devices/ r,
@{sys}/bus/i2c/devices/ r,
+ @{sys}/bus/soc/devices/ r,
@{sys}/class/hwmon/ r,
@{sys}/class/i2c-adapter/ r,
@{sys}/class/power_supply/ r,
+ @{sys}/devices/@{pci}/i2c-@{int}/name r,
@{sys}/devices/**/hwmon@{int}/ r,
@{sys}/devices/**/hwmon@{int}/{name,temp*} r,
@{sys}/devices/**/hwmon@{int}/**/ r,
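Review bot: `capability checkpoint_restore,` is added to agetty with no comment, as it is to plymouthd in this same patch, and a tty login helper has no obvious use for a checkpoint/restore capability. The profile already holds `capability sys_admin,`, which the kernel accepts as the fallback for most CAP_CHECKPOINT_RESTORE-gated operations, so the logged denial may be the first of two checks that a `deny capability checkpoint_restore,` rule would silence without changing what agetty can do. Please state the triggering syscall above the rule either way. The agetty profile body continues outside the hunk.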
@@ -98,16 +101,37 @@ profile htop @{exec_path} {
@{sys}/devices/**/power_supply/**/{uevent,type,online} r,
@{sys}/devices/*/name r,
@{sys}/devices/i2c-@{int}/name r,
- @{sys}/devices/@{pci}/i2c-@{int}/name r,
@{sys}/devices/platform/*/i2c-@{int}/name r,
- @{sys}/devices/system/cpu/cpu@{int}/online r,
+ @{sys}/devices/system/cpu/cpu@{int}/** r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
+ @{sys}/devices/system/node/node@{int}/cpumap r,
+ @{sys}/devices/system/node/node@{int}/hugepages/ r,
+ @{sys}/devices/system/node/node@{int}/hugepages/hugepages-*/nr_hugepages r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+ @{sys}/devices/system/node/online r,
@{sys}/devices/virtual/block/zram@{int}/{disksize,mm_stat} r,
+ @{sys}/devices/virtual/dmi/id/ r,
+ @{sys}/devices/virtual/dmi/id/bios_date r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/bios_version r,
+ @{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/devices/virtual/dmi/id/chassis_vendor r,
+ @{sys}/devices/virtual/dmi/id/chassis_version r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
+ @{sys}/fs/cgroup/cgroup.controllers r,
+ @{sys}/fs/cgroup/cpuset.cpus.effective r,
+ @{sys}/fs/cgroup/cpuset.mems.effective r,
@{sys}/kernel/mm/hugepages/ r,
@{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
+ @{PROC}/cmdline r,
+ owner @{PROC}/@{pid}/cpuset r,
+ /dev/tty@{int} rw,
include if exists
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index f73e0fa2..67ceca17 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
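Review bot: `@{sys}/devices/system/cpu/cpu@{int}/** r,` in the htop hunk replaces the single-file rule `@{sys}/devices/system/cpu/cpu@{int}/online r,` with read access to the whole per-CPU sysfs subtree, while every other rule added here names exact files (the node, dmi and cgroup entries). I cannot see from the hunk which extra files htop reads, but listing them in the same style, e.g. `@{sys}/devices/system/cpu/cpu@{int}/{online,cpufreq/*,topology/*} r,`, avoids silently covering whatever the kernel adds under cpuN/ later. The new `/dev/tty@{int} rw,` is likewise unqualified; if htop only needs the console it runs on, `owner /dev/tty@{int} rw,` is the more conservative form, assuming the VT is chowned to the logged-in user, which I cannot confirm from here. The htop profile body continues outside the hunk.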
@@ -68,6 +68,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/fc-cache rPx,
@{bin}/glib-compile-schemas rPx,
@{bin}/install-info rPx,
+ @{bin}/rpmdb2solv rPx, # only: opensuse
@{bin}/systemd-inhibit rPx,
@{bin}/update-desktop-database rPx,
@{lib}/apt/methods/* rPx, # only: dpkg
@@ -125,6 +126,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/gpg-agent rix,
@{bin}/scdaemon rix,
+ @{lib}/{,gnupg/}scdaemon rix,
/etc/gcrypt/hwf.deny r,
diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd
index 40d384c8..99d20eb1 100644
--- a/apparmor.d/profiles-m-r/passwd
+++ b/apparmor.d/profiles-m-r/passwd
@@ -18,6 +18,7 @@ profile passwd @{exec_path} {
capability audit_write,
capability chown,
capability fsetid,
+ capability net_admin,
capability setuid,
signal (receive) set=(term, kill) peer=gnome-control-center,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 50185bb9..5e4748a9 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -86,10 +86,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-escape rPx,
- /etc/udisks2/{,**} r,
- /etc/libblockdev/{,**} r,
- /etc/fstab r,
/etc/crypttab r,
+ /etc/fstab r,
+ /etc/libblockdev/{,**} r,
+ /etc/nvme/* r,
+ /etc/udisks2/{,**} r,
/var/lib/udisks2/{,**} r,
/var/lib/udisks2/mounted-fs{,*} rw,
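Review bot: `@{bin}/rpmdb2solv rPx, # only: opensuse` in the first packagekitd hunk transitions to a profile named rpmdb2solv, but this patch adds no such profile (the diffstat lists none), and `Px` to a profile that is not loaded makes the exec fail rather than fall back to unconfined. Unless a rpmdb2solv profile already exists in the tree, it should land in the same change; otherwise openSUSE's PackageKit will hit an exec denial the moment it calls this helper. The packagekitd profile body continues outside both hunks.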
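Review bot: `capability net_admin,` is granted to passwd, a setuid-root binary, without a comment stating which call needs it, and CAP_NET_ADMIN is far outside what changing a password should require. net_admin denials are often a best-effort `setsockopt` (for instance a socket buffer-size request) that the program tolerates when refused; if that is the case here, `deny capability net_admin,` keeps the log quiet without extending what a compromised passwd could do. If there is a real need on openSUSE, such as a PAM module it loads, please say so above the rule, e.g. `# For <module/syscall>`. The passwd profile body continues outside the hunk.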