From bfa22933796ec4710576c695a6bea4862eb5dc19 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 8 May 2021 19:06:48 +0100
Subject: [PATCH] Profile update.
---
 apparmor.d/groups/bus/dbus-daemon | 2 +-
 apparmor.d/groups/desktop/at-spi-bus-launcher | 2 +-
 apparmor.d/groups/desktop/at-spi2-registryd | 2 +-
 apparmor.d/groups/desktop/blueman | 2 +-
 apparmor.d/groups/desktop/colord | 4 +---
 apparmor.d/groups/gnome/gdm | 5 +++--
 apparmor.d/groups/gnome/gdm-session-worker | 2 +-
 apparmor.d/groups/gnome/gdm-x-session | 3 +++
 apparmor.d/groups/gnome/gdm-xsession | 10 +++++++---
 apparmor.d/groups/gnome/gjs-console | 3 ++-
 apparmor.d/groups/gnome/gnome-session-binary | 13 +++++++++++--
 apparmor.d/groups/gnome/gnome-shell | 2 +-
 .../groups/gnome/gnome-shell-hotplug-sniffer | 16 ++++++++++++++++
 apparmor.d/groups/gnome/gsd-color | 2 ++
 apparmor.d/groups/gnome/gsd-keyboard | 2 ++
 apparmor.d/groups/gnome/gsd-media-keys | 1 +
 apparmor.d/groups/gnome/gsd-power | 3 ++-
 apparmor.d/groups/gnome/gsd-wacom | 2 ++
 apparmor.d/groups/gnome/gsd-xsettings | 3 ++-
 apparmor.d/profiles-a-l/logrotate | 3 +++
 apparmor.d/profiles-m-z/xhost | 1 +
 21 files changed, 64 insertions(+), 19 deletions(-)
 create mode 100644 apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 197c336e..447cefce 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -53,7 +53,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 @{sys}/module/apparmor/parameters/enabled r,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
- @{run}/systemd/sessions/[0-9].ref rw,
+ @{run}/systemd/sessions/[0-9]*.ref rw,
 @{run}/systemd/users/@{uid} r,
 owner @{run}/user/@{uid}/dbus-1/ rw,
 owner @{run}/user/@{uid}/dbus-1/services/ rw,
diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher
index 670174a3..7054246b 100644
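Review bot: The widened `@{run}/systemd/sessions/[0-9]*.ref rw,` still matches only session ids that begin with a digit, so sessions that logind names with a `c` prefix (the form it falls back to when no audit session id is available — confirm whether that applies on the target systems) would remain denied; `@{run}/systemd/sessions/{c,}[0-9]*.ref rw,` would cover both spellings. Note also that `*` in an AppArmor path matches any run of characters except `/`, so `[0-9]*` also matches `[0-9]*.ref`. The same widening is made in colord, gdm, gdm-session-worker, gnome-session-binary and gnome-shell on this page, and in gdm the new `@{run}/systemd/sessions/[0-9]* r,` already subsumes the `@{run}/systemd/sessions/[0-9]*.ref r,` line directly beneath it. The enclosing dbus-daemon profile block starts and ends outside the hunk.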
--- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher @@ -32,7 +32,7 @@ profile at-spi-bus-launcher @{exec_path} { owner @{HOME}/.Xauthority r, /var/lib/lightdm/.Xauthority r, - @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/gdm/Xauthority r, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/desktop/at-spi2-registryd b/apparmor.d/groups/desktop/at-spi2-registryd index e820386f..697a9ae5 100644 --- a/apparmor.d/groups/desktop/at-spi2-registryd +++ b/apparmor.d/groups/desktop/at-spi2-registryd @@ -22,7 +22,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, /var/lib/lightdm/.Xauthority r, - @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/gdm/Xauthority r, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/desktop/blueman b/apparmor.d/groups/desktop/blueman index 2c4ed938..ce34a418 100644 --- a/apparmor.d/groups/desktop/blueman +++ b/apparmor.d/groups/desktop/blueman @@ -76,7 +76,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/gdm/Xauthority r, # file_inherit /dev/dri/card[0-9]* rw, diff --git a/apparmor.d/groups/desktop/colord b/apparmor.d/groups/desktop/colord index aee44656..f63c5232 100644 --- a/apparmor.d/groups/desktop/colord +++ b/apparmor.d/groups/desktop/colord @@ -30,8 +30,6 @@ profile colord @{exec_path} flags=(attach_disconnected) { /usr/share/color/icc/{,**} r, - owner @{run}/systemd/sessions/[0-9] r, - @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP}-*/{enabled,edid} r, 
@@ -45,7 +43,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/icc/edid-*.icc r, - @{run}/systemd/sessions/[0-9] r, + @{run}/systemd/sessions/[0-9]* r, include if exists } diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 113f25e2..adf65127 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -28,6 +28,7 @@ profile gdm @{exec_path} { /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, + /usr/share/xsessions/*.desktop r, /etc/gdm/custom.conf r, /etc/locale.conf r, @@ -38,8 +39,8 @@ profile gdm @{exec_path} { @{run}/gdm/gdm.pid rw, @{run}/gdm/greeter/ rw, @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/sessions/[0-9] r, - @{run}/systemd/sessions/[0-9].ref r, + @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/[0-9]*.ref r, @{run}/systemd/userdb/ r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 5bef1cc5..e377402e 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -54,7 +54,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, @{run}/faillock/[a-zA-z0-9]* rwk, - @{run}/systemd/sessions/[0-9].ref rw, + @{run}/systemd/sessions/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index a63edb9d..be8662f8 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -20,6 +20,9 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/gdm.schemas r, /var/lib/gdm/.cache/gdm/Xauthority rw, + @{run}/user/@{uid}/gdm/ w, + @{run}/user/@{uid}/gdm/Xauthority rw, + owner @{PROC}/@{pid}/fd/ r, /dev/tty[0-9]* rw, 
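Review bot: In gdm-x-session the two added rules `@{run}/user/@{uid}/gdm/ w,` and `@{run}/user/@{uid}/gdm/Xauthority rw,` are the only new `@{run}/user/@{uid}/` rules in this commit without the `owner` qualifier, while every other hunk on the page adds or tightens that same path to `owner @{run}/user/@{uid}/gdm/Xauthority r,`. If gdm-x-session creates the cookie as the session user, which the `@{uid}` variable suggests, `owner @{run}/user/@{uid}/gdm/ w,` and `owner @{run}/user/@{uid}/gdm/Xauthority rw,` give the same access while confining the write to the user's own runtime directory, consistent with the rest of the change. The enclosing profile block starts and ends outside the hunk.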
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 3b973951..dcf20164 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -13,7 +13,7 @@ profile gdm-xsession @{exec_path} { include include - @{exec_path} r, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/zsh rix, @@ -21,22 +21,26 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/gnome-session rix, /{usr/,}bin/gsettings rix, /{usr/,}bin/id rix, + /{usr/,}bin/tty rix, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/xhost rPx, /{usr/,}lib/gnome-session-binary rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/X11/{,**} r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + profile dbus { include /{usr/,}bin/dbus-update-activation-environment mr, - # file_inherit owner @{HOME}/.xsession-errors w, - } include if exists diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 2f89c577..26d526e6 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -52,7 +52,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + @{run}/user/@{uid}/wayland-cursor-shared-* rw, /dev/ r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 3145afb5..8f15c2f3 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}lib/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include + include include include 
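Review bot: In gjs-console the added `@{run}/user/@{uid}/wayland-cursor-shared-* rw,` is the one rule in the hunk on a per-user runtime path that lacks `owner`, even though the dconf lines above it carry it and this same hunk tightens the neighbouring Xauthority rule to `owner` for exactly that reason. Since the cursor shared-memory file lives in the user's own runtime directory, `owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,` grants the same access with the same uid check as its neighbours. The enclosing profile block starts and ends outside the hunk.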
@@ -40,12 +42,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/applications/org.gnome.Shell.desktop r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, owner @{user_config_dirs}/gnome-session/saved-session/ r, owner @{user_config_dirs}/gtk-3.0/bookmarks rw, owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw, + owner @{user_cache_dirs}/mesa_shader_cache/index rw, + # Users xdg owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, @@ -66,18 +71,22 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /tmp/.ICE-unix/[0-9]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/[0-9] r, - @{run}/systemd/sessions/[0-9].ref rw, + @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, @{sys}/devices/**/{vendor,device} r, owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/sys/dev/i915/perf_stream_paranoid r, /dev/null r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 03c9fee7..a2d9b17c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -92,7 +92,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/[0-9] r, + @{run}/systemd/sessions/[0-9]* r, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/tags/seat/ r, 
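Review bot: In gnome-session-binary, `owner @{user_cache_dirs}/mesa_shader_cache/index rw,` covers only the index file; Mesa's disk shader cache also writes entries below hashed subdirectories of `mesa_shader_cache/`, so if gnome-session-binary really initialises GL (which this page cannot confirm) further denials under that directory are likely. Rather than widening pre-emptively to `owner @{user_cache_dirs}/mesa_shader_cache/{,**} rw,`, collect the denials first so the rule stays as narrow as the observed access. The enclosing profile block starts and ends outside the hunk.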
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer new file mode 100644 index 00000000..6aadba7b --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/gnome-shell-hotplug-sniffer +profile gnome-shell-hotplug-sniffer @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 98d48db4..03ea22f5 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -25,6 +25,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.local/share/icc/ r, /var/lib/gdm/.local/share/icc/edid-*.icc r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 4fef0886..ab21da78 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -21,6 +21,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 2c01197c..7b425ee1 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -34,6 +34,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/client.conf r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/pulse/ r, @{run}/systemd/inhibit/[0-9]*.ref rw, 
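Review bot: The new gnome-shell-hotplug-sniffer profile grants only `@{exec_path} mr,` plus whatever the include (its target is not rendered here) supplies, and it is in enforce mode, so any file the service inspects on a newly mounted volume — its job, as far as the name indicates — will be denied until rules are added. Other profiles in this repository run in complain mode while access is being characterised (logrotate on this page uses `flags=(attach_disconnected, complain)`); starting with `profile gnome-shell-hotplug-sniffer @{exec_path} flags=(complain) {` and tightening after the denials are collected avoids silently breaking the feature. It is also worth confirming which profile carries the exec transition to this binary, since it appears to be started on demand rather than forked directly by gnome-shell.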
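Review bot: The rule `owner @{run}/user/@{uid}/gdm/Xauthority r,` added in gsd-color is repeated verbatim in gsd-keyboard, gsd-media-keys, gsd-power, gsd-wacom and gsd-xsettings in this commit, and the same path is tightened in five more profiles; that is the kind of rule that belongs in a shared X abstraction next to `owner @{HOME}/.Xauthority r,`, which at-spi-bus-launcher and xhost also list per profile on this page. If the repository has a local X abstraction, hosting the GDM cookie path there keeps the next Xauthority location change to a single edit; the include targets are not visible here, so I cannot tell whether one already exists. The enclosing profile block starts and ends outside the hunk.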
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a52e8a2e..9335cb8f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -60,7 +60,8 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/user/@{uid}/pulse/ r, + owner @{run}/user/@{uid}/pulse/ r, + owner @{run}/user/@{uid}/gdm/Xauthority r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 8ea114e8..57be2b4c 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -27,6 +27,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /usr/share/mime/mime.cache r, /usr/share/X11/xkb/** r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 6ea71ad1..592f287a 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -39,7 +39,8 @@ profile gsd-xsettings @{exec_path} { /var/lib/gdm/.config/dconf/user r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, - + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-l/logrotate b/apparmor.d/profiles-a-l/logrotate index faa0adf1..6082990c 100644 --- a/apparmor.d/profiles-a-l/logrotate +++ b/apparmor.d/profiles-a-l/logrotate @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -54,6 +55,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /var/lib/logrotate/status rwk, /var/lib/logrotate/status.tmp rw, + /var/lib/logrotate.status rwk, + /var/lib/logrotate.status.tmp rw, /var/log/** rw, 
diff --git a/apparmor.d/profiles-m-z/xhost b/apparmor.d/profiles-m-z/xhost
index 8dae5e6e..53117ba4 100644
--- a/apparmor.d/profiles-m-z/xhost
+++ b/apparmor.d/profiles-m-z/xhost
@@ -15,6 +15,7 @@ profile xhost @{exec_path} {
 @{exec_path} mr,
 owner @{HOME}/.Xauthority r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 # file_inherit
 owner /dev/tty[0-9]* rw,