From c148aa978cbbb27dfde65380e914db162bc18500 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Aug 2022 20:31:57 +0100 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/apt/unattended-upgrade | 3 +- apparmor.d/groups/browsers/firefox | 1 + apparmor.d/groups/freedesktop/fc-cache | 2 +- apparmor.d/groups/freedesktop/plymouthd | 1 + apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 1 + .../groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/freedesktop/xdg-email | 10 +++- apparmor.d/groups/freedesktop/xwayland | 1 + apparmor.d/groups/gnome/gjs-console | 2 + .../gnome/gnome-characters-backgroudservice | 9 ++++ apparmor.d/groups/gnome/gnome-control-center | 6 +++ .../gnome/gnome-control-center-print-renderer | 2 + apparmor.d/groups/gnome/gnome-shell | 3 +- apparmor.d/groups/network/tailscaled | 1 + apparmor.d/groups/pacman/pacman-key | 9 +--- apparmor.d/groups/systemd/systemd-detect-virt | 6 ++- .../groups/ubuntu/check-new-release-gtk | 1 + apparmor.d/groups/ubuntu/packagekitd | 52 +++++++++++++++++-- .../ubuntu/update-motd-updates-available | 2 + apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/groups/virt/virtlogd | 1 + apparmor.d/profiles-a-f/acpi-powerbtn | 49 +++++++++++++++++ apparmor.d/profiles-a-f/acpid | 44 +--------------- apparmor.d/profiles-a-f/apparmor_parser | 5 +- apparmor.d/profiles-a-f/fwupd | 39 +++++++++++++- apparmor.d/profiles-g-l/hugo | 3 ++ apparmor.d/profiles-s-z/snapd | 11 ++-- apparmor.d/profiles-s-z/spice-vdagentd | 4 +- apparmor.d/profiles-s-z/wireplumber | 1 + 30 files changed, 202 insertions(+), 71 deletions(-) create mode 100644 apparmor.d/profiles-a-f/acpi-powerbtn diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 2a5a060b..73f58183 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade 
@@ -85,12 +85,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
- /var/log/unattended-upgrades/*.log rw,
+ /var/log/unattended-upgrades/{,**} rw,
 /var/lib/apt/periodic/unattended-upgrades-stamp w,
 /var/lib/dpkg/lock rwk,
 /var/lib/dpkg/lock-frontend rwk,
 /var/lib/dpkg/updates/ r,
+ /var/lib/update-notifier/dpkg-run-stamp rw,
 /var/cache/apt/{,**} rwk,
 /var/lib/apt/extended_states{,.*} rw,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index eee27864..766539bf 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -154,6 +154,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
 @{sys}/devices/pci[0-9]*/**/irq r,
 @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
+ @{sys}/devices/system/cpu/possible r,
 deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
 deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
 deny @{sys}/devices/system/cpu/present r,
diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache
index 39462818..b467e8f2 100644
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/fc-cache{,-32}
+@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
 profile fc-cache @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 2cab9318..b1e1d39d 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -39,6 +39,7 @@ profile plymouthd @{exec_path} {
 @{sys}/class/drm/ r,
 @{sys}/class/graphics/ r,
 @{sys}/devices/pci[0-9]*/**/{,uevent} r,
+ @{sys}/devices/virtual/graphics/fbcon/uevent r,
 @{sys}/devices/virtual/tty/console/active r,
 @{sys}/firmware/acpi/bgrt/{,*} r,
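Review bot: The replacement rule `/var/log/unattended-upgrades/{,**} rw,` grants read/write on every file and any nested directory under the log directory, where the old rule covered only `*.log`; nothing in the hunk shows the program needing subdirectories. If the aim was to cover the directory itself plus the other log names, `/var/log/unattended-upgrades/{,*} rw,` keeps it to one level and still matches the `unattended-upgrades-dpkg.log` that the update-motd-updates-available hunk of this patch names. The profile body continues outside the hunk.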
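Review bot: `@{sys}/devices/system/cpu/possible r,` is added here and, in the same patch, to xwayland, gjs-console, gnome-control-center, gnome-control-center-print-renderer, gnome-shell, libvirtd, virtlogd, apparmor_parser and wireplumber, which points to a library-level probe rather than a per-program need; presumably a newer libc reads this file when it counts CPUs, so a single rule in a shared abstraction would stop the ten profiles from drifting apart. In this hunk the new allow sits two lines above `deny @{sys}/devices/system/cpu/present r,`, which denies the sibling file carrying the same kind of information; a comment stating why one is allowed and the other denied would help, e.g. `# possible is read by libc at startup; present/cache/cpufreq stay denied`. The profile body continues outside the hunk.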
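Review bot: The attachment glob `fc-cache{,-32,-v*}` makes any `fc-cache-v…` name under the listed directories attach to this profile, while the snapd hunk later in this patch transitions with `/snap/snapd/[0-9]*/usr/bin/fc-cache-* rPx -> fc-cache`, a different shape (`-*`). Because that is a named transition it works regardless of the attachment, but a binary the snapd rule matches (say `fc-cache-foo`) would not attach by its own path, so the two globs should be aligned or a comment should name the versioned binary `-v*` is meant for. The profile body continues outside the hunk.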
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 22c62c33..72a183ee 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -17,7 +17,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { network netlink raw, dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.{DBus.Properties,UPower*}, + interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*}, dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 72bd2b5f..4585ecf3 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 1570e6b3..32225705 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -45,6 +45,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/snap rPx, # Allowed apps to open /{usr/,}bin/firefox rPx -> firefox, diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index ee313a64..8fc5ecc7 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -11,8 +12,13 @@ profile xdg-email @{exec_path} flags=(complain) {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/sed rix,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gio rPx,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/xdg-mime rPx,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index eae9f065..701a0de2 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -35,6 +35,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
 @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/system/cpu/possible r,
 @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index a77327c0..fe4e1f9d 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -49,6 +49,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 @{run}/user/@{uid}/wayland-cursor-shared-* rw,
+ @{sys}/devices/system/cpu/possible r,
+
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/ r,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice
index ed4bc812..8735c2fe 100644
--- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice
+++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice
@@ -10,14 +10,23 @@ include
 profile gnome-characters-backgroudservice @{exec_path} {
 include
 include
+ include
 @{exec_path} mr,
 /{usr/,}bin/gjs-console rix,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/icons/{,**} r,
+ /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
+ /etc/gtk-3.0/settings.ini r,
+
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index c6c3ef91..58aa25a7 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/bwrap rPUx,
 /{usr/,}bin/openvpn rPx,
 /{usr/,}bin/passwd rPx,
+ /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 /usr/share/language-tools/language2locale rix,
@@ -70,6 +71,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
 /usr/share/zoneinfo/{,**} r,
+ /etc/machine-info r,
 /etc/pipewire/client.conf.d/ r,
 /etc/security/pwquality.conf r,
 /etc/security/pwquality.conf.d/{,**} r,
@@ -98,6 +100,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+ owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
+ owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
 owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
 @{run}/cups/cups.sock rw,
 @{run}/samba/ rw,
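Review bot: The new side still ends without a trailing newline (`\ No newline at end of file` is reported for both sides), so every future edit of the closing `}` shows up as a two-line diff; terminating the file while it is being touched is cheap, and the same applies to the packagekitd file later in this patch. The added `owner @{PROC}/@{pid}/...` rules are correctly limited to the process's own entries, which is the pattern the other profiles in this patch should follow.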
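Review bot: `/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,` runs WebKit's network process inside the gnome-control-center profile itself, so the process that presumably talks to remote servers for the embedded web view inherits everything this profile allows, including the `passwd` and `openvpn` transitions listed just above it. It mirrors the pre-existing `/{usr/,}lib/webkit2gtk-{3,4}.0/...` rule, so this is consistent rather than new, but a `rCx` child profile (or one dedicated profile reached from both paths) would confine the network process to what it needs. At minimum a comment recording that inheritance is deliberate, e.g. `# WebKitNetworkProcess runs with the full profile; no dedicated profile yet`, helps the next reader. The profile body continues outside the hunk.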
@@ -120,9 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/input/ r,
 @{sys}/devices/**/{name,vendor,product,uevent} r,
 @{sys}/devices/platform/**/uevent r,
+ @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/virtual/**/uevent r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
+ @{sys}/firmware/acpi/pm_profile r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index 43324261..9fef80dd 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -39,6 +39,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
+ @{sys}/devices/system/cpu/possible r,
+
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 978e949d..3a8d278b 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -195,7 +195,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
 owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
- owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw,
+ owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
 owner @{run}/user/@{uid}/systemd/notify rw,
 owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
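Review bot: `owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,` replaces a rule naming one snap (`snapd-desktop-integration`) with a prefix glob that matches every snap whose name begins with `snap`, which is wider than the one extra snap it presumably targets. If that snap is known, an alternation keeps the rule explicit, e.g. `owner @{run}/user/@{uid}/snap.{snapd-desktop-integration,<other-snap>}/wayland-cursor-shared-* rw,` (placeholder for the real name); otherwise a comment should say why a prefix glob is needed. The rule stays `owner`-scoped, so the exposure is limited to the user's own runtime directory. The profile body continues outside the hunk.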
@@ -245,6 +245,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/drm/ r,
 @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
 @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
+ @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
 owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 36bf1d12..6025ed12 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@@ -42,6 +42,7 @@ profile tailscaled @{exec_path} {
 owner /var/lib/tailscale/{,**} rw,
 owner @{run}/tailscale/{,**} rw,
+ @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{PROC}/ r,
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 69d17130..3f427b9a 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -37,10 +37,6 @@ profile pacman-key @{exec_path} {
 /dev/tty rw,
- # Inherit Silencer
- deny network inet6 stream,
- deny network inet stream,
-
 profile gpg {
 include
 include
@@ -61,10 +57,9 @@ profile pacman-key @{exec_path} {
 @{HOME}/.gnupg/gpg.conf r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/task/@{tid}/stat rw,
- # Inherit Silencer
- deny network inet6 stream,
- deny network inet stream,
 }
 include if exists
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt
index f922b2cc..d9178ed3 100644
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
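Review bot: The `deny network inet6 stream,` / `deny network inet stream,` pair is removed from the pacman-key profile here and from its `gpg` child in the next hunk, but nothing on the page says why; their `# Inherit Silencer` label suggests they existed to quiet log noise rather than to grant anything, and dropping them only changes behaviour if some include now permits network access, which I cannot see from the hunk. A one-line comment in the profile or commit message, e.g. `# network deny rules dropped: <reason>` (placeholder), would keep the decision auditable. Both hunks are inside a profile whose body continues outside them.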
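Review bot: `owner @{PROC}/@{pid}/task/@{tid}/stat rw,` grants write on a procfs file that is read-only, so the `w` is dead permission, and elsewhere in this same patch (gjs-console, gnome-characters-backgroudservice) the identical path gets `r`. Suggest `owner @{PROC}/@{pid}/task/@{tid}/stat r,` and keep `rw` only for `comm`, which is genuinely writable for thread naming. The enclosing `gpg` child profile starts outside the hunk.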
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,6 +15,8 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { capability net_admin, + network netlink raw, + @{exec_path} mr, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index de44a851..755dcce4 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -47,6 +47,7 @@ profile check-new-release-gtk @{exec_path} { owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, include if exists diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index 37de8341..ef3d6a6e 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -13,13 +13,26 @@ profile packagekitd @{exec_path} { include include + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability kill, + capability setgid, + capability setuid, capability sys_nice, network netlink raw, + signal send set=int peer=apt-methods-*, + dbus (send,receive) bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.{DBus.*,PackageKit}, + dbus send bus=system path=/[0-9]*_@{hex} + interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction} + peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll, 
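Review bot: Seven capabilities (`chown`, `dac_override`, `dac_read_search`, `fowner`, `kill`, `setgid`, `setuid`) are added to packagekitd in one block with no indication of which operation needs each; since the third packagekitd hunk of this patch runs `sh`, `echo`, `test`, `touch`, `gdbus` and `ischroot` with `rix`, those helpers inherit all of them, and `dac_override` lets them bypass file-mode checks on everything the path rules allow. A why-comment per group (e.g. `# dpkg maintainer scripts: chown/fowner/setuid/setgid`) or, better, a child profile for the helpers without the capabilities would keep the grant reviewable. Separately, the new `dbus send bus=system path=/[0-9]*_@{hex} ... peer=(name=org.freedesktop.DBus)` pins the peer to the bus daemon although the path and the `PackageKit.Transaction` interface belong to packagekitd's own transaction objects, and the matching receive rule in the next hunk has its `peer=` line commented out, so the peer for these messages looks unresolved and is worth confirming against the audit log before keeping either constraint. The profile body continues outside the hunk.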
@@ -28,9 +41,17 @@ profile packagekitd @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/org/freedesktop/DBus{,/Bus} interface=org.freedesktop.DBus - member=RequestName, + member={RequestName,GetConnectionUnixUser}, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus receive bus=system path=/[0-9]*_@{hex} + interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction}, + # peer=(name=org.freedesktop.DBus), dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority @@ -53,17 +74,42 @@ profile packagekitd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/appstreamcli rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/echo rix, + /{usr/,}bin/gdbus rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/test rix, + /{usr/,}bin/touch rix, + /{usr/,}lib/apt/methods/* rPx, + /{usr/,}lib/cnf-update-db rPx, + /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/dpkg/tupletable r, /usr/share/dpkg/cputable r, /etc/PackageKit/PackageKit.conf r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, /var/cache/PackageKit/downloads/ r, + + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/periodic/update-success-stamp rw, + /var/lib/dpkg/info/{,*} r, + /var/lib/PackageKit/{,*} rw, /var/lib/PackageKit/transactions.db rwk, + owner @{run}/systemd/users/@{uid} r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 47e1ccf4..83cc1273 100644 
--- a/apparmor.d/groups/ubuntu/update-motd-updates-available
+++ b/apparmor.d/groups/ubuntu/update-motd-updates-available
@@ -40,6 +40,8 @@ profile update-motd-updates-available @{exec_path} {
 /var/lib/update-notifier/{,*} rw,
+ /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
 /var/cache/apt/ r,
 /var/cache/apt/** rwk,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 1814b83f..8134925c 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -187,6 +187,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/system/cpu/ r,
 @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r,
 @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
+ @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/system/cpu/present r,
 @{sys}/devices/system/cpu/present/ r,
 @{sys}/devices/system/node/ r,
diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd
index 900cfbd3..27afbd88 100644
--- a/apparmor.d/groups/virt/virtlogd
+++ b/apparmor.d/groups/virt/virtlogd
@@ -32,6 +32,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/virtlogd.pid rwk,
+ @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/meminfo r,
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn
new file mode 100644
index 00000000..24804df8
--- /dev/null
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile acpi-powerbtn flags=(attach_disconnected) {
+ include
+
+ /etc/acpi/powerbtn-acpi-support.sh r,
+
+ /{usr/,}{s,}bin/killall5 rix,
+ /{usr/,}{s,}bin/shutdown rix,
+ /{usr/,}bin/{ba,da,}sh rix,
+ /{usr/,}bin/{e,}grep rix,
+ /{usr/,}bin/dbus-send rix,
+ /{usr/,}bin/pgrep rix,
+ /{usr/,}bin/pinky rix,
+ /{usr/,}bin/sed rix,
+ /etc/acpi/powerbtn.sh rix,
+
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/ps rPx,
+
+ /{usr/,}bin/fgconsole rCx,
+
+ /usr/share/acpi-support/** r,
+
+ @{PROC} r,
+ @{PROC}/uptime r,
+ @{PROC}/@{pids}/cmdline r,
+
+ deny / r,
+
+ profile fgconsole {
+ include
+
+ capability sys_tty_config,
+
+ /{usr/,}bin/fgconsole r,
+
+ /dev/tty rw,
+ owner /dev/tty[0-9]* rw,
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index f5d18f85..8074ef09 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -21,7 +21,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{ba,da,}sh rix,
 /{usr/,}bin/logger rix,
- /etc/acpi/powerbtn-acpi-support.sh rPx -> powerbtn-acpi-support,
+ /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,
 /etc/acpi/{,**} r,
 /etc/acpi/handler.sh rix,
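Review bot: `@{PROC} r,` has no trailing slash, and AppArmor matches directories with a trailing `/`, so this rule does not grant listing `/proc/`; if the script enumerates processes (the `@{PROC}/@{pids}/cmdline r,` below suggests it does) the rule should read `@{PROC}/ r,`. This profile is reachable only by name (acpid's `rPx -> acpi-powerbtn`; it declares no `@{exec_path}` attachment), which fits a script invoked from one place but deserves a header comment such as `# Reached from acpid via rPx -> acpi-powerbtn; no attachment path on purpose`. The copyright line says 2021 for a file created in 2022, presumably carried over from the acpid file it was split out of.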
@@ -37,45 +37,3 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
-
-profile powerbtn-acpi-support flags=(attach_disconnected) {
- include
-
- /etc/acpi/powerbtn-acpi-support.sh r,
-
- /{usr/,}{s,}bin/killall5 rix,
- /{usr/,}{s,}bin/shutdown rix,
- /{usr/,}bin/{ba,da,}sh rix,
- /{usr/,}bin/{e,}grep rix,
- /{usr/,}bin/dbus-send rix,
- /{usr/,}bin/pgrep rix,
- /{usr/,}bin/pinky rix,
- /{usr/,}bin/sed rix,
- /etc/acpi/powerbtn.sh rix,
-
- /{usr/,}bin/systemctl rPx -> child-systemctl,
- /{usr/,}bin/ps rPx,
-
- /{usr/,}bin/fgconsole rCx,
-
- /usr/share/acpi-support/** r,
-
- @{PROC} r,
- @{PROC}/uptime r,
- @{PROC}/@{pids}/cmdline r,
-
- deny / r,
-
- profile fgconsole {
- include
-
- capability sys_tty_config,
-
- /{usr/,}bin/fgconsole r,
-
- /dev/tty rw,
- owner /dev/tty[0-9]* rw,
- }
-
- include if exists
-}
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index a8886583..59245636 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -28,11 +28,12 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 owner /tmp/cri-containerd.apparmor.d[0-9]* r,
- owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
+ @{sys}/devices/system/cpu/possible r,
 @{sys}/kernel/security/apparmor/{,**} r,
+ owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
- owner @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pid}/mounts r,
 deny /apparmor/.null rw,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 8f217fbe..e7d3b197 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -7,9 +7,10 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd
+@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 include
+ include
 include
 include
 include
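Review bot: `@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd` swaps the explicit `/{usr/,}lib/fwupd/fwupd` for a variable, so attachment of the daemon now depends on `@{libexec}` being defined and expanding to the directory the distribution actually installs into; if it does not, the daemon simply starts unconfined with no error. A comment naming the expected expansion, e.g. `# @{libexec} must cover the distro's fwupd directory (see tunables)`, would make that dependency visible, and the extraction has dropped the name of the newly added `include`, so I cannot review what it brings in. The profile body continues outside the hunk.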
@@ -25,6 +26,41 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixUser,RemoveMatch,RequestName}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus send bus=system path=/org/freedesktop/ModemManager1
+ interface=org.freedesktop.DBus.{Properties,ObjectManager}
+ member={GetAll,GetManagedObjects},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/UDisks2/Manager
+ interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
+ member={GetAll,GetBlockDevices},
+
+ dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/
+ interface=org.freedesktop.fwupd,
+
+ dbus receive bus=system path=/
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus bind bus=system
+ name=org.freedesktop.fwupd,
+
 @{exec_path} mr,
 /{usr/,}bin/gpg rCx -> gpg,
@@ -85,6 +121,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /dev/bus/usb/ r,
 /dev/bus/usb/[0-9]*/[0-9]* rw,
+ /dev/cpu/[0-9]*/msr rw,
 /dev/drm_dp_aux[0-9]* rw,
 /dev/gpiochip[0-9]* r,
 /dev/hidraw[0-9]* rw,
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index d771789d..611d164e 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -11,8 +11,11 @@ include
 profile hugo @{exec_path} {
 include
 include
+ include
 include
+ network inet dgram,
+ network inet6 dgram,
 network inet stream,
 network inet6 stream,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index b7a491c9..ef2ce90e 100644
--- a/apparmor.d/profiles-s-z/snapd
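Review bot: `/dev/cpu/[0-9]*/msr rw,` grants write access to model-specific registers, which amounts to kernel-level control of the CPU and is exactly what kernel lockdown refuses; if fwupd only reads MSRs for its platform-security checks, `r` is sufficient, and a comment should name the consumer, e.g. `# msr plugin: reads platform-security MSRs`. Opening this device also requires `capability sys_rawio`, which lies outside the hunk so I cannot tell whether the profile grants it; because the profile is still `flags=(complain)` a missing piece would only be logged, which is worth remembering when reading the audit trail. The profile body continues outside the hunk.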
+++ b/apparmor.d/profiles-s-z/snapd
@@ -72,14 +72,17 @@ profile snapd @{exec_path} {
 /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx,
 /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx,
 /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix,
+ /snap/snapd/[0-9]*/usr/bin/fc-cache-* rPx -> fc-cache,
 /snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ?
+ /usr/share/bash-completion/completions/{,**} r,
 /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
 /usr/share/dbus-1/services/*snap* r,
 /usr/share/polkit-1/actions/{,**/} r,
 /etc/dbus-1/system.d/{,**/} r,
 /etc/fstab r,
+ /etc/mime.types r,
 /etc/modprobe.d/{,**/} r,
 /etc/modules-load.d/{,**/} r,
 /etc/systemd/system/{,**/} r,
@@ -101,8 +104,8 @@ profile snapd @{exec_path} {
 /tmp/syscheck-squashfs-[0-9]* rw,
 /tmp/read-file[0-9]*/{,**} rw,
- owner @{HOME}/ r,
- owner @{HOME}/snap/{,**} rw,
+ @{HOME}/ r,
+ @{HOME}/snap/{,**} rw,
 owner @{run}/mount/ rw,
 owner @{run}/mount/utab{,.*} rw,
@@ -113,14 +116,14 @@ profile snapd @{exec_path} {
 @{run}/snapd-snap.socket rw,
 @{run}/snapd.socket rw,
- @{run}/snapd/lock/core[0-9]*.lock rwk,
+ @{run}/snapd/lock/*.lock rwk,
 @{run}/systemd/notify rw,
 @{run}/systemd/private rw,
 @{sys}/fs/cgroup/{,*/} r,
 @{sys}/fs/cgroup/system.slice/{,**/} r,
 @{sys}/fs/cgroup/user.slice/ r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/**/ r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/kernel/security/apparmor/features/ r,
 @{sys}/kernel/security/apparmor/profiles r,
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index 899c68c7..6a934c16 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
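Review bot: Dropping `owner` from `@{HOME}/ r,` and `@{HOME}/snap/{,**} rw,` lets snapd, which runs as root, read every home directory and create or modify anything under every user's `~/snap` tree rather than only entries it owns. That is presumably deliberate, since the per-user snap directories are user-owned and `owner` could never match for a root daemon, but it is a widening that a one-line comment should record, e.g. `# user snap dirs are user-owned; snapd (root) must write them`. The profile body continues outside the hunk.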
@@ -13,9 +13,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { capability sys_nice, - dbus receive - bus=system - path=/org/freedesktop/login[0-9]/session/_[0-9]* + dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* interface=org.freedesktop.login[0-9].Session member=Unlock, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 59b0cab4..dd2ef0dd 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -45,6 +45,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/pci[0-9]*/**/modalias r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, + @{sys}/devices/system/cpu/possible r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r, /dev/snd/ r,