feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2022-08-13 20:31:57 +01:00
parent e02b12aa6d
commit c148aa978c
30 changed files with 202 additions and 71 deletions


@ -85,12 +85,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r, /etc/machine-id r,
/var/log/unattended-upgrades/*.log rw, /var/log/unattended-upgrades/{,**} rw,
/var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/lock rwk, /var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/updates/ r, /var/lib/dpkg/updates/ r,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/cache/apt/{,**} rwk, /var/cache/apt/{,**} rwk,
/var/lib/apt/extended_states{,.*} rw, /var/lib/apt/extended_states{,.*} rw,
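Review bot: The rewrite of the log rule from `/var/log/unattended-upgrades/*.log rw` to `/var/log/unattended-upgrades/{,**} rw` grants write on the directory entry itself and on every file and subdirectory below it, not only the `.log` files the old rule covered. If the widening is only for rotated logs, a narrower pattern such as `/var/log/unattended-upgrades/*.log{,.*} rw,` gives the same benefit; if the directory itself must be writable for log rotation, a one-line comment saying so would stop a later reviewer from narrowing it again. The enclosing profile starts and ends outside the hunk.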


@ -154,6 +154,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r, @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/irq r, @{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{sys}/devices/system/cpu/possible r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/present r, deny @{sys}/devices/system/cpu/present r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/fc-cache{,-32} @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
profile fc-cache @{exec_path} { profile fc-cache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/fonts>
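Review bot: The new attachment `@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}` ends in an open-ended `-v*` glob, so any binary under those directories whose name begins with `fc-cache-v` attaches to this profile, not only the versioned copies shipped by snapd. If the versioned helpers are the intended matches, `fc-cache{,-32,-v[0-9]*}` is narrower. A comment naming which binaries the `-v*` branch exists for would also make the relationship with the snapd section of this commit (which transitions `fc-cache-*` here with an explicit `-> fc-cache`) easier to maintain.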


@ -39,6 +39,7 @@ profile plymouthd @{exec_path} {
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/graphics/ r, @{sys}/class/graphics/ r,
@{sys}/devices/pci[0-9]*/**/{,uevent} r, @{sys}/devices/pci[0-9]*/**/{,uevent} r,
@{sys}/devices/virtual/graphics/fbcon/uevent r,
@{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/acpi/bgrt/{,*} r, @{sys}/firmware/acpi/bgrt/{,*} r,


@ -17,7 +17,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.{DBus.Properties,UPower*}, interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy @{exec_path} = /{usr/,}bin/xdg-dbus-proxy
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict>
@{exec_path} mr, @{exec_path} mr,


@ -45,6 +45,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/snap rPx,
# Allowed apps to open # Allowed apps to open
/{usr/,}bin/firefox rPx -> firefox, /{usr/,}bin/firefox rPx -> firefox,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,8 +12,13 @@ profile xdg-email @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-mime rPx,
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,


@ -35,6 +35,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
@{sys}/bus/pci/devices/ r, @{sys}/bus/pci/devices/ r,
@{sys}/devices/system/cpu/possible r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/comm r, owner @{PROC}/@{pids}/comm r,


@ -49,6 +49,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,


@ -10,14 +10,23 @@ include <tunables/global>
profile gnome-characters-backgroudservice @{exec_path} { profile gnome-characters-backgroudservice @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dbus-session-strict>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/gjs-console rix, /{usr/,}bin/gjs-console rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
/usr/share/themes/{,**} r, /usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
/etc/gtk-3.0/settings.ini r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
include if exists <local/gnome-characters-backgroudservice> include if exists <local/gnome-characters-backgroudservice>
} }


@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/bwrap rPUx, /{usr/,}bin/bwrap rPUx,
/{usr/,}bin/openvpn rPx, /{usr/,}bin/openvpn rPx,
/{usr/,}bin/passwd rPx, /{usr/,}bin/passwd rPx,
/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix, /usr/share/language-tools/language2locale rix,
@ -70,6 +71,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r, /usr/share/zoneinfo/{,**} r,
/etc/machine-info r,
/etc/pipewire/client.conf.d/ r, /etc/pipewire/client.conf.d/ r,
/etc/security/pwquality.conf r, /etc/security/pwquality.conf r,
/etc/security/pwquality.conf.d/{,**} r, /etc/security/pwquality.conf.d/{,**} r,
@ -98,6 +100,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
@{run}/cups/cups.sock rw, @{run}/cups/cups.sock rw,
@{run}/samba/ rw, @{run}/samba/ rw,
@ -120,9 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{sys}/class/input/ r, @{sys}/class/input/ r,
@{sys}/devices/**/{name,vendor,product,uevent} r, @{sys}/devices/**/{name,vendor,product,uevent} r,
@{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/**/uevent r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/**/uevent r, @{sys}/devices/virtual/**/uevent r,
@{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
@{sys}/firmware/acpi/pm_profile r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
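Review bot: `/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,` runs the WebKit network process inherited inside the gnome-control-center profile, so a component that handles remote content gets this profile's whole rule set, including the `rPx` transitions to `passwd` and `openvpn` visible in the same hunk. That is consistent with the pre-existing non-multiarch rule on the next line, but if the process can work under a narrower child profile (an `rCx` target) it would no longer share the control panel's permissions; if `rix` is required, a comment saying why would help the next reader. gnome-control-center's body continues outside the hunks.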


@ -39,6 +39,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,


@ -195,7 +195,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
@ -245,6 +245,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r, @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,


@ -42,6 +42,7 @@ profile tailscaled @{exec_path} {
owner /var/lib/tailscale/{,**} rw, owner /var/lib/tailscale/{,**} rw,
owner @{run}/tailscale/{,**} rw, owner @{run}/tailscale/{,**} rw,
@{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/ r, @{PROC}/ r,


@ -37,10 +37,6 @@ profile pacman-key @{exec_path} {
/dev/tty rw, /dev/tty rw,
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
include <abstractions/p11-kit> include <abstractions/p11-kit>
@ -61,10 +57,9 @@ profile pacman-key @{exec_path} {
@{HOME}/.gnupg/gpg.conf r, @{HOME}/.gnupg/gpg.conf r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
} }
include if exists <local/pacman-key> include if exists <local/pacman-key>
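Review bot: The two `deny network inet{,6} stream,` lines under `# Inherit Silencer` are moved out of the pacman-key body into the `gpg` child profile, so the parent no longer carries an explicit deny; any `rix` helper inherited by pacman-key that probes the network will now produce audit denials instead of being silenced, while the gpg child is silenced. If that is intended, a comment in the parent such as `# network silencer lives in the gpg child` would record it. Separately, `owner @{PROC}/@{pid}/task/@{tid}/stat rw,` grants write on a procfs file that the kernel exposes read-only; unless a write denial was actually observed, `r` is enough there (`comm rw` on the line above is the one that legitimately needs write for thread naming).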


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -15,6 +15,8 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{run}/host/container-manager r, @{run}/host/container-manager r,


@ -47,6 +47,7 @@ profile check-new-release-gtk @{exec_path} {
owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
include if exists <local/check-new-release-gtk> include if exists <local/check-new-release-gtk>


@ -13,13 +13,26 @@ profile packagekitd @{exec_path} {
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_nice, capability sys_nice,
network netlink raw, network netlink raw,
signal send set=int peer=apt-methods-*,
dbus (send,receive) bus=system path=/org/freedesktop/PackageKit dbus (send,receive) bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.{DBus.*,PackageKit}, interface=org.freedesktop.{DBus.*,PackageKit},
dbus send bus=system path=/[0-9]*_@{hex}
interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/NetworkManager dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, member=GetAll,
@ -28,9 +41,17 @@ profile packagekitd @{exec_path} {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member=RequestName, member={RequestName,GetConnectionUnixUser},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=CheckAuthorization,
dbus receive bus=system path=/[0-9]*_@{hex}
interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},
# peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority interface=org.freedesktop.PolicyKit[0-9].Authority
@ -53,17 +74,42 @@ profile packagekitd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
/{usr/,}lib/apt/methods/* rPx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/etc/PackageKit/PackageKit.conf r, /etc/PackageKit/PackageKit.conf r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/cache/PackageKit/downloads/ r, /var/cache/PackageKit/downloads/ r,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/periodic/update-success-stamp rw,
/var/lib/dpkg/info/{,*} r,
/var/lib/PackageKit/{,*} rw,
/var/lib/PackageKit/transactions.db rwk, /var/lib/PackageKit/transactions.db rwk,
owner @{run}/systemd/users/@{uid} r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/mountinfo r,
include if exists <local/packagekitd> include if exists <local/packagekitd>
} }
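Review bot: The new `dbus receive bus=system path=/[0-9]*_@{hex}` rule ships with its peer restriction commented out (`# peer=(name=org.freedesktop.DBus),`), which leaves a reader unsure whether the unrestricted receive is the intended final state or a debugging leftover; either drop the line or replace it with a comment such as `# Transaction objects are driven by arbitrary clients; authorization is delegated to polkit CheckAuthorization`. The seven new capability lines (chown, dac_override, dac_read_search, fowner, kill, setgid, setuid) are also inherited by `/{usr/,}bin/{,ba,da}sh rix,` and the other `rix` helpers added in the last hunk, so a shell spawned by packagekitd runs with the full set; a short comment per capability naming the backend operation that needs it, or `rPx`/`rCx` targets for the helpers where a confined profile exists, would keep the grant reviewable. packagekitd's body is split across the three hunks.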


@ -40,6 +40,8 @@ profile update-motd-updates-available @{exec_path} {
/var/lib/update-notifier/{,*} rw, /var/lib/update-notifier/{,*} rw,
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,


@ -187,6 +187,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r, @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r,
@{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/system/cpu/present r, @{sys}/devices/system/cpu/present r,
@{sys}/devices/system/cpu/present/ r, @{sys}/devices/system/cpu/present/ r,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,


@ -32,6 +32,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/virtlogd.pid rwk, @{run}/virtlogd.pid rwk,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/meminfo r,


@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
profile acpi-powerbtn flags=(attach_disconnected) {
include <abstractions/base>
/etc/acpi/powerbtn-acpi-support.sh r,
/{usr/,}{s,}bin/killall5 rix,
/{usr/,}{s,}bin/shutdown rix,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{e,}grep rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/pgrep rix,
/{usr/,}bin/pinky rix,
/{usr/,}bin/sed rix,
/etc/acpi/powerbtn.sh rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/ps rPx,
/{usr/,}bin/fgconsole rCx,
/usr/share/acpi-support/** r,
@{PROC} r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cmdline r,
deny / r,
profile fgconsole {
include <abstractions/base>
capability sys_tty_config,
/{usr/,}bin/fgconsole r,
/dev/tty rw,
owner /dev/tty[0-9]* rw,
}
include if exists <local/acpi-powerbtn>
}
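Review bot: Renaming the profile from `powerbtn-acpi-support` to `acpi-powerbtn` also renames the local-override include to `include if exists <local/acpi-powerbtn>`, so any site-specific `local/powerbtn-acpi-support` file an administrator already deployed stops being applied without any error. A changelog mention of the rename, or a transitional `include if exists <local/powerbtn-acpi-support>` next to the new one, would avoid that. The copyright line also says 2021 although the file is created in this 2022 commit, and a header comment stating that the profile has no `@{exec_path}` attachment and is only entered through acpid's `rPx -> acpi-powerbtn` would make the missing attachment look deliberate.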


@ -21,7 +21,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{ba,da,}sh rix, /{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/logger rix, /{usr/,}bin/logger rix,
/etc/acpi/powerbtn-acpi-support.sh rPx -> powerbtn-acpi-support, /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,
/etc/acpi/{,**} r, /etc/acpi/{,**} r,
/etc/acpi/handler.sh rix, /etc/acpi/handler.sh rix,
@ -37,45 +37,3 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
include if exists <local/acpid> include if exists <local/acpid>
} }
profile powerbtn-acpi-support flags=(attach_disconnected) {
include <abstractions/base>
/etc/acpi/powerbtn-acpi-support.sh r,
/{usr/,}{s,}bin/killall5 rix,
/{usr/,}{s,}bin/shutdown rix,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{e,}grep rix,
/{usr/,}bin/dbus-send rix,
/{usr/,}bin/pgrep rix,
/{usr/,}bin/pinky rix,
/{usr/,}bin/sed rix,
/etc/acpi/powerbtn.sh rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/ps rPx,
/{usr/,}bin/fgconsole rCx,
/usr/share/acpi-support/** r,
@{PROC} r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cmdline r,
deny / r,
profile fgconsole {
include <abstractions/base>
capability sys_tty_config,
/{usr/,}bin/fgconsole r,
/dev/tty rw,
owner /dev/tty[0-9]* rw,
}
include if exists <local/powerbtn-acpi-support>
}


@ -28,11 +28,12 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
owner /tmp/cri-containerd.apparmor.d[0-9]* r, owner /tmp/cri-containerd.apparmor.d[0-9]* r,
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw, @{sys}/devices/system/cpu/possible r,
@{sys}/kernel/security/apparmor/{,**} r, @{sys}/kernel/security/apparmor/{,**} r,
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/mounts r,
deny /apparmor/.null rw, deny /apparmor/.null rw,


@ -7,9 +7,10 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd @{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
profile fwupd @{exec_path} flags=(complain,attach_disconnected) { profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
@ -25,6 +26,41 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
network netlink raw, network netlink raw,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,RemoveMatch,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.{Properties,ObjectManager}
member={GetAll,GetManagedObjects},
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/UDisks2/Manager
interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
member={GetAll,GetBlockDevices},
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/
interface=org.freedesktop.fwupd,
dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus bind bus=system
name=org.freedesktop.fwupd,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg,
@ -85,6 +121,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/dev/bus/usb/ r, /dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw, /dev/bus/usb/[0-9]*/[0-9]* rw,
/dev/cpu/[0-9]*/msr rw,
/dev/drm_dp_aux[0-9]* rw, /dev/drm_dp_aux[0-9]* rw,
/dev/gpiochip[0-9]* r, /dev/gpiochip[0-9]* r,
/dev/hidraw[0-9]* rw, /dev/hidraw[0-9]* rw,
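Review bot: `/dev/cpu/[0-9]*/msr rw,` grants write access to the model-specific-register device, which lets the confined process change CPU behaviour rather than only inspect it; if fwupd's MSR plugin only reads registers for its security checks (as far as I know it does), `/dev/cpu/[0-9]*/msr r,` is the safer grant unless a write denial was actually observed. In the first hunk, `dbus receive bus=system path=/ interface=org.freedesktop.fwupd,` has no peer restriction, which is expected for a service that performs its own polkit checks, but a comment saying so would keep it from being tightened by mistake later. The profile stays `flags=(complain,attach_disconnected)`, so neither rule is enforced yet; fwupd's body continues outside the hunks.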


@ -11,8 +11,11 @@ include <tunables/global>
profile hugo @{exec_path} { profile hugo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,


@ -72,14 +72,17 @@ profile snapd @{exec_path} {
/snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx,
/snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx, /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx,
/snap/snapd/[0-9]*/usr/lib/snapd/snapd rix, /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix,
/snap/snapd/[0-9]*/usr/bin/fc-cache-* rPx -> fc-cache,
/snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ? /snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ?
/usr/share/bash-completion/completions/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
/usr/share/dbus-1/services/*snap* r, /usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**/} r, /usr/share/polkit-1/actions/{,**/} r,
/etc/dbus-1/system.d/{,**/} r, /etc/dbus-1/system.d/{,**/} r,
/etc/fstab r, /etc/fstab r,
/etc/mime.types r,
/etc/modprobe.d/{,**/} r, /etc/modprobe.d/{,**/} r,
/etc/modules-load.d/{,**/} r, /etc/modules-load.d/{,**/} r,
/etc/systemd/system/{,**/} r, /etc/systemd/system/{,**/} r,
@ -101,8 +104,8 @@ profile snapd @{exec_path} {
/tmp/syscheck-squashfs-[0-9]* rw, /tmp/syscheck-squashfs-[0-9]* rw,
/tmp/read-file[0-9]*/{,**} rw, /tmp/read-file[0-9]*/{,**} rw,
owner @{HOME}/ r, @{HOME}/ r,
owner @{HOME}/snap/{,**} rw, @{HOME}/snap/{,**} rw,
owner @{run}/mount/ rw, owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab{,.*} rw,
@ -113,14 +116,14 @@ profile snapd @{exec_path} {
@{run}/snapd-snap.socket rw, @{run}/snapd-snap.socket rw,
@{run}/snapd.socket rw, @{run}/snapd.socket rw,
@{run}/snapd/lock/core[0-9]*.lock rwk, @{run}/snapd/lock/*.lock rwk,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
@{run}/systemd/private rw, @{run}/systemd/private rw,
@{sys}/fs/cgroup/{,*/} r, @{sys}/fs/cgroup/{,*/} r,
@{sys}/fs/cgroup/system.slice/{,**/} r, @{sys}/fs/cgroup/system.slice/{,**/} r,
@{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/ r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/**/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/features/ r,
@{sys}/kernel/security/apparmor/profiles r, @{sys}/kernel/security/apparmor/profiles r,
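Review bot: Dropping `owner` from `@{HOME}/ r,` and `@{HOME}/snap/{,**} rw,` lets snapd read every user's home directory entry and write under every user's `~/snap`, not only paths whose owner matches its fsuid. That is presumably needed because snapd runs as root and manages per-user snap data, in which case `owner` never matched and this is a fix; a comment such as `# snapd runs as root and manages ~/snap for every user, so no owner condition` would record the reason. `@{run}/snapd/lock/*.lock rwk,` likewise widens the lock rule from `core[0-9]*.lock` to any lock file in that directory, fine if the directory is snapd-private. snapd's body continues outside the hunks.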


@ -13,9 +13,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
capability sys_nice, capability sys_nice,
dbus receive dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
bus=system
path=/org/freedesktop/login[0-9]/session/_[0-9]*
interface=org.freedesktop.login[0-9].Session interface=org.freedesktop.login[0-9].Session
member=Unlock, member=Unlock,


@ -45,6 +45,7 @@ profile wireplumber @{exec_path} {
@{sys}/devices/**/sound/**/uevent r, @{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/pci[0-9]*/**/modalias r, @{sys}/devices/pci[0-9]*/**/modalias r,
@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r,
/dev/snd/ r, /dev/snd/ r,