From c54d72543ea0cb79ea92d003d333e8d26260f6f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 8 Dec 2023 18:03:47 +0000 Subject: [PATCH] feat(profile): update flatpak. --- apparmor.d/profiles-a-f/flatpak | 49 +++++++++++++++---- apparmor.d/profiles-a-f/flatpak-app | 11 +++-- apparmor.d/profiles-a-f/flatpak-bwrap | 8 ++- .../profiles-a-f/flatpak-oci-authenticator | 17 +++++++ .../profiles-a-f/flatpak-session-helper | 12 +++-- 5 files changed, 78 insertions(+), 19 deletions(-) create mode 100644 apparmor.d/profiles-a-f/flatpak-oci-authenticator diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 46770705..70890775 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -27,12 +27,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain network inet6 stream, network netlink raw, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, + @{exec_path} mr, - @{bin}/bwrap rPx -> flatpak-bwrap, - @{bin}/gpg rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, + @{bin}/bwrap rPx -> flatpak-bwrap, + @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gpg rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, + @{lib}/revokefs-fuse rix, /usr/share/gvfs/remote-volume-monitors/*.monitor r, /usr/share/flatpak/{,**} r, @@ -40,11 +44,14 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - /var/lib/flatpak/{,**} rwlk, - /var/tmp/#@{int} rw, - / r, + /var/lib/flatpak/{,**} rwlk, + + /var/tmp/#@{int} rw, + /var/tmp/flatpak-cache-@{rand6}/{,**/} r, + owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk, + owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, 
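Review bot: `@{lib}/revokefs-fuse rix,` runs the FUSE server inline, so it inherits everything the `flatpak` profile allows (network, the `gpg` child, `/var/lib/flatpak/{,**} rwlk`) although a FUSE server only needs `/dev/fuse` and the directory it serves. A child profile in the style of the new `fusermount` one, `@{lib}/revokefs-fuse rCx -> revokefs-fuse,`, would keep it to the `/dev/fuse rw,` added in the `@@ -69,15 +76,18 @@` hunk plus the `/var/tmp/flatpak-cache-*` rules. Whether revokefs-fuse issues the mount itself (and so needs the parent's `mount fstype=fuse.revokefs-fuse` line) or always goes through fusermount is not visible here and should be checked against the audit log before moving that rule. The `flatpak` profile body starts and ends outside this hunk.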
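Review bot: The cache directory is named with two different patterns in this patch: the file rules here use `/var/tmp/flatpak-cache-@{rand6}/...`, while the `mount` rule in the `@@ -27,12 +27,16 @@` hunk and the `mount`/`umount` rules in the new `fusermount` child (`@@ -93,5 +103,26 @@`) use `/var/tmp/flatpak-cache-*/*/`. Either the mount targets should become `-> /var/tmp/flatpak-cache-@{rand6}/*/,` and `umount /var/tmp/flatpak-cache-@{rand6}/*/,`, or, if the wider `*` is deliberate, a comment on the mount line should say why, so the two sets of rules do not drift apart. Note also that only the `rwk` line is `owner`-qualified; the `{,**/} r,` directory-listing line applies regardless of owner, which looks intended but deserves a word. The profile body continues outside this hunk.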
@@ -69,15 +76,18 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{sys}/module/nvidia/version r, + @{PROC}/sys/fs/pipe-max-size r, owner @{PROC}/@{pid}/stat r, - deny @{user_share_dirs}/gvfs-metadata/* r, - + /dev/fuse rw, /dev/tty rw, /dev/tty@{int} rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + profile gpg { include + include capability dac_read_search, @@ -93,5 +103,26 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include if exists } + profile fusermount { + include + include + include + + capability sys_admin, + + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, + umount /var/tmp/flatpak-cache-*/*/, + + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 8bc18f82..a6d575ca 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -13,19 +13,24 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { include include + capability sys_ptrace, + network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + ptrace (read), ptrace peer=flatpak-app//&flatpak-bwrap, signal peer=flatpak-app//&flatpak-bwrap, - @{bin}/** rmix, - @{lib}/** rmix, - /app/** rmix, + @{bin}/** rmix, + @{lib}/** rmix, + /app/** rmix, + /var/lib/flatpak/app/*/**/@{bin}/** rmix, + /var/lib/flatpak/app/*/**/@{lib}/** rmix, /var/lib/flatpak/app/{,**} r, diff --git a/apparmor.d/profiles-a-f/flatpak-bwrap b/apparmor.d/profiles-a-f/flatpak-bwrap index f142f2f5..0a9290d5 100644 --- a/apparmor.d/profiles-a-f/flatpak-bwrap +++ b/apparmor.d/profiles-a-f/flatpak-bwrap 
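Review bot: `@{PROC}/@{pids}/mounts r,` in the new `fusermount` child lets the helper read the mount table of every process, which stands out against the rest of the child (`/etc/fuse.conf`, `/dev/fuse`, a single `fstype`). If fusermount only consults its own table, `owner @{PROC}/@{pid}/mounts r,` is sufficient — this should be confirmed from the denial logs rather than assumed. The `umount /var/tmp/flatpak-cache-*/*/,` line is also broader than the `mount` line directly above it, which is pinned to `fstype=fuse.revokefs-fuse`; if the parser accepts it, mirroring the fstype condition keeps the two symmetric. The `include` targets in this hunk are not legible on this page, so they could not be reviewed.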
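Review bot: `ptrace (read),` is added without a `peer=` qualifier, so together with `capability sys_ptrace,` any process confined by `flatpak-app` may read the `/proc/<pid>/` state (maps, environ, fd) of every process it can otherwise see, while the existing rule one line below is scoped to `peer=flatpak-app//&flatpak-bwrap`. If the read access is only needed for processes inside the sandbox, `ptrace (read) peer=flatpak-app,` (or the same `//&flatpak-bwrap` peer) keeps an app from inspecting host processes of the same user; if host processes really are the target, a comment should name which ones and why. The `flatpak-app` profile header and the remaining rules lie outside this hunk.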
@@ -25,8 +25,12 @@ profile flatpak-bwrap flags=(attach_disconnected,mediate_deleted) { network inet6 stream, network netlink raw, - mount, - umount, + mount options=(rw, silent, rslave) -> /, + mount fstype=tmpfs -> /tmp/, + mount -> /newroot/{,**}, + mount -> /oldroot/, + mount -> /tmp/newroot/, + umount /{,oldroot/}, pivot_root oldroot=/newroot/ -> /newroot/, pivot_root oldroot=/tmp/oldroot/ -> /tmp/, diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator new file mode 100644 index 00000000..e5b8a1d1 --- /dev/null +++ b/apparmor.d/profiles-a-f/flatpak-oci-authenticator @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/flatpak-oci-authenticator +profile flatpak-oci-authenticator @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 4bf7ca70..22c021f6 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -17,11 +17,13 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dbus-monitor rPUx, - @{bin}/p11-kit rix, - @{bin}/pkexec rPx, - @{lib}/p11-kit/p11-kit-remote rix, - @{lib}/p11-kit/p11-kit-server rix, + @{bin}/dbus-monitor rPUx, + @{bin}/p11-kit rix, + @{bin}/pkexec rPx, + @{lib}/p11-kit/p11-kit-remote rix, + @{lib}/p11-kit/p11-kit-server rix, + /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, + /var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app, owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-[0-9]* rw,
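Review bot: Replacing bare `mount,`/`umount,` with targeted rules is the right direction, but `mount -> /newroot/{,**},` and `mount -> /tmp/newroot/,` still carry no `fstype=` or `options=` condition, so any source may be mounted anywhere under the new root. That width appears inherent to how bwrap assembles the sandbox (bind mounts of host paths and the app/runtime trees), so it should be stated rather than left implicit, e.g. `# bwrap bind-mounts host paths under /newroot; source and fstype cannot be narrowed here` above the `/newroot/` line. The `flatpak-bwrap` profile body continues on both sides of this hunk.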
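Review bot: The new `flatpak-oci-authenticator` profile grants only `@{exec_path} mr,` plus two includes, with no `network` rule and no `flags=`; if the authenticator contacts registries itself (its name suggests so, but nothing on this page shows it), the first connection will be denied silently in enforce mode. Either the needed rules should be added or the profile should start with `flags=(complain)` as the `flatpak` profile above does until its access set is known. Two cosmetic points differ from the other profiles in this patch: the file ends without a trailing newline (`\ No newline at end of file`) and its header reads `Copyright (C) 2022` on a file created in December 2023.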
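Review bot: The two new transition rules use `/var/lib/flatpak/app/*/**/@{bin}/**` and `/var/lib/flatpak/app/*/**/@{lib}/**`, the same pattern added to `flatpak-app` earlier in this patch. In this repository `@{bin}` and `@{lib}` appear to expand to absolute paths beginning with `/` (as in `@{lib}/flatpak-oci-authenticator` above), so `**/@{bin}` would produce a double slash in the compiled rule; confirm that the parser normalises it, or spell out the expected subpath of an app deployment explicitly so the rule documents what it is meant to match. A short comment on the first of the two lines, `# host commands spawned from an app's own deployed files run confined as flatpak-app`, would also make the `rPx -> flatpak-app` transition self-explanatory. The `flatpak-session-helper` profile body continues outside this hunk.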