diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index bcd49a3f..4bf80999 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -11,6 +11,10 @@ abi , + owner @{HOME}/thumbnails/ r, + owner @{HOME}/thumbnails/{large,normal}/ r, + owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r, + owner @{HOME}/.cache/thumbnails/ r, owner @{HOME}/.cache/thumbnails/{large,normal}/ r, owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r, diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index f7668c02..b7917916 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -11,6 +11,11 @@ abi , + owner @{HOME}/thumbnails/ rw, + owner @{HOME}/thumbnails/{large,normal}/ rw, + owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw, + owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9], + owner @{HOME}/.cache/thumbnails/ rw, owner @{HOME}/.cache/thumbnails/{large,normal}/ rw, owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw, diff --git a/apparmor.d/adequate b/apparmor.d/adequate index 4e79aac4..8657afff 100644 --- a/apparmor.d/adequate +++ b/apparmor.d/adequate @@ -99,7 +99,7 @@ profile adequate @{exec_path} flags=(complain) { include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/anyremote b/apparmor.d/anyremote index 50647f80..4b6f31a6 100644 --- a/apparmor.d/anyremote +++ b/apparmor.d/anyremote 
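Review bot: The three added rules use `@{HOME}/thumbnails/`, which is neither the XDG location `~/.cache/thumbnails` already covered below nor the legacy `~/.thumbnails` directory; if the legacy tree was intended, the dot is missing on every added line, i.e. `owner @{HOME}/.thumbnails/ r,` and so on. The same spelling is used in the thumbnails-cache-write hunk that follows, so both abstractions should be corrected together. A comment such as `# Legacy (pre-XDG) thumbnail location` above the new block would record why two trees are granted.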
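Review bot: The link rule for the new tree points across directories: `owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],` pairs a `thumbnails` png with a `.cache/thumbnails` temp file, whereas the existing rule it was copied from stays within its own tree. Unless the thumbnailer really writes its temp file under `.cache` and links it into `thumbnails`, the target should mirror the original, `-> @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9]`; as written, the `#[0-9]*[0-9] rw` rule added for `@{HOME}/thumbnails` has no link rule that uses it, so the temp-file-then-link write path in that tree would be denied.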
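Review bot: Changing `/{usr/,}bin/hostname rPx,` to `rix` runs `hostname` inside this child profile instead of transitioning to a dedicated profile, so whatever it needs beyond the binary itself — name-resolution files when called with `-f`/`-d`, or `capability sys_admin` if it is ever used to set the name — now has to be granted in this profile, and the hunk adds nothing for it. The same switch is made in apt-listbugs, apt-listchanges, check-support-status-hook, dhclient-script, dpkg-preconfigure and frontend; dhclient-script is the one to verify first, since its own comment says the call was previously being denied and that script runs as root. A one-line comment at the first occurrence, e.g. `# hostname runs inherited (ix); its needs must be covered by this profile`, would record the rationale. The enclosing child profile starts and ends outside the hunk.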
@@ -80,13 +80,6 @@ profile anyremote @{exec_path} { /usr/share/anyremote/{,**} r, /usr/share/anyremote/cfg-data/Utils/*.sh rix, - # Video dirs - / r, - /media/ r, - /media/Zami/ r, - owner /media/Zami/Film/ r, - owner /media/Zami/Film/** r, - deny @{PROC}/sys/kernel/osrelease r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/appimage-beyond-all-reason b/apparmor.d/appimage-beyond-all-reason new file mode 100644 index 00000000..993ba816 --- /dev/null +++ b/apparmor.d/appimage-beyond-all-reason 
@@ -0,0 +1,116 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = "/home/*/Desktop/Beyond All Reason.AppImage"
+@{exec_path} += /home/*/Desktop/BeyondAllReason.AppImage
+profile appimage-beyond-all-reason @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability sys_ptrace,
+
+ # For kernel unprivileged user namespaces
+ capability sys_admin,
+ capability sys_chroot,
+ capability setuid,
+ capability setgid,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ network netlink raw,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/xmessage rix,
+
+ /{usr/,}bin/x86_64-linux-gnu-addr2line rix,
+
+ /{usr/,}bin/fusermount{,3} rPx,
+
+ mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,
+
+ /var/tmp/ r,
+ /tmp/ r,
+ /tmp/.mount_Beyond*/ rw,
+ /tmp/.mount_Beyond*/beyond-all-reason rix,
+ /tmp/.mount_Beyond*/AppRun rix,
+ /tmp/.mount_Beyond*/bin/* rix,
+ /tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
+ /tmp/.mount_Beyond*/** r,
+ /tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,
+ owner /tmp/.org.chromium.Chromium.*/ rw,
+ owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
+ owner /tmp/.org.chromium.Chromium.*/SS rw,
+ owner /tmp/.org.chromium.Chromium.*/*.png rw,
+ owner /tmp/.org.chromium.Chromium.* rw,
+
+ owner @{HOME}/.config/Beyond-All-Reason/ rw,
+ owner @{HOME}/.config/Beyond-All-Reason/** rwk,
+
+ owner 
"@{HOME}/Beyond All Reason/" rw, + owner "@{HOME}/Beyond All Reason/**" rwkm, + owner "@{HOME}/Beyond All Reason/engine/**/spring" rix, + + owner @{HOME}/.spring/ rw, + owner @{HOME}/.spring/** rw, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/statm r, + owner @{PROC}/@{pids}/task/ r, + owner @{PROC}/@{pids}/task/@{tid}/status r, + owner @{PROC}/@{pid}/oom_{,score_}adj r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj w, + @{PROC}sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + + owner /dev/shm/.org.chromium.Chromium.* rw, + + @{sys}/bus/pci/devices/ r, + @{sys}/devices/pci[0-9]*/**/class r, + @{sys}/devices/virtual/tty/tty0/active r, + + /dev/fuse rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + include if exists +} diff --git a/apparmor.d/apt-listbugs b/apparmor.d/apt-listbugs index 26d468a0..2c674764 100644 --- a/apparmor.d/apt-listbugs +++ b/apparmor.d/apt-listbugs @@ -57,7 +57,7 @@ profile apt-listbugs @{exec_path} { include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/apt-listchanges b/apparmor.d/apt-listchanges index 88d3b92e..7e518a3b 100644 --- a/apparmor.d/apt-listchanges +++ b/apparmor.d/apt-listchanges @@ -29,7 +29,6 @@ profile apt-listchanges @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/tar rix, - /{usr/,}bin/hostname rPx, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. 
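Review bot: `@{PROC}sys/fs/inotify/max_user_watches r,` omits the slash after the variable and only works because `@{PROC}` expands with a trailing slash in the kernelvars tunable; every other rule in the profile writes `@{PROC}/...`, so it should read `@{PROC}/sys/fs/inotify/max_user_watches r,` like the `@{PROC}/sys/kernel/yama/ptrace_scope r,` line beneath it. Separately, the profile grants `capability sys_admin`, `sys_chroot`, `setuid` and `setgid` for user namespaces and then executes `/tmp/.mount_Beyond*/bin/*`, `AppRun` and `node_modules/**` with `rix` under the same profile, while none of the `/tmp/.mount_Beyond*/` rules are `owner`-qualified, so content under any matching name in the shared `/tmp` runs with those capabilities. Adding `owner` to the `/tmp/.mount_Beyond*/` rules and a comment stating that the mounted image is treated as trusted would at least make that decision explicit.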
@@ -77,7 +76,7 @@ profile apt-listchanges @{exec_path} { include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/calibre b/apparmor.d/calibre index 36e24ecf..86af9c29 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -59,7 +59,7 @@ profile calibre @{exec_path} { capability sys_ptrace, - deny network netlink raw, + network netlink raw, @{exec_path} mrix, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/check-support-status-hook b/apparmor.d/check-support-status-hook index f6589f15..5d5ccf7a 100644 --- a/apparmor.d/check-support-status-hook +++ b/apparmor.d/check-support-status-hook @@ -92,7 +92,7 @@ profile check-support-status-hook @{exec_path} { include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script index 270c6a6a..b4606304 100644 --- a/apparmor.d/dhclient-script +++ b/apparmor.d/dhclient-script @@ -32,7 +32,7 @@ profile dhclient-script @{exec_path} { # To remove the following error: # /sbin/dhclient-script: 133: hostname: Permission denied - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rix, # To read scripts /etc/dhcp/ r, diff --git a/apparmor.d/discord b/apparmor.d/discord index 9fecb4b4..4d8a63b6 100644 --- a/apparmor.d/discord +++ b/apparmor.d/discord @@ -43,7 +43,7 @@ profile discord @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink raw, + network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/dpkg-preconfigure b/apparmor.d/dpkg-preconfigure index d25c805e..9f9f6730 100644 --- a/apparmor.d/dpkg-preconfigure +++ b/apparmor.d/dpkg-preconfigure 
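Review bot: The explicit `deny network netlink raw,` becomes a grant with no comment recording what needed it, and an AppArmor network rule cannot scope netlink by protocol, so `network netlink raw,` allows every netlink family the process's credentials permit rather than only the NETLINK_ROUTE interface enumeration that usually triggers this denial. The same flip is made in discord, firefox, flameshot (which additionally grants `network netlink dgram,`), freetube and google-chrome-chrome. A comment above the rule, e.g. `# netlink raw: interface enumeration (getifaddrs) — confirm nothing else relies on it`, would keep the rationale next to the grant. The enclosing profile starts and ends outside the hunk.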
@@ -50,7 +50,7 @@ profile dpkg-preconfigure @{exec_path} { include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/ffmpeg b/apparmor.d/ffmpeg index 87da62b1..9abdf178 100644 --- a/apparmor.d/ffmpeg +++ b/apparmor.d/ffmpeg @@ -59,6 +59,11 @@ profile ffmpeg @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mr, # Which files ffmpeg should be able to open @@ -69,7 +74,6 @@ profile ffmpeg @{exec_path} { /media/ r, owner /media/**/ r, owner /{home,media}/**.@{ffmpeg_ext}{,.[0-9]*} rw, - owner /media/Grafi/* rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]/meminfo r, diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 0e13c1be..9c172af7 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -46,7 +46,7 @@ profile firefox @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink raw, + network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot index adf08ad0..79b8e7db 100644 --- a/apparmor.d/flameshot +++ b/apparmor.d/flameshot @@ -36,8 +36,8 @@ profile flameshot @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink raw, - deny network netlink dgram, + network netlink raw, + network netlink dgram, @{exec_path} mr, diff --git a/apparmor.d/freetube b/apparmor.d/freetube index 096f9e14..b95eb20b 100644 --- a/apparmor.d/freetube +++ b/apparmor.d/freetube @@ -47,7 +47,7 @@ profile freetube @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink raw, + network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/frontend b/apparmor.d/frontend index 2640a990..39d2da1e 100644 --- a/apparmor.d/frontend 
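Review bot: The four new `network inet*` rules give ffmpeg unrestricted TCP and UDP sockets on every invocation, with no comment on which input or output protocol required them; since ffmpeg is mostly run on local files, a short rationale such as `# For network inputs/outputs (http, rtsp, udp)` above the block, or keeping the rules in the per-site include for users who need them, would keep the default profile narrower and the grant explainable. The second hunk of this file only drops a user-specific `/media/Grafi/*` rule and needs nothing further.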
+++ b/apparmor.d/frontend @@ -76,7 +76,7 @@ profile frontend @{exec_path} flags=(complain) { include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, - /{usr/,}bin/hostname rPx, + /{usr/,}bin/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/fusermount b/apparmor.d/fusermount index 2516a35a..dec183d3 100644 --- a/apparmor.d/fusermount +++ b/apparmor.d/fusermount @@ -41,9 +41,13 @@ profile fusermount @{exec_path} { mount fstype={fuse,fuse.*} -> @{HOME}/*/*/, mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/, mount fstype={fuse,fuse.*} -> /media/*/, + mount fstype={fuse,fuse.*} -> /media/*/*/, # For MTP mount -> /, + # For AppImage + mount fstype={fuse,fuse.*} -> /tmp/.mount_*/, + # For GVFS mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, @@ -52,6 +56,7 @@ profile fusermount @{exec_path} { umount @{HOME}/*/*/, umount @{HOME}/.cache/**/, umount /media/*/, + umount /tmp/.mount_*/, umount @{run}/user/[0-9]*/**/, # Image files to be mounted @@ -60,6 +65,10 @@ profile fusermount @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + # AppImage files + owner @{HOME}/**.AppImage r, + owner /media/*/**.AppImage r, + /etc/fuse.conf r, /dev/fuse rw, diff --git a/apparmor.d/git b/apparmor.d/git index d03f128f..e4619a75 100644 --- a/apparmor.d/git +++ b/apparmor.d/git @@ -15,7 +15,14 @@ include @{BUILD_DIR} = /media/debuilder/ -@{exec_path} = /{usr/,}bin/git +@{exec_path} = /{usr/,}bin/git +@{exec_path} += /{usr/,}bin/git-* +@{exec_path} += /{usr/,}lib/git-core/git +@{exec_path} += /{usr/,}lib/git-core/git-* +@{exec_path} += /usr/libexec/git-core/git +@{exec_path} += /usr/libexec/git-core/git-* +@{exec_path} += /usr/libexec/git-core/mergetools/* + profile git @{exec_path} { include include 
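Review bot: The new `mount fstype={fuse,fuse.*} -> /tmp/.mount_*/,` and `-> /media/*/*/,` targets widen where fusermount may mount, and mount rules cannot be `owner`-qualified, so a directory any local user creates under the world-writable `/tmp` with a `.mount_` prefix is an acceptable target as far as this profile is concerned; the remaining protection is fusermount's own mountpoint-ownership check. A comment stating that the rule relies on that check, e.g. `# AppImage runtime mountpoints; ownership is enforced by fusermount itself`, and narrowing the glob if the runtime's naming is fixed, would document the trust boundary. The `umount /tmp/.mount_*/,` rule in the second hunk and the `**.AppImage r` rules in the third follow the same pattern and can share the comment.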
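Review bot: `@{exec_path} += /{usr/,}bin/git-*` attaches this profile to any `git-*` executable in `/usr/bin`, which on many systems includes third-party extensions such as `git-lfs` or `git-annex` that are full programs; together with the `@{exec_path} mrix,` rule in the next hunk, those tools and the `mergetools/*` helper scripts all run with the git profile's permissions, and their denials will surface as git denials. If only the git package's own helpers are meant, listing them, e.g. `@{exec_path} += /{usr/,}bin/git-{receive-pack,shell,upload-archive,upload-pack}`, is tighter; otherwise a comment should state that extensions are deliberately covered.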
@@ -27,10 +34,7 @@ profile git @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} mr, - - /{usr/,}lib/git-core/git rix, - /{usr/,}lib/git-core/git-* rix, + @{exec_path} mrix, # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you # the most similar commands, which it thinks can be used instead. Git binaries are all under @@ -159,8 +163,8 @@ profile git @{exec_path} { owner @{HOME}/.fzf/plugin/fzf.vim r, # The git repository files - owner /media/debuilder/ r, - owner /media/debuilder/** rw, + owner @{BUILD_DIR}/ r, + owner @{BUILD_DIR}/** rw, } diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index 10797841..d5f3f9f7 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome @@ -49,7 +49,7 @@ profile google-chrome-chrome @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - deny network netlink raw, + network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin index e241d52b..b23b0745 100644 --- a/apparmor.d/gpartedbin +++ b/apparmor.d/gpartedbin @@ -30,8 +30,8 @@ profile gpartedbin @{exec_path} { # will remain in use. You should reboot now before making further changes. capability sys_admin, - # When gparted is started via pkexec. - #capability dac_read_search, + # + capability dac_read_search, # Needed? (##FIXME##) capability sys_rawio, diff --git a/apparmor.d/gvfs-udisks2-volume-monitor b/apparmor.d/gvfs-udisks2-volume-monitor index 6ef3af94..46e642ab 100644 --- a/apparmor.d/gvfs-udisks2-volume-monitor +++ b/apparmor.d/gvfs-udisks2-volume-monitor @@ -17,6 +17,7 @@ include @{exec_path} += /usr/libexec/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include + include include include include 
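Review bot: The comment explaining the capability was replaced by an empty `#` line when `capability dac_read_search,` was enabled, so the reader loses the reason it is needed; keep the original text, `# When gparted is started via pkexec.`, directly above the rule, or drop the empty comment line rather than leave a blank marker. The enclosing profile starts and ends outside the hunk.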
@@ -47,18 +48,19 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { @{HOME}/*/*/**/ r, @{HOME}/bluetooth/ r, - owner @{HOME}/.local/share/mime/treemagic r, - /usr/share/mime/treemagic r, + / r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @{run}/mount/utab r, + @{PROC}/ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, + @{PROC}/locks r, include if exists } diff --git a/apparmor.d/gvfsd b/apparmor.d/gvfsd index 854c1d4e..7ba4a2c4 100644 --- a/apparmor.d/gvfsd +++ b/apparmor.d/gvfsd @@ -23,8 +23,8 @@ profile gvfsd @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, # Don't strip env here. - /{usr/,}lib/gvfs/gvfsd-* rcx -> backends, - /usr/libexec/gvfsd-* rcx -> backends, + /{usr/,}lib/gvfs/gvfsd-* rPx, + /usr/libexec/gvfsd-* rPx, /usr/share/gvfs/{,**} r, @@ -32,42 +32,5 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - - profile backends { - include - include - include - include - include - include - include - include - - mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, - - /{usr/,}lib/gvfs/gvfsd-* mr, - /usr/libexec/gvfsd-* mr, - - /{usr/,}bin/ssh rPx, - /usr/bin/fusermount{,3} rPx, - - /dev/ptmx rw, - /dev/fuse rw, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - owner @{run}/samba/ rw, - @{run}/mount/utab r, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - include - owner @{run}/user/[0-9]*/dconf/ rw, - owner @{run}/user/[0-9]*/dconf/user rw, - - } - include if exists } diff --git a/apparmor.d/gvfsd-admin b/apparmor.d/gvfsd-admin new file mode 100644 index 00000000..19a2d0f6 --- /dev/null +++ b/apparmor.d/gvfsd-admin 
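Review bot: `/ r,` and `@{PROC}/locks r,` are added without comments, and the two self-explanatory `treemagic` read rules they replace are gone, so the intent is no longer visible; presumably the root-directory listing and `/proc/locks` serve mount-point and busy-device checks, but that is inferred. A comment on each, e.g. `# root dir listing for mount-point lookup` and `# /proc/locks lists lock holders of all processes`, would keep the purpose with the rule and make the small cross-process information exposure of the second one a recorded choice. The enclosing profile starts outside the hunk.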
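Review bot: Replacing `rcx -> backends` with `/{usr/,}lib/gvfs/gvfsd-* rPx,` and `/usr/libexec/gvfsd-* rPx,` means every backend binary must have its own profile: any `gvfsd-*` binary without one — a backend shipped by a later gvfs release, or one not covered by this commit — will now fail to execute instead of running under the former shared child profile. A comment above the two rules, e.g. `# Each backend needs a matching gvfsd-<name> profile (rPx)`, would make that failure mode recognisable when a denial shows up. The `backends` child profile removed in the second hunk carried fuse, ssh and dconf rules; the per-backend profiles that need them (gvfsd-fuse, gvfsd-sftp, gvfsd-smb) appear to pick them up, but the others in this commit do not.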
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-admin
+@{exec_path} += /usr/libexec/gvfsd-admin
+profile gvfsd-admin @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-afc b/apparmor.d/gvfsd-afc
new file mode 100644
index 00000000..fc462918
--- /dev/null
+++ b/apparmor.d/gvfsd-afc
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afc
+@{exec_path} += /usr/libexec/gvfsd-afc
+profile gvfsd-afc @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-afp b/apparmor.d/gvfsd-afp
new file mode 100644
index 00000000..0cad503c
--- /dev/null
+++ b/apparmor.d/gvfsd-afp
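Review bot: The profile body is a single `include` plus `@{exec_path} mr,` with no network, file or proc rules and no `flags=(complain)`, so once loaded in enforce mode the admin backend, which brokers privileged file access through polkit, will be denied on its first real operation. gvfsd-afc, gvfsd-afp, gvfsd-afp-browse, gvfsd-burn, gvfsd-cdda, gvfsd-computer, gvfsd-dav, gvfsd-dnssd, gvfsd-google, gvfsd-gphoto2, gvfsd-localtest and gvfsd-network in this commit have the same skeleton body (the include target itself is not visible here). Either add `flags=(complain)` to the `profile` line until each backend has been profiled, or a comment such as `# Skeleton profile: backend not yet profiled` so the denials are not mistaken for deliberate policy.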
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp
+@{exec_path} += /usr/libexec/gvfsd-afp
+profile gvfsd-afp @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-afp-browse b/apparmor.d/gvfsd-afp-browse
new file mode 100644
index 00000000..9c32b00a
--- /dev/null
+++ b/apparmor.d/gvfsd-afp-browse
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp-browse
+@{exec_path} += /usr/libexec/gvfsd-afp-browse
+profile gvfsd-afp-browse @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-archive b/apparmor.d/gvfsd-archive
new file mode 100644
index 00000000..5b0e8b46
--- /dev/null
+++ b/apparmor.d/gvfsd-archive
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-archive
+@{exec_path} += /usr/libexec/gvfsd-archive
+profile gvfsd-archive @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner /**.tar r,
+ owner /**.tar.gz r,
+ owner /**.zip r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-burn b/apparmor.d/gvfsd-burn
new file mode 100644
index 00000000..024a4c33
--- /dev/null
+++ b/apparmor.d/gvfsd-burn
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-burn
+@{exec_path} += /usr/libexec/gvfsd-burn
+profile gvfsd-burn @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-cdda b/apparmor.d/gvfsd-cdda
new file mode 100644
index 00000000..ad3575c1
--- /dev/null
+++ b/apparmor.d/gvfsd-cdda
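Review bot: `owner /**.tar r,`, `owner /**.tar.gz r,` and `owner /**.zip r,` cover only a few of the formats the archive backend's library presumably reads, so `.tar.xz`, `.tar.bz2`, `.tgz`, `.7z` or `.iso` mounts will be denied; either widen to a brace list such as `owner /**.{tar,tar.gz,tgz,tar.xz,tar.bz2,zip,7z,iso} r,` or add a comment stating the list is intentionally minimal. Note also that `/**` spans the whole filesystem; if archives are only expected under `@{HOME}` and `/media`, those prefixes would be narrower.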
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-cdda
+@{exec_path} += /usr/libexec/gvfsd-cdda
+profile gvfsd-cdda @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-computer b/apparmor.d/gvfsd-computer
new file mode 100644
index 00000000..0954ae2a
--- /dev/null
+++ b/apparmor.d/gvfsd-computer
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-computer
+@{exec_path} += /usr/libexec/gvfsd-computer
+profile gvfsd-computer @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-dav b/apparmor.d/gvfsd-dav
new file mode 100644
index 00000000..836ba8e8
--- /dev/null
+++ b/apparmor.d/gvfsd-dav
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-dav
+@{exec_path} += /usr/libexec/gvfsd-dav
+profile gvfsd-dav @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-dnssd b/apparmor.d/gvfsd-dnssd
new file mode 100644
index 00000000..4e7b1eb8
--- /dev/null
+++ b/apparmor.d/gvfsd-dnssd
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-dnssd
+@{exec_path} += /usr/libexec/gvfsd-dnssd
+profile gvfsd-dnssd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-ftp b/apparmor.d/gvfsd-ftp
new file mode 100644
index 00000000..0bba1d98
--- /dev/null
+++ b/apparmor.d/gvfsd-ftp
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-ftp
+@{exec_path} += /usr/libexec/gvfsd-ftp
+profile gvfsd-ftp @{exec_path} {
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-fuse b/apparmor.d/gvfsd-fuse
new file mode 100644
index 00000000..2f741a2d
--- /dev/null
+++ b/apparmor.d/gvfsd-fuse
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-fuse
+@{exec_path} += /usr/libexec/gvfsd-fuse
+profile gvfsd-fuse @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/fusermount{,3} rPx,
+
+ mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
+
+ /dev/fuse rw,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-google b/apparmor.d/gvfsd-google
new file mode 100644
index 00000000..badf8bcb
--- /dev/null
+++ b/apparmor.d/gvfsd-google
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-google
+@{exec_path} += /usr/libexec/gvfsd-google
+profile gvfsd-google @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-gphoto2 b/apparmor.d/gvfsd-gphoto2
new file mode 100644
index 00000000..7b40c49f
--- /dev/null
+++ b/apparmor.d/gvfsd-gphoto2
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-gphoto2
+@{exec_path} += /usr/libexec/gvfsd-gphoto2
+profile gvfsd-gphoto2 @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-http b/apparmor.d/gvfsd-http
new file mode 100644
index 00000000..52f8263b
--- /dev/null
+++ b/apparmor.d/gvfsd-http
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-http
+@{exec_path} += /usr/libexec/gvfsd-http
+profile gvfsd-http @{exec_path} {
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-localtest b/apparmor.d/gvfsd-localtest
new file mode 100644
index 00000000..60546d9d
--- /dev/null
+++ b/apparmor.d/gvfsd-localtest
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-localtest
+@{exec_path} += /usr/libexec/gvfsd-localtest
+profile gvfsd-localtest @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-mtp b/apparmor.d/gvfsd-mtp
new file mode 100644
index 00000000..43fd24ae
--- /dev/null
+++ b/apparmor.d/gvfsd-mtp
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-mtp
+@{exec_path} += /usr/libexec/gvfsd-mtp
+profile gvfsd-mtp @{exec_path} {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-network b/apparmor.d/gvfsd-network
new file mode 100644
index 00000000..23bb13f9
--- /dev/null
+++ b/apparmor.d/gvfsd-network
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-network
+@{exec_path} += /usr/libexec/gvfsd-network
+profile gvfsd-network @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-nfs b/apparmor.d/gvfsd-nfs
new file mode 100644
index 00000000..fe91c674
--- /dev/null
+++ b/apparmor.d/gvfsd-nfs
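Review bot: The MTP backend reaches devices through libusb, which opens `/dev/bus/usb/**` and reads descriptors under `@{sys}/bus/usb/` and `@{sys}/devices/**`; nothing here grants that, only `network netlink raw,` (the udev uevent socket), so device access will presumably be denied in enforce mode unless one of the stripped includes provides it. A comment naming the include that carries the USB rules, or explicit `/dev/bus/usb/ r,` and `/dev/bus/usb/[0-9]*/[0-9]* rw,` rules, would make that dependency visible.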
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-nfs
+@{exec_path} += /usr/libexec/gvfsd-nfs
+profile gvfsd-nfs @{exec_path} {
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-recent b/apparmor.d/gvfsd-recent
new file mode 100644
index 00000000..4d61a109
--- /dev/null
+++ b/apparmor.d/gvfsd-recent
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-recent
+@{exec_path} += /usr/libexec/gvfsd-recent
+profile gvfsd-recent @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.local/share/recently-used.xbel r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-sftp b/apparmor.d/gvfsd-sftp
new file mode 100644
index 00000000..372b5d4a
--- /dev/null
+++ b/apparmor.d/gvfsd-sftp
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-sftp
+@{exec_path} += /usr/libexec/gvfsd-sftp
+profile gvfsd-sftp @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/ptmx rw,
+
+ /{usr/,}bin/ssh rPx,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-smb b/apparmor.d/gvfsd-smb
new file mode 100644
index 00000000..ab0df74d
--- /dev/null
+++ b/apparmor.d/gvfsd-smb
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb
+@{exec_path} += /usr/libexec/gvfsd-smb
+profile gvfsd-smb @{exec_path} {
+ include
+ include
+
+ network netlink raw,
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} mr,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /etc/samba/smb.conf r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-smb-browse b/apparmor.d/gvfsd-smb-browse
new file mode 100644
index 00000000..70c02be6
--- /dev/null
+++ b/apparmor.d/gvfsd-smb-browse
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb-browse
+@{exec_path} += /usr/libexec/gvfsd-smb-browse
+profile gvfsd-smb-browse @{exec_path} {
+ include
+
+ network netlink raw,
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} mr,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /etc/samba/smb.conf r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-trash b/apparmor.d/gvfsd-trash
new file mode 100644
index 00000000..3fb4fc13
--- /dev/null
+++ b/apparmor.d/gvfsd-trash
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd-trash
+@{exec_path} += /usr/libexec/gvfsd-trash
+profile gvfsd-trash @{exec_path} {
+ include
+ include
+ include
+ include
+
+ # When mounting a SMB share
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ @{run}/mount/utab r,
+
+ include if exists
+}
diff --git a/apparmor.d/gzdoom b/apparmor.d/gzdoom
new file mode 100644
index 00000000..93b507bc
--- /dev/null
+++ b/apparmor.d/gzdoom
@@ -0,0 +1,102 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /usr/games/gzdoom
+@{exec_path} += /opt/gzdoom/gzdoom
+profile gzdoom @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ ptrace (trace) peer=@{profile_name},
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ /{usr/,}bin/zsh rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/xmessage rix,
+ /{usr/,}bin/gdb rix,
+ /{usr/,}bin/iconv rix,
+
+ /opt/gzdoom/ r,
+ /opt/gzdoom/** mr,
+
+ /etc/gdb/gdbinit.d/ r,
+ /etc/gdb/gdbinit r,
+
+ /usr/share/gdb/{,**} r,
+ /usr/share/gcc/{,**} r,
+ deny /usr/share/gdb/{,**} w,
+ deny /usr/share/gcc/{,**} w,
+
+ /etc/zsh/zshenv r,
+
+ /etc/X11/app-defaults/* r,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.config/gzdoom/ rw,
+ owner @{HOME}/.config/gzdoom/** rw,
+
+ owner @{HOME}/.config/zdoom/ rw,
+ owner @{HOME}/.config/zdoom/** rwk,
+
+ owner @{HOME}/gzdoom-crash.log rw,
+
+ owner @{HOME}/gdb-respfile-* rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pids}/mem r,
+ owner @{PROC}/@{pids}/task/@{tid}/stat r,
+ owner @{PROC}/@{pids}/task/@{tid}/comm r,
+ owner @{PROC}/@{pids}/task/@{tid}/maps r,
+ owner @{PROC}/@{pids}/task/ r,
+ owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/cmdline r,
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/sound/ r,
+ @{sys}/class/input/ r,
+ @{sys}/class/hidraw/ r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/**/sound/**/{uevent,ev,rel,key,abs} r,
+ @{sys}/devices/**/input/**/{uevent,ev,rel,key,abs} r,
+
+ @{run}/udev/data/+sound:* r,
+ @{run}/udev/data/+input:* r,
+ @{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
+ @{run}/udev/data/c116:[0-9]* r, # For ALSA
+ @{run}/udev/data/c240:[0-9]* r, # For USB HID
+
+ include if exists
+}
diff --git a/apparmor.d/htop b/apparmor.d/htop
index df7f9ef5..02c1c616 100644
--- a/apparmor.d/htop
+++ b/apparmor.d/htop
@@ -29,7 +29,7 @@ profile htop @{exec_path} {
 capability sys_ptrace,
- # Needed?
+ # Needed? (for system state)
 audit deny capability net_admin,
 signal (send),
@@ -45,6 +45,10 @@ profile htop @{exec_path} {
 @{PROC}/tty/drivers r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/pressure/cpu r,
+ @{PROC}/pressure/io r,
+ @{PROC}/pressure/memory r,
+ @{PROC}/diskstats r,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/stat r,
@@ -69,11 +73,25 @@ profile htop @{exec_path} {
 @{PROC}/@{pids}/task/@{tid}/status r,
 @{PROC}/@{pids}/task/@{tid}/io r,
 @{PROC}/@{pids}/task/@{tid}/comm r,
+ @{PROC}/@{pids}/net/dev r,
 owner @{PROC}/@{pid}/smaps_rollup r,
 @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
+ @{sys}/class/i2c-adapter/ r,
+ @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
+ @{sys}/class/hwmon/ r,
+ @{sys}/class/power_supply/ r,
+ @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
+ @{sys}/devices/**/hwmon/ r,
+ @{sys}/devices/**/hwmon/{name,temp*} r,
+ @{sys}/devices/**/hwmon/**/ r,
+ @{sys}/devices/**/hwmon/**/{name,temp*} r,
+ @{sys}/devices/**/hwmon[0-9]*/ r,
+ @{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
+ @{sys}/devices/**/hwmon[0-9]*/**/ r,
+ @{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r,
 owner @{HOME}/.config/htop/ rw,
 owner @{HOME}/.config/htop/htoprc rw,
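Review bot: `/{usr/,}bin/gdb rix,` combined with `ptrace (trace) peer=@{profile_name},` and `owner @{PROC}/@{pids}/mem r,` runs a debugger inside the game's own profile with read access to the memory of every owned process confined by it; presumably this is gzdoom's crash handler dumping a backtrace of itself, but nothing in the profile says so. Add a comment above the gdb line such as `# Crash handler: gzdoom spawns gdb to backtrace itself, hence the ptrace/mem rules` so a later reader does not narrow `@{pids}` to `@{pid}` and break it. The `deny /usr/share/gdb/{,**} w,` and `deny /usr/share/gcc/{,**} w,` lines grant nothing (writes are refused by default) and only quiet the log; tag them with the `# Silence the noise` comment this commit uses elsewhere.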
@@ -85,5 +103,8 @@ profile htop @{exec_path} {
 # htop[]: Oh, oh, it's an error! possibly I die!
 /dev/tty[0-9]* rw,
+ /etc/sensors.d/ r,
+ /etc/sensors3.conf r,
+
 include if exists
 }
diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc
index ddfdc410..b1ae0489 100644
--- a/apparmor.d/keepassxc
+++ b/apparmor.d/keepassxc
@@ -38,8 +38,8 @@ profile keepassxc @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink dgram,
- deny network netlink raw,
+ network netlink dgram,
+ network netlink raw,
 @{exec_path} mrix,
diff --git a/apparmor.d/keepassxc-proxy b/apparmor.d/keepassxc-proxy
index 199ce6c7..2c843714 100644
--- a/apparmor.d/keepassxc-proxy
+++ b/apparmor.d/keepassxc-proxy
@@ -25,7 +25,7 @@ profile keepassxc-proxy @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
+ network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/kodi b/apparmor.d/kodi
index 13db35e9..556d4c4a 100644
--- a/apparmor.d/kodi
+++ b/apparmor.d/kodi
@@ -60,13 +60,6 @@ profile kodi @{exec_path} {
 /usr/share/icons/*/index.theme r,
 /etc/mime.types r,
- # Media lib
- / r,
- /media/ r,
- /media/{Kabi,Zami}/ r,
- /media/Kabi/mp3/{,**} r,
- /media/Zami/{Film,Serial}/{,**} r,
-
 /etc/timezone r,
 /etc/fstab r,
diff --git a/apparmor.d/mount b/apparmor.d/mount
index e714794d..d1d2b982 100644
--- a/apparmor.d/mount
+++ b/apparmor.d/mount
@@ -38,7 +38,9 @@ profile mount @{exec_path} flags=(complain) {
 @{exec_path} mr,
 /{usr/,}bin/ntfs-3g rPx,
- /{usr/,}sbin/mount.cifs rPx,
+ /{usr/,}bin/lowntfs-3g rPx,
+ /{usr/,}bin/sshfs rPx,
+ /{usr/,}sbin/mount.* rPx,
 # Mount points
 /media/*/ r,
diff --git a/apparmor.d/mount-cifs b/apparmor.d/mount-cifs
new file mode 100644
index 00000000..2057a4fb
--- /dev/null
+++ b/apparmor.d/mount-cifs
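Review bot: The flip from `deny network netlink raw,` to `network netlink raw,` (and `netlink dgram` here) is made without explanation in keepassxc and repeated in keepassxc-proxy, mpv, opera, quiterss, smplayer, thunderbird, vlc and wget in this commit. A raw NETLINK_ROUTE socket is what the C library uses for local interface enumeration, which is presumably the denial being fixed — confirm from the audit log and record it once, e.g. `# netlink raw/dgram: interface enumeration (getifaddrs), see audit log`, so a future cleanup does not re-introduce the deny. The earlier deny lines were evidently deliberate, so the reason for reversing them belongs in the profile rather than only in the commit.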
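Review bot: `/{usr/,}sbin/mount.* rPx,` replaces one named helper with a glob, and with `P` any `mount.<fs>` helper that has no loaded profile is refused rather than run; only mount-cifs and mount-nfs gain profiles in this commit, so other helpers will stop working silently. That fail-closed behaviour is the right default, but it should be stated next to the rule: `# Every mount.* helper needs its own profile; Px refuses the exec otherwise`. The same comment belongs on the matching `/{usr/,}sbin/umount.* rPx,` line in umount later in this commit.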
@@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020-2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}sbin/mount.cifs
+profile mount-cifs @{exec_path} flags=(complain) {
+ include
+ include
+
+ # To mount anything.
+ capability sys_admin,
+
+ # (#FIXME#)
+ capability setpcap,
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/systemd-ask-password rPUx,
+
+ /etc/fstab r,
+
+ owner @{HOME}/.smbcredentials r,
+
+ # Mount points
+ /media/*/ r,
+ /media/*/*/ r,
+ /mnt/ r,
+ /mnt/*/ r,
+
+ # Allow to mount smb/cifs disks only under the /media/ dirs
+ mount fstype=cifs -> /media/*/,
+ mount fstype=cifs -> /media/*/*/,
+ mount fstype=cifs -> /mnt/,
+ mount fstype=cifs -> /mnt/*/,
+
+ umount /media/*/,
+ umount /media/*/*/,
+ umount /mnt/,
+ umount /mnt/*/,
+
+ include if exists
+}
diff --git a/apparmor.d/mount-nfs b/apparmor.d/mount-nfs
new file mode 100644
index 00000000..ce466d89
--- /dev/null
+++ b/apparmor.d/mount-nfs
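Review bot: The comment `# Allow to mount smb/cifs disks only under the /media/ dirs` is contradicted by the rules below it, which also permit `/mnt/` and `/mnt/*/`; change it to `# Allow mounting smb/cifs shares only under /media/ and /mnt/`. `capability setpcap,` is tagged `(#FIXME#)` but the tag records neither the observed denial nor whether the capability is really required, and since the profile is still `flags=(complain)` this is the moment to note what the audit log showed. The mount rules constrain only `fstype` and target; if the mount options in use are known, an `options=` clause is the tighter form and would make `sys_admin` easier to justify.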
@@ -0,0 +1,72 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2019-2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}sbin/mount.nfs
+profile mount-nfs @{exec_path} flags=(complain) {
+ include
+ include
+
+ # To be able to mount anything
+ capability sys_admin,
+
+ capability chown,
+ capability setgid,
+ capability setuid,
+ capability net_bind_service,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}sbin/start-statd rix,
+ /{usr/,}bin/flock rix,
+
+ /usr/bin/systemctl rPx -> child-systemctl,
+
+ /etc/fstab r,
+ /etc/netconfig r,
+ /etc/rpc r,
+
+ @{PROC}/filesystems r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ owner @{run}/mount/utab{,.*} rw,
+ owner @{run}/mount/utab.lock wk,
+
+ owner @{run}/rpc.statd.lock wk,
+
+ # Mount points
+ /media/*/ r,
+ /media/*/*/ r,
+ /mnt/ r,
+ /mnt/*/ r,
+
+ # Allow to mount smb/cifs disks only under the /media/ dirs
+ mount fstype=nfs -> /media/*/,
+ mount fstype=nfs -> /media/*/*/,
+ mount fstype=nfs -> /mnt/,
+ mount fstype=nfs -> /mnt/*/,
+
+ umount /media/*/,
+ umount /media/*/*/,
+ umount /mnt/,
+ umount /mnt/*/,
+
+ include if exists
+}
diff --git a/apparmor.d/mpsyt b/apparmor.d/mpsyt
index 9009cc1f..cd7cabe0 100644
--- a/apparmor.d/mpsyt
+++ b/apparmor.d/mpsyt
@@ -53,10 +53,6 @@ profile mpsyt @{exec_path} {
 # Cache files
 owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js_*.json{,.*.tmp} rw,
- # Download DIR
- /media/Kabi/YT/ r,
- /media/Kabi/YT/** rw,
-
 /etc/inputrc r,
 /etc/mime.types r,
diff --git a/apparmor.d/mpv b/apparmor.d/mpv
index c244af25..02ec839c 100644
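Review bot: `# Allow to mount smb/cifs disks only under the /media/ dirs` was copied from the cifs profile: this file mounts `fstype=nfs` and also allows `/mnt/`, so the comment should read `# Allow mounting NFS exports only under /media/ and /mnt/`. `/{usr/,}bin/{,ba,da}sh rix,` runs a shell with this profile's own capabilities (`sys_admin`, `setuid`, `setgid`, `chown`); it is presumably there for the `start-statd` script that follows, and naming that caller in a comment, e.g. `# shell for /usr/sbin/start-statd`, keeps the shell rule reviewable once the profile leaves `flags=(complain)`.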
--- a/apparmor.d/mpv
+++ b/apparmor.d/mpv
@@ -85,7 +85,7 @@ profile mpv @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
+ network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/nemo b/apparmor.d/nemo
new file mode 100644
index 00000000..9456ec2b
--- /dev/null
+++ b/apparmor.d/nemo
@@ -0,0 +1,95 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/nemo
+profile nemo @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ # This should be tightened when the "profile has merged rule with conflicting x modifiers" error
+ # will be fixed. (#FIXME#)
+ include
+ include
+
+ # For root window
+ deny capability dac_read_search,
+ deny capability dac_override,
+
+ # Needed?
+ deny capability sys_nice,
+
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/@{multiarch}/nemo/** mrix,
+
+ /usr/libexec/gvfsd-* rPx,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # To read/write files in the system. The read permission is granted for all files, the write
+ # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
+ # the list.
+ / r,
+ /boot/ r,
+ /boot/** r,
+ owner /boot/** rw,
+ /etc/ r,
+ /etc/** r,
+ owner /etc/** rw,
+ /home/ r,
+ /home/** r,
+ owner /home/** rw,
+ /lost+found/ r,
+ /lost+found/** r,
+ owner /lost+found/** rw,
+ /media/ r,
+ /media/** r,
+ owner /media/** rw,
+ /mnt/ r,
+ /mnt/** r,
+ owner /mnt/** rw,
+ /opt/ r,
+ /opt/** r,
+ owner /opt/** rw,
+ /root/ r,
+ /root/** r,
+ owner /root/** rw,
+ /run/ r,
+ /run/** r,
+ owner /run/** rw,
+ /srv/ r,
+ /srv/** r,
+ owner /srv/** rw,
+ /tmp/ r,
+ /tmp/** r,
+ owner /tmp/** rw,
+ /usr/ r,
+ /usr/** r,
+ owner /usr/** rw,
+ /var/ r,
+ /var/** r,
+ owner /var/** rw,
+
+ include if exists
+}
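Review bot: The block starting at `/ r,` grants read on nearly the entire filesystem (`/etc/**`, `/home/**`, `/root/**`, `/run/**`, `/usr/**`, …) plus `owner` write under the same trees, so the only thing stopping this file manager from reading other users' files is discretionary access control, which in turn depends on the `deny capability dac_read_search,` and `deny capability dac_override,` lines above — the comment `# For root window` does not convey that. Replace it with `# Keep DAC in force: the broad r rules below rely on these denies to block cross-user reads when run as root`. The three-line `# To read/write files in the system …` comment should also say that this list is a deliberate stand-in for unconfined file access until the `(#FIXME#)` above is resolved. `/usr/libexec/gvfsd-* rPx,` presumes a profile for every gvfsd backend; backends not added in this commit will be refused.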
diff --git a/apparmor.d/openbox b/apparmor.d/openbox
index 9d7f102b..d33a208d 100644
--- a/apparmor.d/openbox
+++ b/apparmor.d/openbox
@@ -46,6 +46,7 @@ profile openbox @{exec_path} {
 owner @{HOME}/.cache/ rw,
 owner @{HOME}/.cache/openbox/ rw,
 owner @{HOME}/.cache/openbox/openbox.log rw,
+ owner @{HOME}/.cache/openbox/sessions/ rw,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/opera b/apparmor.d/opera
index 6db15073..11f4e585 100644
--- a/apparmor.d/opera
+++ b/apparmor.d/opera
@@ -52,7 +52,7 @@ profile opera @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
+ network netlink raw,
 @{exec_path} mrix,
diff --git a/apparmor.d/pam-auth-update b/apparmor.d/pam-auth-update
index 46b8acf9..e1ac53f4 100644
--- a/apparmor.d/pam-auth-update
+++ b/apparmor.d/pam-auth-update
@@ -59,7 +59,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
 include
 capability dac_read_search,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
- /{usr/,}bin/hostname rPx,
+ /{usr/,}bin/hostname rix,
 owner @{PROC}/@{pid}/mounts r,
 @{HOME}/.Xauthority r,
diff --git a/apparmor.d/ps b/apparmor.d/ps
index 7bdccc51..c0dba909 100644
--- a/apparmor.d/ps
+++ b/apparmor.d/ps
@@ -54,6 +54,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/vm/min_free_kbytes r,
 @{PROC}/tty/drivers r,
 @{PROC}/uptime r,
diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus
index 76fb629b..222fd78c 100644
--- a/apparmor.d/psi-plus
+++ b/apparmor.d/psi-plus
@@ -124,7 +124,7 @@ profile psi-plus @{exec_path} {
 owner @{HOME}/.Xauthority r,
 # file_inherit
- deny /dev/dri/card[0-9]* rw,
+ /dev/dri/card[0-9]* rw,
 }
@@ -137,7 +137,7 @@ profile psi-plus @{exec_path} {
 owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
 # file_inherit
- deny /dev/dri/card[0-9]* rw,
+ /dev/dri/card[0-9]* rw,
 }
diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss
index 0a3f9597..77e805c3 100644
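Review bot: `/{usr/,}bin/hostname rix,` replaces a transition to a dedicated profile with execution inside this one, so hostname now inherits pam-auth-update's rules including `capability dac_read_search,`; the same change is made in ucf and xdg-screensaver later in this commit. For a small helper this is an acceptable trade, but the reason — presumably the separate hostname profile was dropped or its Px transition was failing — is stated nowhere; add it once, e.g. `# hostname runs under this profile, no dedicated profile exists`. The enclosing child block of pam-auth-update begins outside the hunk.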
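Review bot: Replacing `deny /dev/dri/card[0-9]* rw,` with `/dev/dri/card[0-9]* rw,` under `# file_inherit` in both psi-plus child profiles turns a log-silencing deny into a grant: the child can now open the DRM device itself rather than merely hold an inherited descriptor. If the goal is only to quiet inherited-fd denials, the deny was the correct rule; if the child genuinely needs the device, say so and retire the now-misleading `# file_inherit` comment, e.g. `# GPU access needed by the child itself, not just inherited`. Both child profile headers sit outside the hunks.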
--- a/apparmor.d/quiterss
+++ b/apparmor.d/quiterss
@@ -39,8 +39,8 @@ profile quiterss @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
- deny network netlink dgram,
+ network netlink raw,
+ network netlink dgram,
 @{exec_path} mr,
diff --git a/apparmor.d/repo b/apparmor.d/repo
index 6f22d9e7..7313d123 100644
--- a/apparmor.d/repo
+++ b/apparmor.d/repo
@@ -13,6 +13,8 @@ abi ,
 include
+@{ANDROID_SOURCE_DIR} = /media/Android/
+
 @{exec_path} = /{usr/,}bin/repo
 profile repo @{exec_path} {
 include
@@ -44,8 +46,8 @@ profile repo @{exec_path} {
 /{usr/,}bin/gpg rCx -> gpg,
 # Android source dir
- owner /media/Android/** rwkl -> /media/Android/**,
- owner /media/Android/**/.repo/repo/main.py rix,
+ owner @{ANDROID_SOURCE_DIR}/** rwkl -> @{ANDROID_SOURCE_DIR}/**,
+ owner @{ANDROID_SOURCE_DIR}/**/.repo/repo/main.py rix,
 owner @{HOME}/.repoconfig/{,**} rw,
 owner @{HOME}/.repo_.gitconfig.json rw,
diff --git a/apparmor.d/smplayer b/apparmor.d/smplayer
index 266a46c2..bf3e4bbe 100644
--- a/apparmor.d/smplayer
+++ b/apparmor.d/smplayer
@@ -89,7 +89,7 @@ profile smplayer @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink dgram,
+ network netlink dgram,
 @{exec_path} mrix,
diff --git a/apparmor.d/spflashtool b/apparmor.d/spflashtool
index 4b4af08f..e7f310ba 100644
--- a/apparmor.d/spflashtool
+++ b/apparmor.d/spflashtool
@@ -16,8 +16,10 @@ include
 @{exec_path} = /opt/SPFlashTool/flash_tool{,.sh}
 profile spflashtool @{exec_path} {
 include
+ include
 include
 include
+ include
 include
 @{exec_path} mrix,
@@ -38,33 +40,18 @@ profile spflashtool @{exec_path} {
 owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w,
 # For reading the scatter.txt file
- / r,
- /media/ r,
- owner /media/Android/{,**/} r,
- owner /media/Android/**scatter.txt r,
-
- # For backups
- owner /media/Android/smartphones_flash_backup/ r,
- owner /media/Android/smartphones_flash_backup/** rw,
+ owner /**/scatter.txt r,
 owner @{HOME}/.config/Trolltech.conf rwk,
 owner @{HOME}/.config/MTK/ rw,
 owner @{HOME}/.config/MTK/Clipper.conf rwk,
- owner @{HOME}/.Xauthority r,
-
- owner @{HOME}/.icons/default/index.theme r,
- /etc/X11/cursors/*.theme r,
- /usr/share/icons/*/cursors/default r,
- /usr/share/icons/*/index.theme rk,
- /usr/share/icons/*/cursors/* r,
-
 /dev/ r,
 # For reading/writing from/to phone flash memory
 /dev/ttyACM[0-9]* rw,
- /sys/devices/pci[0-9]*/**/{idVendor,idProduct} r,
+ @{sys}/devices/pci[0-9]*/**/{idVendor,idProduct} r,
 # Silence the noise
 /opt/SPFlashTool/** w,
diff --git a/apparmor.d/sshfs b/apparmor.d/sshfs
new file mode 100644
index 00000000..bd083143
--- /dev/null
+++ b/apparmor.d/sshfs
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/sshfs
+profile sshfs @{exec_path} flags=(complain) {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/ssh rPx,
+ /{usr/,}bin/fusermount{,3} rPx,
+
+ /dev/fuse rw,
+
+ mount fstype=fuse.sshfs -> @{HOME}/*/,
+ mount fstype=fuse.sshfs -> @{HOME}/*/*/,
+ mount fstype=fuse.sshfs -> /media/*/,
+ mount fstype=fuse.sshfs -> /media/*/*/,
+
+ include if exists
+}
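Review bot: `owner /**/scatter.txt r,` widens the scatter-file read from the old `/media/Android` tree to any owned file of that name anywhere on the filesystem; for a read of a single named file that is a modest grant, but the deliberate loss of the directory scoping, and the silent drop of the `# For backups` rules, should be stated on the line, e.g. `# scatter.txt may live anywhere the user keeps firmware; backups dir no longer pre-granted`. The removed `.Xauthority` and icon/cursor rules are presumably now supplied by the two abstractions added in the previous hunk — confirm, since their names are not visible here.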
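Review bot: `mount fstype=fuse.sshfs -> @{HOME}/*/,` uses a `*` that, in AppArmor globbing, also matches names beginning with a dot, so the permitted mount targets include every dot-directory directly under the home — the configuration and key directories other profiles grant only with `owner`. If those are not intended mount points, list the real mount roots explicitly or add a `deny mount fstype=fuse.sshfs -> @{HOME}/.*/,` rule above the allow. The profile is still `flags=(complain)`, so nothing is enforced yet, and `/dev/fuse rw,` plus the `fusermount{,3}` transition deserve a short comment such as `# FUSE device and the helper used to unmount`.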
diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry
index 1b88eedc..b2d993a8 100644
--- a/apparmor.d/strawberry
+++ b/apparmor.d/strawberry
@@ -13,6 +13,8 @@ abi ,
 include
+@{MEDIA_LIB} = /media/*/mp3/
+
 @{exec_path} = /{usr/,}bin/strawberry
 profile strawberry @{exec_path} {
 include
@@ -54,9 +56,13 @@ profile strawberry @{exec_path} {
 # Media library
 / r,
 /media/ r,
- owner /media/Kabi/ r,
- owner /media/Kabi/mp3/ r,
- owner /media/Kabi/mp3/** rw,
+ owner /media/*/ r,
+ owner @{MEDIA_LIB}/ r,
+ owner @{MEDIA_LIB}/** rw,
+
+ # Playlists
+ owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,
+ owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw,
 owner @{HOME}/ r,
 owner @{HOME}/.config/strawberry/ rw,
diff --git a/apparmor.d/strawberry-tagreader b/apparmor.d/strawberry-tagreader
index d92b5ee5..e5d5de56 100644
--- a/apparmor.d/strawberry-tagreader
+++ b/apparmor.d/strawberry-tagreader
@@ -13,6 +13,8 @@ abi ,
 include
+@{MEDIA_LIB} = /media/*/mp3/
+
 @{exec_path} = /{usr/,}bin/strawberry-tagreader
 profile strawberry-tagreader @{exec_path} {
 include
@@ -27,8 +29,8 @@ profile strawberry-tagreader @{exec_path} {
 @{exec_path} mr,
 # Media library
- owner /media/*/mp3/ r,
- owner /media/*/mp3/** rw,
+ owner @{MEDIA_LIB}/ r,
+ owner @{MEDIA_LIB}/** rw,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/syncthing b/apparmor.d/syncthing
index 5b404dcd..9c0b79bc 100644
--- a/apparmor.d/syncthing
+++ b/apparmor.d/syncthing
@@ -13,6 +13,9 @@ abi ,
 include
+@{SYNC_DIR} = @{HOME}/Sync/
+@{SYNC_DIR} += /media/*/syncthing/
+
 @{exec_path} = /{usr/,}bin/syncthing
 profile syncthing @{exec_path} {
 include
@@ -35,9 +38,7 @@ profile syncthing @{exec_path} {
 owner @{HOME}/.config/syncthing/ rw,
 owner @{HOME}/.config/syncthing/** rwk,
- # The sync folders
- #owner @{HOME}/Sync/{,**} rw,
- owner /media/*/syncthing/{,**} rw,
+ @{SYNC_DIR}/{,**} rw,
 /etc/mime.types r,
diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird
index f59a359d..322ad1de 100644
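Review bot: `@{SYNC_DIR}/{,**} rw,` drops the `owner` qualifier that the replaced line `owner /media/*/syncthing/{,**} rw,` carried, so the profile now also permits writes to files in the sync trees that belong to other users (limited only by DAC), which is a broadening the commit does not mention. Unless syncthing must write files it does not own, restore it: `owner @{SYNC_DIR}/{,**} rw,`. The removed `# The sync folders` comment was the only explanation of these paths; re-add it above the new rule, noting that `@{SYNC_DIR}` now lists both the home `Sync/` directory and `/media/*/syncthing/`.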
--- a/apparmor.d/thunderbird
+++ b/apparmor.d/thunderbird
@@ -46,7 +46,7 @@ profile thunderbird @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
+ network netlink raw,
 # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
 # to "1".
diff --git a/apparmor.d/ucf b/apparmor.d/ucf
index 8d25e496..493408f2 100644
--- a/apparmor.d/ucf
+++ b/apparmor.d/ucf
@@ -113,7 +113,7 @@ profile ucf @{exec_path} flags=(complain) {
 include
 capability dac_read_search,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
- /{usr/,}bin/hostname rPx,
+ /{usr/,}bin/hostname rix,
 owner @{PROC}/@{pid}/mounts r,
 @{HOME}/.Xauthority r,
diff --git a/apparmor.d/umount b/apparmor.d/umount
index 22caa74c..91b2517c 100644
--- a/apparmor.d/umount
+++ b/apparmor.d/umount
@@ -16,6 +16,7 @@ include
 @{exec_path} = /{usr/,}bin/umount
 profile umount @{exec_path} flags=(complain) {
 include
+ include
 # To be able to umount anything
 # umount2("/mnt", 0) = -1 EPERM (Operation not permitted)
@@ -33,9 +34,12 @@ profile umount @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /{usr/,}sbin/umount.udisks2 rPx,
+ /{usr/,}sbin/umount.* rPx,
 # Mount points
+ @{HOME}/ r,
+ @{HOME}/*/ r,
+ @{HOME}/*/*/ r,
 /media/*/ r,
 /media/*/*/ r,
 /mnt/ r,
diff --git a/apparmor.d/upowerd b/apparmor.d/upowerd
index de3bf57e..28a88615 100644
--- a/apparmor.d/upowerd
+++ b/apparmor.d/upowerd
@@ -13,7 +13,8 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd
+@{exec_path} = /{usr/,}lib/upower/upowerd
+@{exec_path} += /usr/libexec/upowerd
 profile upowerd @{exec_path} {
 include
 include
diff --git a/apparmor.d/vlc b/apparmor.d/vlc
index 4bd53476..1502d093 100644
--- a/apparmor.d/vlc
+++ b/apparmor.d/vlc
@@ -84,7 +84,7 @@ profile vlc @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
+ network netlink raw,
 @{exec_path} mrix,
diff --git a/apparmor.d/wget b/apparmor.d/wget
index 505f4ede..acdc4785 100644
--- a/apparmor.d/wget
+++ b/apparmor.d/wget
@@ -30,7 +30,7 @@ profile wget @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
+ network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/xdg-screensaver b/apparmor.d/xdg-screensaver
index 1bf03394..dc6d52b1 100644
--- a/apparmor.d/xdg-screensaver
+++ b/apparmor.d/xdg-screensaver
@@ -37,7 +37,7 @@ profile xdg-screensaver @{exec_path} {
 /{usr/,}bin/xprop rPx,
 /{usr/,}bin/xdg-mime rPx,
 /{usr/,}bin/xset rPx,
- /{usr/,}bin/hostname rPx,
+ /{usr/,}bin/hostname rix,
 /dev/dri/card[0-9] rw,