diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 5de09824..b39ccc85 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -61,6 +61,7 @@ owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SS w, + /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index a3619b16..609bb521 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -3,9 +3,9 @@ # SPDX-License-Identifier: GPL-2.0-only # Core set of resources for any games on Linux. Runtimes such as sandboxing, -# wine, proton, game launchers should use this abstraction. +# wine, proton, game launchers should use this abstraction. -# This abstraction use the following tunables: +# This abstraction uses the following tunables: # - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") # - @{user_games_dirs} for user specific game directories (eg: steam storage dir) @@ -38,7 +38,7 @@ owner @{user_games_dirs}/ r, owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/{,**} rwkl, + owner @{user_games_dirs}/*/** rwlk, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, 
@@ -50,11 +50,15 @@ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/#@{int} rw, + owner @{tmp}/AsyncGPUReadbackPlugin_*.log w, owner @{tmp}/CASESENSITIVETEST@{hex32} rw, owner @{tmp}/crashes/ rw, owner @{tmp}/crashes/** rwk, owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/tmp@{rand6}.tmp rw, + owner @{tmp}/tmp@{rand6}@{h}.tmp rw, + owner @{tmp}/tmp@{rand8}.tmp rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner /dev/shm/mono.@{int} rw, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index 4ac0f7f1..e43ca64e 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -6,10 +6,10 @@ owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl, include if exists diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index dc3f9c21..0f3bce39 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom 
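Review bot: The new `owner @{tmp}/tmp@{rand6}.tmp rw` and `owner @{tmp}/tmp@{rand8}.tmp rw` rules match the generic mkstemp-style names that many unrelated programs use, and because this abstraction is included by every game profile, each game gets read/write on same-user temp files created by other applications. If a specific engine produces these names (the neighbouring `AsyncGPUReadbackPlugin_*.log` rule suggests Unity), a comment naming it, e.g. `# Unity temporary files`, lets a reviewer judge whether the scope is acceptable. The `@{h}` in `tmp@{rand6}@{h}.tmp` is presumably a one-character hex tunable defined in the project's globals — confirm it exists, since an undefined variable is a parser error rather than a runtime denial.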
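Review bot: Dropping `-> @{user_cache_dirs}/qtshadercache/#@{int}` from the two `rwl` rules turns a link rule pinned to one target into an unrestricted `l`, which AppArmor then evaluates with its link-subset test: the cache entry may be hard-linked to any file on which the profile already holds at least the same permissions, not only the `#@{int}` scratch file. If the old target pattern simply did not match what the denial logs showed, fixing the target is preferable to removing it, e.g. `owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},` with whichever side the log reported corrected. The `little_endian` rule in the same hunk has the identical change.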
@@ -18,19 +18,18 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/mount rCx -> mount, @{bin}/umount rCx -> umount, /etc/fstab r, - # Are all of these needed? (#FIXME#) - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - # @{run}/udev/data/* r, + /etc/apt/sources.list{,.new} rw, + /etc/apt/sources.list~ w, + + /var/lib/apt/lists/** rw, + + /var/lib/apt/cdroms.list{,.new} rw, + /var/lib/apt/cdroms.list~ w, # For cd-roms /media/cdrom@{int}/ r, @@ -46,16 +45,15 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, - /var/lib/apt/lists/** rw, + # Are all of these needed? (#FIXME#) + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/fd/ r, - /var/lib/apt/cdroms.list{,.new} rw, - /var/lib/apt/cdroms.list~ w, - - /etc/apt/sources.list{,.new} rw, - /etc/apt/sources.list~ w, - profile mount flags=(complain) { include diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index e5e38279..b06eaa51 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -64,7 +64,7 @@ profile dbus-session flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index fb91234b..45b1ff12 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia 
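Review bot: The `@{bin}/mount rCx -> mount,` transition is removed in the first hunk, but the second hunk's trailing context still shows `profile mount flags=(complain) {`, so that child profile is now unreachable from apt-cdrom. If apt-cdrom no longer executes mount the child profile should be removed with the rule; if it still does, the exec will only be logged while the profile is in complain mode and denied once it is enforced, so the transition should stay. The `#FIXME#` block of `@{sys}` reads is only moved, so the open question it records is unchanged. The profile body continues outside both hunks.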
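Review bot: `@{PROC}/@{pid}/cmdline r` is added without `owner`, and the accounts-daemon hunk in this same diff rewrites `@{pids}` to `@{pid}` for peer lookups, which suggests `@{pid}` matches any pid here — in that case the session bus can read the command line of every process on the host, including other users' processes whose arguments may carry secrets. Peers of a session bus belong to the same user, so `owner @{PROC}/@{pid}/cmdline r,` is probably sufficient; if a cross-user case was observed, a comment naming it would justify the broader form. The rule also replaces the blank line that separated the `@{sys}` group from the `@{PROC}` group.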
@@ -62,13 +62,9 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { include capability mknod, - # capability sys_module, /etc/nvidia/{current,legacy*,tesla*}/*.conf r, - # @{sys}/module/ipmi_devintf/initstate r, - # @{sys}/module/ipmi_msghandler/initstate r, - # @{sys}/module/{drm,nvidia}/initstate r, @{sys}/module/compression r, deny @{HOME}/.steam/** r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 4f2e8b64..1389b2ee 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -21,7 +21,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_ptrace, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, #aa:dbus own bus=system name=org.freedesktop.Accounts @@ -58,24 +58,23 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { /etc/shells r, /etc/sysconfig/displaymanager r, + /var/log/wtmp r, + owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, @{HOME}/ r, owner @{HOME}/.pam_environment r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pids}/loginuid r, - @{PROC}/@{pids}/cmdline r, + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/loginuid r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - - # wtmp.d ? - /var/log/wtmp r, - - owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index cee9898b..bca69b9b 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver 
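Review bot: After the reorder the block holds both `@{PROC}/@{pid}/loginuid r` and `owner @{PROC}/@{pid}/loginuid rw`; the first already covers the owner read, so the second only contributes `w` and `owner @{PROC}/@{pid}/loginuid w,` would make the extra permission stand out. If `@{pid}` and `@{pids}` both match any pid in this project, as the `@{pids}` to `@{pid}` rewrite of the `cmdline` and `loginuid` rules implies, that change is a rename rather than a narrowing, which is worth stating because a reader may assume `@{pid}` means the daemon's own process. The `ptrace read peer=unconfined` change in the first hunk is syntax only.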
@@ -32,14 +32,14 @@ profile xdg-screensaver @{exec_path} { @{bin}/xset rPx, @{bin}/hostname rix, - /dev/dri/card@{int} rw, - owner @{HOME}/ r, owner @{HOME}/.Xauthority r, owner @{tmp}/xauth-@{int}-_[0-9] r, owner @{run}/user/@{uid}/ r, + /dev/dri/card@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 72f5867a..a210cbd1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -39,7 +39,7 @@ profile gnome-control-center-goa-helper @{exec_path} { @{exec_path} mr, - @{bin}/bwrap rPUx, + @{bin}/bwrap rCx -> bwrap, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @@ -48,9 +48,11 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{user_config_dirs}/goa-1.0/accounts.conf r, - owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/** rwl, - owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk, + owner @{user_share_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_share_dirs}/gnome-control-center-goa-helper/** rwk, owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, @@ -63,6 +65,15 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + profile bwrap flags=(attach_disconnected,complain) { + include + include + + @{bin}/bwrap mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index b2851601..a49fe97b 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather 
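Review bot: The new `bwrap` child profile grants only `@{bin}/bwrap mr`; bubblewrap typically needs mount, `pivot_root` and namespace or capability rules, and whatever it launches for the helper needs an exec rule inside the child, none of which appear in the hunk. The include targets were stripped in this rendering, so if one of them is a bwrap abstraction this may already be covered; otherwise the `complain` flag hides the denials until enforcement, and a comment such as `# TODO: complete from collected denials before removing complain` would record that state. Moving from `rPUx` to a confined child is the right direction; this only flags that the child is currently a stub.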
@@ -33,6 +33,8 @@ profile gnome-weather @{exec_path} { owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6ed82086..dc6e8aeb 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -31,38 +31,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff peer=(name=:*, label=systemd-logind), - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member={GrabAccelerators,UngrabAccelerators} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member=AcceleratorActivated - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gsd-rfkill), - dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-rfkill), - dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 43cb9cad..a7aa93d2 100644 
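Review bot: Replacing the hand-written `dbus` rules with `#aa:dbus talk … label=gnome-shell` and `label=gsd-rfkill` directives trades member-level granularity for whatever the directive expands to; the removed rules limited gnome-shell traffic to `GetAll`, `GrabAccelerators`/`UngrabAccelerators` and `AcceleratorActivated`, whereas I believe the generated `talk` rule covers every interface and member under the peer's path. That is likely acceptable for these two trusted peers, but it is a widening rather than a pure refactor and deserves a line in the commit message or a comment next to the directives. The `ListNames` rule in the trailing context continues outside the hunk.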
--- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -32,6 +32,23 @@ profile gpg @{exec_path} { /etc/inputrc r, + #aa:only pacman + /etc/pacman.d/gnupg/gpg.conf r, + /etc/pacman.d/gnupg/pubring.gpg r, + /etc/pacman.d/gnupg/trustdb.gpg r, + + #aa:only apt + owner /etc/apt/keyrings/ rw, + owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, + + owner /var/lib/*/{,.}gnupg/ rw, + owner /var/lib/*/{,.}gnupg/** rwkl -> /var/lib/*/{,.}gnupg/**, + + # TODO: Remove after zypper profile is created + #aa:only zypper + owner /var/tmp/zypp.@{rand6}/ rw, + owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -45,26 +62,6 @@ profile gpg @{exec_path} { owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, - #aa:only apt - owner /etc/apt/keyrings/ rw, - owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, - - #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, - - owner /var/lib/*/gnupg/ rw, - owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, - - owner /var/lib/*/.gnupg/ rw, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - - # TODO: Remove after zypper profile is created - #aa:only zypper - owner /var/tmp/zypp.@{rand6}/ rw, - owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, - #aa:exclude ubuntu owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 7ef09601..ba4987a3 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit 
@@ -28,12 +28,12 @@ profile arch-audit @{exec_path} { /var/lib/pacman/local/{,**} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/pts/@{int} rw, include if exists diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index c1bd7fa3..957e521f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -46,7 +46,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - + # Pacman hooks & install scripts @{sh_path} rix, @{coreutils_path} rix, @@ -64,7 +64,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/ghc-pkg{,-*} rPx, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{bin}/groupadd rPx, @@ -118,9 +117,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files - @{user_pkg_dirs}/ r, - @{user_pkg_dirs}/**/ r, - @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, + @{user_pkg_dirs}/{,**} r, owner /var/lib/pacman/{,**} rwl, owner @{tmp}/alpm_@{rand6}/{,**} rw, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 1dac2be0..296074f5 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -23,8 +23,7 @@ profile ssh @{exec_path} { @{exec_path} mrix, - @{bin}/{,b,d,rb}ash rix, - @{bin}/{c,k,tc,z}sh rix, + @{bin}/@{shells} rUx, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 66e05b5e..a243069c 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch 
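Review bot: `@{user_pkg_dirs}/{,**} r` replaces rules that allowed reading only directories and `*.pkg.tar.zst{,.sig}` files, so pacman can now read any file under the user package dirs (build trees, source tarballs, `.SRCINFO`, keys) — a widening rather than a tidy-up, even if acceptable for a root-run package manager. If the narrower form was dropped because of other archive extensions, `@{user_pkg_dirs}/**.pkg.tar{,.*}{,.sig} r,` alongside the existing directory rules keeps the original intent. The `@{bin}/ghc-pkg{,-*} rPx` removal in the second hunk has no visible reason; a commit-message line would help.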
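Review bot: `@{bin}/@{shells} rUx` replaces the two `rix` rules, so any shell ssh spawns (ProxyCommand, LocalCommand, Match exec) now runs fully unconfined instead of inheriting the ssh profile, and those commands come from user-supplied `ssh_config` files, so the client's confinement stops at that boundary. If that is intended, a comment such as `# ProxyCommand/LocalCommand run arbitrary user-configured commands` on the rule makes the decision visible, and `rPUx` would at least pick up a shell profile should one ever be added. `rUx` also scrubs the glibc-unsafe environment variables (e.g. `LD_PRELOAD`) on the transition, unlike the previous `rix`, which may change behaviour for a ProxyCommand that depends on them.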
@@ -12,7 +12,7 @@ profile ssh-agent-launch @{exec_path} { @{exec_path} mr, - @{bin}/{,z,ba,da}sh rix, + @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, @{bin}/grep rix, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index 75934102..66cc3586 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -35,16 +35,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { member=GetManagedObjects peer=(name=:*, label=pulseaudio), - dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/* - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), - - dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile} - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved diff --git a/apparmor.d/profiles-a-f/cemu b/apparmor.d/profiles-a-f/cemu index 44d4098d..40920ebd 100644 --- a/apparmor.d/profiles-a-f/cemu +++ b/apparmor.d/profiles-a-f/cemu @@ -29,18 +29,18 @@ profile cemu @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/Cemu/{,**} rw, owner @{user_share_dirs}/Cemu/{,**} rw, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/statm r, - - owner @{sys}/class/ r, + @{sys}/class/ r, @{sys}/class/input/ r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/statm r, + /dev/input/ r, /dev/input/event@{int} rw, /dev/input/js@{int} rw, 
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 6d836c63..4ebe8e46 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -41,7 +41,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/update-secureboot-policy rPUx, @{bin}/zstd rix, - @{lib}/gcc/@{multiarch}/@{int}*/* rix, + @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 8a2ffb79..af7fbd4d 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -101,9 +101,11 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio - deny @{user_share_dirs}/gvfs-metadata/* r, - deny /dev/shm/.org.chromium.Chromium* rw, deny owner @{code_config_dirs}/** rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, + deny /usr/share/nvidia/nvidia-application-profiles-* r, + deny /dev/shm/.org.chromium.Chromium* rw, profile gpg flags=(attach_disconnected) { include @@ -163,11 +165,11 @@ profile git @{exec_path} flags=(attach_disconnected) { profile editor flags=(attach_disconnected) { include include - + owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/@{int} rw, owner @{user_projects_dirs}/**/.git/*MSG rw, - + # The git repository files owner @{user_build_dirs}/ r, owner @{user_build_dirs}/** rw, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index da5566f9..5dbce6ae 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd 
@@ -22,6 +22,7 @@ profile gitstatusd @{exec_path} { deny capability dac_read_search, deny capability dac_override, deny owner @{HOME}/.*-store/{,**} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index b3717224..81c52aa1 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,6 +4,12 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only +# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile +# Possible confinement depending of profile architecture: +# - As rix, +# - As rCx -> run-parts, +# - As rPx -> foo-run-parts, + abi , include diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 97100f32..5fc2d65c 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -10,43 +10,30 @@ include @{exec_path} = @{bin}/runuser profile runuser @{exec_path} { include - include include + include include include - # To remove the following errors: - # runuser: cannot set user id: Operation not permitted capability setuid, - - # To remove the following errrors: - # runuser: cannot set groups: Operation not permitted capability setgid, - - # To write records to the kernel auditing log. capability audit_write, - - # Needed? (#FIXME#) capability sys_resource, network netlink raw, @{exec_path} mr, - # Shells to use - @{bin}/{,b,d,rb}ash rpux, - @{bin}/{c,k,tc,z}sh rpux, - - owner @{PROC}/@{pid}/loginuid r, - @{PROC}/1/limits r, + @{bin}/@{shells} rUx, @{etc_ro}/security/limits.d/ r, - /etc/default/runuser r, - # file_inherit owner @{tmp}/debian-security-support.postinst.*/output w, + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 511f32a9..0fe00bc2 100644 --- a/apparmor.d/profiles-s-z/speedtest 
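Review bot: `/etc/default/runuser r` is removed although util-linux runuser reads that file when it exists, so on systems that ship it this will appear as a denial; if the removal is deliberate, a comment should say why. The shell rules move from `rpux` (try a shell profile, fall back to unconfined, no environment scrubbing) to `rUx`, which never consults a shell profile and does scrub the glibc-unsafe variables on the transition — a behaviour change for callers relying on `LD_LIBRARY_PATH` across runuser, worth a note. The removed comments were the only explanation of why `setuid`, `setgid` and `audit_write` are granted and that `sys_resource` is unverified; a condensed version, e.g. `# setuid/setgid: switch user and groups, audit_write: kernel audit records, sys_resource: needed? (#FIXME#)`, would preserve that knowledge.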
+++ b/apparmor.d/profiles-s-z/speedtest @@ -12,6 +12,7 @@ profile speedtest @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -26,12 +27,10 @@ profile speedtest @{exec_path} { @{bin}/file rix, @{bin}/uname rix, - owner @{PROC}/@{pid}/fd/ r, - - /usr/local/lib/python*/dist-packages/ r, - /etc/magic r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index 1847c93d..87afa46e 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -17,10 +17,8 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{exec_path} mr, - @{lib}/gconv/gconv-modules r, - - owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/cap_last_cap r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 36f4c988..7346ebd6 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -16,7 +16,7 @@ profile ss @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace (read), # unconfined, TODO + ptrace read, network netlink raw, 
@@ -27,21 +27,20 @@ profile ss @{exec_path} { owner @{tmp}/*.ss rw, owner @{HOME}/*.ss rw, + @{sys}/fs/cgroup/{,**/} r, + @{PROC} r, - @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/net/sockstat r, - owner @{PROC}/@{pids}/net/snmp r, - owner @{PROC}/@{pids}/net/unix r, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + owner @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/net/raw r, + owner @{PROC}/@{pids}/net/snmp r, + owner @{PROC}/@{pids}/net/sockstat r, owner @{PROC}/@{pids}/net/tcp r, owner @{PROC}/@{pids}/net/udp r, - - # [e]xtended - owner @{PROC}/@{pids}/mounts r, - @{sys}/fs/cgroup/{,**/} r, + owner @{PROC}/@{pids}/net/unix r, include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 82deb0d6..d8e0a50c 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -54,7 +54,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace read, ptrace trace peer=steam, - signal send peer=steam-game, + signal send peer=steam-game-{native,proton}, signal send peer=steam-launcher, signal send peer=steam//journalctl, signal send peer=steam//web, diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch index 11c7b76b..b1d820d8 100644 --- a/apparmor.d/profiles-s-z/steam-launch +++ b/apparmor.d/profiles-s-z/steam-launch @@ -34,7 +34,7 @@ profile steam-launch @{exec_path} { @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, - @{runtime_dirs}/@{arch}/steam-runtime-steam-remote rPUx, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, /usr/ r, /usr/local/ r, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote new file mode 100644 index 00000000..4f256ef2 --- /dev/null +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote 
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ + +@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote +profile steam-runtime-steam-remote @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + @{runtime_dirs}/** rm, + + owner @{HOME}/.steam/steam.pipe rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 4dd41a7b..31508b64 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -17,7 +17,8 @@ profile uname @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, deny network, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 5b42ab82..3705f0ba 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -35,7 +35,6 @@ profile vipw-vigr @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - profile editor { include include @@ -43,6 +42,8 @@ profile vipw-vigr @{exec_path} { capability fsetid, /etc/{passwd,shadow,gshadow,group}.edit rw, + + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/profiles-s-z/who index bed53e7e..54b4375b 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/profiles-s-z/who 
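Review bot: `@{runtime_dirs}/** rm` allows mapping every file under the Steam runtime tree as executable, including data files and scripts, when this helper presumably needs only the shared libraries it loads; `@{runtime_dirs}/**.so* rm,` would keep the mmap-exec surface closer to actual use — confirm against denials, since the runtime layout is not visible here. The profile starts in `complain` mode, so an over-broad rule produces no denial to catch; a comment noting what remains to be verified before enforcing would help. `@{runtime}` and `@{app_dirs}` are declared but not referenced anywhere in this profile and can be dropped unless a sibling profile expects them.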
@@ -19,6 +19,7 @@ profile who @{exec_path} { @{exec_path} mr, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists }