From cb30dcc4bc874f9745afe145191be5016df3122b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 15 Jul 2024 23:47:01 +0100
Subject: [PATCH] feat(profile): general update. see #416
---
 apparmor.d/groups/cron/crontab | 8 ++++----
 apparmor.d/groups/gnome/gnome-shell | 7 +++++--
 apparmor.d/groups/gnome/gsd-smartcard | 6 +++---
 apparmor.d/groups/network/dhcpcd | 14 +++----------
 apparmor.d/profiles-g-l/git | 2 +-
 apparmor.d/profiles-m-r/nft | 6 +++---
 apparmor.d/profiles-s-z/udisksd | 3 ++-
 7 files changed, 21 insertions(+), 25 deletions(-)
diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab
index c1fae96e..3490199a 100644
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@@ -25,6 +25,7 @@ profile crontab @{exec_path} {
 @{bin}/vim.* rCx -> editor,
 /etc/cron.{allow,deny} r,
+ /etc/pam.d/* r,
 /var/spool/cron/ r,
 /var/spool/cron/crontabs/ rw,
@@ -32,19 +33,18 @@ profile crontab @{exec_path} {
 owner @{tmp}/crontab.*/{,crontab} rw,
- profile editor {
 include include capability fsetid,
+ /etc/cron.{allow,deny} r,
+ /tmp/ r,
 owner @{tmp}/crontab.*/crontab rw,
- # file_inherit
- /etc/cron.{allow,deny} r,
-
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 5e469e62..4e36f102 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -218,6 +218,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /.flatpak-info r,
 /etc/fstab r,
 /etc/timezone r,
+ /etc/tpm2-tss/*.json r,
 /etc/udev/hwdb.bin r,
 /etc/xdg/menus/gnome-applications.menu r,
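Review bot: The `# file_inherit` comment that explained why the `editor` subprofile needs its own `/etc/cron.{allow,deny} r,` is dropped while the rule is kept and moved up next to the new `/tmp/ r,`, so the rule now reads as an unexplained duplicate of the parent's and is the first thing a later cleanup will remove. Keep the one-line rationale above the moved rule, e.g. `# file_inherit` as before, or spell it out as `# file_inherit: fd opened by crontab before the rCx transition to the editor` if that is what the audit log showed. The crontab profile continues outside the hunk.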
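Review bot: The new gnome-shell TPM rules are narrower than the ones the same commit gives gsd-smartcard: `/etc/tpm2-tss/*.json r,` here versus `/etc/tpm2-tss/* rk,` there, and in the next gnome-shell hunk `owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,` without the `{,.lock}` sidecar and the `k` permission. If gnome-shell loads the same tpm2-pkcs11 module (presumably for the smartcard unlock path) it will hit the same lock denials that motivated the gsd-smartcard change; `owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,` keeps the two profiles consistent. The widening of `@{XDG_WALLPAPERS_DIR}/{,**}` from `r` to `rw` in that hunk also deserves a short comment saying what gnome-shell writes there, since nothing in the commit records it.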
@@ -249,10 +250,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{HOME}/.face r,
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
- owner @{HOME}/.var/app/**/ r,
+ owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
 owner @{HOME}/.var/app/**.{png,jpg,svg} r,
+ owner @{HOME}/.var/app/**/ r,
 owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
 owner @{user_games_dirs}/**.{png,jpg,svg} r,
 owner @{user_music_dirs}/**.{png,jpg,svg} r,
@@ -282,6 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_cache_dirs}/vlc/**/*.jpg r,
 @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
+ owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
 owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index b0ff24b5..0f04ae12 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -31,16 +31,16 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /etc/{,opensc/}opensc.conf r,
- /etc/tpm2-tss/* r,
+ /etc/tpm2-tss/* rk,
 /var/tmp/ r,
 /tmp/ r,
- owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
+ owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
 owner @{GDM_HOME}/greeter-dconf-defaults r,
 owner @{gdm_config_dirs}/dconf/user r,
- owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
+ owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd
index e1b039ad..79b7283e 100644
--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
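Review bot: `tpm2_pkcs11.sqlite3{,.lock}` in the two gsd-smartcard rules covers the explicit lock file but not the sidecar files sqlite itself creates beside a database it writes to (`-journal` in the default rollback mode, `-wal` and `-shm` in WAL mode), so a write under this profile may still be denied on the journal. If the audit log shows those names, `owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock,-journal,-wal,-shm} rwk,` (and the same for the `@{GDM_HOME}` rule) covers the set; if the database is only ever read here, a comment saying so would explain why `w` is granted at all. The gsd-smartcard profile continues outside the hunk.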
@@ -39,20 +39,12 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
 @{bin}/sed rix,
 @{lib}/dhcpcd/dhcpcd-run-hooks rix,
- /var/lib/dhcpcd/*.lease{,6} rw,
- /var/lib/dhcpcd/secret rw,
- /etc/dhcpcd.conf r,
 /etc/resolv.conf rw,
- @{run}/dhcpcd/{.pid,pid} rwk,
- @{run}/dhcpcd/{.sock,sock} w,
- @{run}/dhcpcd/*.pid wk,
- @{run}/dhcpcd/*.sock w,
- @{run}/dhcpcd/hook-state/ rw,
- @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw,
- @{run}/dhcpcd/hook-state/resolv.conf/ rw,
- @{run}/dhcpcd/unpriv.sock w,
+ /var/lib/dhcpcd/** rw,
+
+ @{run}/dhcpcd/** rwk,
 @{run}/udev/data/n@{int} r,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index e0347900..ba37f7bc 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -24,7 +24,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
- signal (send) peer=aurpublish,
+ signal send peer=aurpublish,
 @{exec_path} mrix,
diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft
index 50ee826c..1255ca40 100644
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@@ -20,9 +20,9 @@ profile nft @{exec_path} {
 @{exec_path} mr,
- owner /etc/iproute2/** r,
-
- owner /etc/nftables/**.nft r,
+ /etc/iproute2/** r,
+ /etc/nftables.conf r,
+ /etc/nftables/{,**} r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 36504470..83561941 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
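Review bot: The two new globs `/var/lib/dhcpcd/** rw,` and `@{run}/dhcpcd/** rwk,` give up the only in-tree record of what this network-facing daemon actually writes (lease files, `secret`, pid and socket files, the hook-state tree) and will silently admit any new file a future dhcpcd release or a hook script drops under either directory. The widening is bounded to dhcpcd's own state directories, so it is defensible, but with a commit message of only "general update" the reason belongs in the profile, e.g. `# dhcpcd and its hooks create per-interface files under both directories; see #416` above the new rules. Note too that `@{run}/dhcpcd/**` does not match `@{run}/dhcpcd/` itself, so if dhcpcd creates that directory at start rather than relying on tmpfiles a separate `@{run}/dhcpcd/ rw,` rule is still needed; the dhcpcd profile continues outside the hunk, so it may already exist there.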
@@ -118,12 +118,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/ r,
 @{sys}/bus/pci/slots/ r,
+ @{sys}/bus/pci/slots/@{int}/address r,
 @{sys}/class/ r,
 @{sys}/class/nvme-subsystem/ r,
 @{sys}/class/nvme/ r,
- @{sys}/devices/@{pci}/uevent r,
 @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
 @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
+ @{sys}/devices/@{pci}/uevent r,
 @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
 @{sys}/devices/virtual/block/*/{,**} rw,
 @{sys}/devices/virtual/block/loop@{int}/uevent rw,