From d480156e09234252cfa67afa8060878e11ddcfea Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 6 Jul 2024 23:46:06 +0100
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/abstractions/mesa.d/complete | 2 ++
 .../groups/freedesktop/xdg-desktop-portal-gtk | 5 +++++
 apparmor.d/groups/gnome/gnome-session-binary | 1 +
 apparmor.d/groups/gnome/gnome-shell | 1 +
 apparmor.d/groups/gnome/gnome-software | 8 ++++----
 apparmor.d/groups/gpg/dirmngr | 7 +++++++
 apparmor.d/groups/gpg/gpg | 6 +++---
 apparmor.d/groups/gpg/gpg-agent | 14 ++++++++------
 apparmor.d/groups/kde/DiscoverNotifier | 2 +-
 apparmor.d/groups/kde/plasma-discover | 8 ++++----
 apparmor.d/groups/systemd/networkctl | 6 +++++-
 apparmor.d/groups/systemd/systemd-homed | 1 +
 apparmor.d/groups/systemd/systemd-hostnamed | 2 ++
 apparmor.d/groups/systemd/systemd-networkd | 2 ++
 apparmor.d/profiles-a-f/aa-enforce | 3 +++
 apparmor.d/profiles-a-f/agetty | 1 +
 apparmor.d/profiles-a-f/flatpak | 6 +++---
 apparmor.d/profiles-a-f/flatpak-system-helper | 8 ++++----
 apparmor.d/profiles-s-z/spotify | 12 ++++++------
 docs/install.md | 2 +-
 20 files changed, 64 insertions(+), 33 deletions(-)

diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index ed3306e4..976b6cc4 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -11,4 +11,6 @@
 owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw,
+ owner @{user_cache_dirs}/mesa_shader_cache/marker rw,
+
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index a06b898d..c21b955d 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
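Review bot: The new `owner @{user_cache_dirs}/mesa_shader_cache/marker rw,` rule in mesa.d/complete covers only the `marker` file, while the `@{desktop_cache_dirs}` pair just above it covers both `index` and `marker`; if mesa also keeps its `index` under `@{user_cache_dirs}`, that access will still be denied and a matching `owner @{user_cache_dirs}/mesa_shader_cache/index rw,` is needed. The hunk does not show why `@{desktop_cache_dirs}` fails to match this location, so a short comment above the rule saying which setup produces the path would save the next reader from re-deriving it.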
@@ -61,6 +61,11 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 @{run}/mount/utab r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
 owner @{PROC}/@{pid}/mountinfo r,
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 46a1b22d..c53f26eb 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -126,6 +126,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /usr/games/** PUx,
 /dev/tty rw,
+ /dev/tty@{int} rw,
 include if exists
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 8baf75c4..5e469e62 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -339,6 +339,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
 @{sys}/devices/**/power_supply/{,**} r,
 @{sys}/devices/platform/**/input@{int}/{properties,name} r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
 @{sys}/devices/virtual/net/*/statistics/collisions r,
 @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
 @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 9bdb0cfc..ddb95f1b 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
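Review bot: `/dev/tty@{int} rw,` in the gnome-session-binary hunk grants read/write on every virtual console, which is considerably broader than the `/dev/tty rw,` (controlling terminal only) it sits next to, and the hunk carries no comment saying which component needs it. If the session manager only needs the console it was started on, a comment recording that would let a later reviewer tighten the rule safely; something like `# Session VT access (confirm whether all consoles are really required)` above the rule is enough. The enclosing profile body continues outside the hunk.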
@@ -86,8 +86,8 @@ profile gnome-software @{exec_path} {
 owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
 owner @{user_share_dirs}/gnome-software/{,**} rw,
- owner @{tmp}/ostree-gpg-*/ rw,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 owner @{tmp}/#@{int} rw,
 owner @{run}/user/@{uid}/.dbus-proxy/ rw,
@@ -125,8 +125,8 @@ profile gnome-software @{exec_path} {
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
 @{tmp}/ r,
- owner @{tmp}/ostree-gpg-*/ r,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/ r,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 owner @{run}/user/@{uid}/gnupg/ w,
diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr
index d2afa346..a0c131bc 100644
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@@ -39,6 +39,13 @@ profile dirmngr @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
 owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw,
+ # FIXME: Needed by dirmngr@.service
+ owner /etc/pacman.d/gnupg/ rw,
+ owner /etc/pacman.d/gnupg/S.dirmngr rw,
+ owner /etc/pacman.d/gnupg/d.*/S.dirmngr rw,
+ owner /etc/pacman.d/gnupg/crls.d/ rw,
+ owner /etc/pacman.d/gnupg/crls.d/DIR.txt rw,
+
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 include if exists
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 4fcc8946..c108215f 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
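Review bot: The `/etc/pacman.d/gnupg/` block added to dirmngr is introduced only by a `# FIXME` comment, whereas the parallel block this same commit adds to gpg-agent is gated with `#aa:only pacman`; without that directive the root-keyring rules are compiled into the dirmngr profile on every distribution, not just pacman-based ones. Mark it the same way, `#aa:only pacman`, and keep the FIXME as a second comment line if the rules are still considered provisional. Note also that `owner /etc/pacman.d/gnupg/ rw,` grants write on the keyring directory itself; if that is only for creating the socket and the `crls.d` cache, the comment should say so, since write on a system keyring directory is the kind of rule a later audit will question.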
@@ -60,10 +60,10 @@ profile gpg @{exec_path} {
 owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
 #aa:exclude ubuntu
- owner @{tmp}/ostree-gpg-*/ r,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/ r,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
- owner @{tmp}/tmp.[a-zA-Z0-9]* rw,
+ owner /tmp/@{int}@{int} rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 336d491b..f7580a8a 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -58,6 +58,13 @@ profile gpg-agent @{exec_path} {
 owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
+ #aa:only pacman
+ owner /etc/pacman.d/gnupg/ rw,
+ owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
+ owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
+ owner /etc/pacman.d/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner /etc/pacman.d/gnupg/sshcontrol r,
+
 owner /var/lib/*/.gnupg/ rw,
 owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
 owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
@@ -70,17 +77,12 @@ profile gpg-agent @{exec_path} {
 owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner /var/lib/*/gnupg/sshcontrol r,
+ #aa:only zypper
 owner /var/tmp/zypp.*/ rw,
 owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/ rw,
 owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw,
 owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
- owner @{tmp}/tmp.*/gnupg/ rw,
- owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw,
- owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw,
- owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
- owner @{tmp}/tmp.*/gnupg/sshcontrol r,
-
 @{PROC}/@{pid}/fd/ r,
 # Silencer
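Review bot: The replacement rule `owner /tmp/@{int}@{int} rw,` in the gpg hunk is written against a literal `/tmp/` while every neighbouring rule, including the line it replaces, uses the `@{tmp}` variable, so it silently loses whatever additional locations `@{tmp}` expands to in this repository; `owner @{tmp}/@{int}@{int} rw,` keeps the block consistent. The rule also lacks a comment naming which caller writes purely numeric files into tmp, unlike the `#aa:exclude ubuntu` block just above it, and that makes it hard to judge whether `@{int}@{int}` is the intended width or just what one sample showed; a one-line comment identifying the caller (confirmed before it is written) would settle both questions. The gpg profile body continues outside the hunk.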
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 9b305e5f..db870bd8 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -71,7 +71,7 @@ profile DiscoverNotifier @{exec_path} {
 @{tmp}/ r,
 owner @{tmp}/ostree-gpg-@{rand6}/ r,
- owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 owner @{run}/user/@{uid}/gnupg/ w,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index 5d088402..54211045 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@@ -86,8 +86,8 @@ profile plasma-discover @{exec_path} {
 owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/discover-@{rand6}/{,**} rw,
- owner @{tmp}/ostree-gpg-*/ rw,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 owner @{run}/user/@{uid}/.flatpak-cache rw,
 owner @{run}/user/@{uid}/.flatpak/{,**} rw,
@@ -108,8 +108,8 @@ profile plasma-discover @{exec_path} {
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
- owner @{tmp}/ostree-gpg-*/ r,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/ r,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index f570d5ea..4c841e97 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -43,6 +43,8 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ owner /var/lib/systemd/network/ r,
+
 # To be able to read logs
 @{run}/log/ r,
 /{run,var}/log/journal/ r,
@@ -60,8 +62,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/net/**/uevent r,
- @{PROC}/sys/kernel/random/boot_id r,
 @{PROC}/1/cgroup r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
index a9f9d7fb..2fae7144 100644
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@@ -48,6 +48,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/homed.conf r,
 /etc/skel/{,**} r,
+ /var/cache/systemd/home/{,**} rw,
 /var/lib/systemd/home/{,**} rw,
 / r,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 9686f186..39fcd988 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -53,6 +53,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 @{sys}/firmware/acpi/pm_profile r,
 @{sys}/firmware/dmi/entries/*/raw r,
+ /dev/vsock r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index d8ebf39b..18f1e6ab 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -52,6 +52,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 / r,
+ owner /var/lib/systemd/network/ r,
+
 @{run}/systemd/network/ r,
 @{run}/systemd/network/*.network r,
 @{run}/systemd/notify rw,
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce
index a6f3d2b9..2028e713 100644
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
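Review bot: `/dev/vsock r,` in the systemd-hostnamed hunk is added with no comment, and a device node in a hostname daemon's profile is the kind of rule that gets removed as an oversight during a later cleanup. Presumably it is there so hostnamed can query the local VM socket identifier it exposes over D-Bus in recent systemd versions, but that should be confirmed against the daemon rather than assumed; once confirmed, a line such as `# Local vsock CID lookup (confirm against systemd version in use)` above the rule records the reason.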
@@ -29,6 +29,9 @@ profile aa-enforce @{exec_path} {
 owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
 owner /var/lib/snapd/apparmor/{,**} rw,
+ /tmp/@{rand8} rw,
+ /tmp/apparmor-bugreport-@{rand8}.txt rw,
+
 owner @{PROC}/@{pid}/fd r,
 include if exists
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index c15748c6..c1436f9a 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -34,6 +34,7 @@ profile agetty @{exec_path} {
 /etc/os-release r,
 /usr/etc/login.defs r,
+ @{run}/credentials/serial-getty@ttyS@{int}.service/ r,
 owner @{run}/agetty.reload rw,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index 4d3220a0..8722612d 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -70,7 +70,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 /tmp/#@{int} rw,
 owner /dev/shm/flatpak*/{,**} rw,
- owner @{tmp}/ostree-gpg-*/{,**} rw,
+ owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,
 @{run}/.userns r,
 @{run}/user/@{uid}/.dbus-proxy/ w,
@@ -107,8 +107,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
- owner @{tmp}/ostree-gpg-*/ rw,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 81a1231c..a2141b11 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
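Review bot: The two new `/tmp/` rules in the aa-enforce hunk are the only rules in the block without the `owner` qualifier, and since aa-enforce is normally run as root, `/tmp/@{rand8} rw,` lets it open any eight-character-named entry in a world-writable directory regardless of who created it — exactly the shared-tmp exposure that `owner` is meant to limit for a privileged tool. Prefix both with `owner` and use the `@{tmp}` variable like the rest of the repository: `owner @{tmp}/@{rand8} rw,` and `owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,`. A short comment on what produces the bug-report file (presumably the crash handler of the AppArmor Python tools, but confirm) would also help, since the name does not obviously belong to aa-enforce itself.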
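Review bot: The new credentials rule in the agetty hunk matches only `serial-getty@ttyS@{int}.service` and grants `r` on the directory alone, so if agetty is also started from the console `getty@tty@{int}.service` (the profile already allows `/dev/tty@{int} rw`) or actually reads the credential files inside that directory, those accesses will still be denied. If restricting it to serial units and to the directory listing is deliberate, say so in a comment; otherwise, assuming systemd does hand credentials to both unit templates (confirm against the units on the target system), a single rule such as `@{run}/credentials/{serial-getty@ttyS,getty@tty}@{int}.service/{,*} r,` covers both. The agetty profile body continues outside the hunk.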
@@ -44,8 +44,8 @@ profile flatpak-system-helper @{exec_path} {
 /var/tmp/flatpak-cache-*/{,**} rw,
 owner /{var/,}tmp/#@{int} rw,
- owner /{var/,}tmp/ostree-gpg-*/ rw,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
@@ -62,8 +62,8 @@ profile flatpak-system-helper @{exec_path} {
 @{lib}/{,gnupg/}scdaemon rix,
 @{bin}/gpg-agent rix,
- owner @{tmp}/ostree-gpg-*/ r,
- owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-@{rand6}/ r,
+ owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index db2e7ebe..ef939ef0 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -43,16 +43,16 @@ profile spotify @{exec_path} {
 owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
- @{sys}/bus/ r,
- @{sys}/bus/*/devices/ r,
-
- @{PROC}/pressure/* r,
+ @{PROC}/pressure/* r,
+ owner @{PROC}/@{pid}/clear_refs w,
 /dev/tty rw,
- deny @{user_share_dirs}/gvfs-metadata/* r,
+ deny @{sys}/bus/ r,
+ deny @{sys}/bus/*/devices/ r,
 deny @{sys}/class/*/ r,
- deny owner @{PROC}/@{pid}/clear_refs w,
+ deny @{sys}/devices/@{pci}/usb@{int}/** r,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
 include if exists
 }
diff --git a/docs/install.md b/docs/install.md
index bf6e65fc..c0807234 100644
--- a/docs/install.md
+++ b/docs/install.md
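Review bot: `owner @{PROC}/@{pid}/clear_refs w,` in the spotify hunk turns what was a `deny` silencer for the same path into an allow, and nothing in the hunk says why the earlier decision was reversed, so the next person to see the write in an audit log has no way to tell whether it was found to be required or merely tolerated. A write to a process's own `clear_refs` only resets page-reference bookkeeping for that process, so the access itself is low risk; the gap is documentation. Presumably the writer is the embedded Chromium runtime, given the `.org.chromium.Chromium.@{rand6}` rule just above, but that should be confirmed before a comment such as `# Page-reference reset by the embedded browser engine (confirm caller)` is added above the rule.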
@@ -6,7 +6,7 @@ title: Installation
 To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page.
- After installation, you need to regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions).
+ After installation, you **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions).
 !!! danger