feat(profile): general update.

2024-11-14 23:43:56 +01:00 · 2024-07-06 23:46:06 +01:00 · 2024-07-06 23:46:06 +01:00 · d480156e09
commit d480156e09
parent 8b2434c0a5
20 changed files with 64 additions and 33 deletions
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@ -11,4 +11,6 @@
  owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
  owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw,

+  owner @{user_cache_dirs}/mesa_shader_cache/marker rw,
+
 # vim:syntax=apparmor
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -61,6 +61,11 @@ profile xdg-desktop-portal-gtk @{exec_path} {

  @{run}/mount/utab r,

+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
  owner @{PROC}/@{pid}/mountinfo r,

  include if exists <local/xdg-desktop-portal-gtk>
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -126,6 +126,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
    /usr/games/**                 PUx,

    /dev/tty rw,
+    /dev/tty@{int} rw,

    include if exists <usr/gnome-session-binary_open.d>
    include if exists <local/gnome-session-binary_open>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -339,6 +339,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/net/*/statistics/collisions r,
  @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -86,8 +86,8 @@ profile gnome-software @{exec_path} {
  owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
  owner @{user_share_dirs}/gnome-software/{,**} rw,

-  owner @{tmp}/ostree-gpg-*/ rw,
-  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
  owner @{tmp}/#@{int} rw,

  owner @{run}/user/@{uid}/.dbus-proxy/ rw,
@ -125,8 +125,8 @@ profile gnome-software @{exec_path} {
    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

          @{tmp}/ r,
-    owner @{tmp}/ostree-gpg-*/ r,
-    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/ r,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    owner @{run}/user/@{uid}/gnupg/ w,

--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@ -39,6 +39,13 @@ profile dirmngr @{exec_path} {
  owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
  owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw,

+  # FIXME: Needed by dirmngr@.service
+  owner /etc/pacman.d/gnupg/ rw,
+  owner /etc/pacman.d/gnupg/S.dirmngr rw,
+  owner /etc/pacman.d/gnupg/d.*/S.dirmngr rw,
+  owner /etc/pacman.d/gnupg/crls.d/ rw,
+  owner /etc/pacman.d/gnupg/crls.d/DIR.txt rw,
+
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  include if exists <local/dirmngr>
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -60,10 +60,10 @@ profile gpg @{exec_path} {
  owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,

  #aa:exclude ubuntu
-  owner @{tmp}/ostree-gpg-*/ r,
-  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner @{tmp}/ostree-gpg-@{rand6}/ r,
+  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

-  owner @{tmp}/tmp.[a-zA-Z0-9]* rw,
+  owner /tmp/@{int}@{int} rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@ -58,6 +58,13 @@ profile gpg-agent @{exec_path} {
  owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,

+  #aa:only pacman
+  owner /etc/pacman.d/gnupg/ rw,
+  owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
+  owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
+  owner /etc/pacman.d/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner /etc/pacman.d/gnupg/sshcontrol r,
+
  owner /var/lib/*/.gnupg/ rw,
  owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
  owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
@ -70,17 +77,12 @@ profile gpg-agent @{exec_path} {
  owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner /var/lib/*/gnupg/sshcontrol r,

+  #aa:only zypper
  owner /var/tmp/zypp.*/ rw,
  owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/ rw,
  owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw,
  owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw,

-  owner @{tmp}/tmp.*/gnupg/ rw,
-  owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw,
-  owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw,
-  owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
-  owner @{tmp}/tmp.*/gnupg/sshcontrol r,
-
  @{PROC}/@{pid}/fd/ r,

  # Silencer
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@ -71,7 +71,7 @@ profile DiscoverNotifier @{exec_path} {

          @{tmp}/ r,
    owner @{tmp}/ostree-gpg-@{rand6}/ r,
-    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    owner @{run}/user/@{uid}/gnupg/ w,

--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@ -86,8 +86,8 @@ profile plasma-discover @{exec_path} {
  owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/discover-@{rand6}/{,**} rw,
-  owner @{tmp}/ostree-gpg-*/ rw,
-  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

  owner @{run}/user/@{uid}/.flatpak-cache rw,
  owner @{run}/user/@{uid}/.flatpak/{,**} rw,
@ -108,8 +108,8 @@ profile plasma-discover @{exec_path} {

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

-    owner @{tmp}/ostree-gpg-*/ r,
-    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/ r,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    include if exists <local/plasma-discover_gpg>
  }
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -43,6 +43,8 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

+  owner /var/lib/systemd/network/ r,
+
  # To be able to read logs
  @{run}/log/ r,
  /{run,var}/log/journal/ r,
@ -60,8 +62,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  @{sys}/devices/**/net/**/uevent r,

-        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/1/cgroup r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/stat r,

--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -48,6 +48,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/homed.conf r,
  /etc/skel/{,**} r,

+  /var/cache/systemd/home/{,**} rw,
  /var/lib/systemd/home/{,**} rw,

  / r,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -53,6 +53,8 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/firmware/dmi/entries/*/raw r,

+  /dev/vsock r,
+
  include if exists <local/systemd-hostnamed>
 }

--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -52,6 +52,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {

  / r,

+  owner /var/lib/systemd/network/ r,
+
        @{run}/systemd/network/ r,
        @{run}/systemd/network/*.network r,
        @{run}/systemd/notify rw,
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@ -29,6 +29,9 @@ profile aa-enforce @{exec_path} {
  owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
  owner /var/lib/snapd/apparmor/{,**} rw,

+  /tmp/@{rand8} rw,
+  /tmp/apparmor-bugreport-@{rand8}.txt rw,
+
  owner @{PROC}/@{pid}/fd r,

  include if exists <local/aa-enforce>
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@ -34,6 +34,7 @@ profile agetty @{exec_path} {
  /etc/os-release r,
  /usr/etc/login.defs r,

+        @{run}/credentials/serial-getty@ttyS@{int}.service/ r,
  owner @{run}/agetty.reload rw,

        /dev/tty@{int}   rw,
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@ -70,7 +70,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain

        /tmp/#@{int} rw,
  owner /dev/shm/flatpak*/{,**} rw,
-  owner @{tmp}/ostree-gpg-*/{,**} rw,
+  owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,

        @{run}/.userns r,
        @{run}/user/@{uid}/.dbus-proxy/ w,
@ -107,8 +107,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

-    owner @{tmp}/ostree-gpg-*/ rw,
-    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/ rw,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    include if exists <local/flatpak_gpg>
  }
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@ -44,8 +44,8 @@ profile flatpak-system-helper @{exec_path} {
  /var/tmp/flatpak-cache-*/{,**} rw,

  owner /{var/,}tmp/#@{int} rw,
-  owner /{var/,}tmp/ostree-gpg-*/ rw,
-  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw,
+  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

        @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/fd/ r,
@ -62,8 +62,8 @@ profile flatpak-system-helper @{exec_path} {
    @{lib}/{,gnupg/}scdaemon rix,
    @{bin}/gpg-agent rix,

-    owner @{tmp}/ostree-gpg-*/ r,
-    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-@{rand6}/ r,
+    owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,

    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -43,16 +43,16 @@ profile spotify @{exec_path} {

  owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,

-  @{sys}/bus/ r,
-  @{sys}/bus/*/devices/ r,
-
-  @{PROC}/pressure/* r,
+        @{PROC}/pressure/* r,
+  owner @{PROC}/@{pid}/clear_refs w,

  /dev/tty rw,

-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  deny @{sys}/bus/ r,
+  deny @{sys}/bus/*/devices/ r,
  deny @{sys}/class/*/ r,
-  deny owner @{PROC}/@{pid}/clear_refs w,
+  deny @{sys}/devices/@{pci}/usb@{int}/** r,
+  deny @{user_share_dirs}/gvfs-metadata/* r,

  include if exists <local/spotify>
 }
--- a/docs/install.md
+++ b/docs/install.md
@ -6,7 +6,7 @@ title: Installation

    To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page.

-    After installation, you need to regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions).
+    After installation, you **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions).

 !!! danger