From d66a8fa082ecab35ae71a70dfb2b6ca58d9c69fa Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Feb 2023 17:42:05 +0000
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/abstractions/chromium | 2 +-
 apparmor.d/abstractions/user-read | 2 +
 apparmor.d/abstractions/user-write.d/complete | 2 +
 apparmor.d/groups/gnome/gnome-terminal-server | 3 +
 apparmor.d/groups/systemd/systemd-logind | 1 +
 apparmor.d/profiles-a-f/fsck | 3 +-
 apparmor.d/profiles-a-f/fsck-ext4 | 2 +-
 apparmor.d/profiles-a-f/fwupd | 3 +-
 apparmor.d/profiles-g-l/groupadd | 6 +-
 apparmor.d/profiles-g-l/kmod | 6 +-
 apparmor.d/profiles-m-r/mandb | 4 +-
 apparmor.d/profiles-m-r/nft | 4 +-
 apparmor.d/profiles-m-r/ps | 57 +++++++------------
 apparmor.d/profiles-s-z/useradd | 36 ++++--------
 14 files changed, 58 insertions(+), 73 deletions(-)
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index d8710278..d16e9a8c 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# For chromium based browser. If your application require chromium ro run
+# For chromium based browser. If your application requires chromium to run
 # (like electron) use abstractions/chromium-common instead.
 # This abstraction requires the following variables definied in the profile header:
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index 0cb72292..007ae62b 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@@ -12,6 +12,7 @@
 owner @{user_books_dirs}/{,**} r,
 owner @{user_documents_dirs}/{,**} r,
+ owner @{user_games_dirs}/{,**} r,
 owner @{user_music_dirs}/{,**} r,
 owner @{user_pictures_dirs}/{,**} r,
 owner @{user_projects_dirs}/{,**} r,
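Review bot: `@{user_games_dirs}` and `@{user_vm_dirs}` are tunable names that do not appear anywhere else in this patch, and the tunables file that declares the other `@{user_*_dirs}` variables is not touched; unless both are already declared there, apparmor_parser will reject every profile that includes this abstraction. The same two variables are used in this file's second hunk and in abstractions/user-write.d/complete, so the breakage would be wide. If the declarations land in a separate commit, naming it in the commit message would make the dependency visible. Separately, if `@{user_vm_dirs}` holds VM disk images (which presumably carry guest credentials), granting read on them to every consumer of user-read is a noticeable widening of that abstraction; a narrower dedicated abstraction may be preferable if only a few profiles need it.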
@@ -20,6 +21,7 @@
 owner @{user_templates_dirs}/{,**} r,
 owner @{user_torrents_dirs}/{,**} r,
 owner @{user_videos_dirs}/{,**} r,
+ owner @{user_vm_dirs}/{,**} r,
 owner @{user_work_dirs}/{,**} r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete
index 56106725..2bddfa7f 100644
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
@@ -7,8 +7,10 @@
 owner @{user_books_dirs}/{,**} rwl,
 owner @{user_documents_dirs}/{,**} rwl,
+ owner @{user_games_dirs}/{,**} rwl,
 owner @{user_music_dirs}/{,**} rwl,
 owner @{user_pictures_dirs}/{,**} rwl,
 owner @{user_projects_dirs}/{,**} rwl,
 owner @{user_videos_dirs}/{,**} rwl,
+ owner @{user_vm_dirs}/{,**} rwl,
 owner @{user_work_dirs}/{,**} rwl,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 514480b5..2756fe36 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -33,6 +33,9 @@ profile gnome-terminal-server @{exec_path} {
 /{usr/,}bin/micro rPUx,
 /{usr/,}bin/nvtop rPx,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/icu/{,**} r,
 /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 6f56dfb9..a8be8aca 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 /etc/machine-id r,
 /etc/systemd/logind.conf r,
 /etc/systemd/sleep.conf r,
+ /etc/systemd/logind.conf.d/{,**} r,
 /swapfile r,
 /boot/{,**} r,
diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck
index 45a4c76a..89a64ffa 100644
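Review bot: The new `/etc/systemd/logind.conf.d/{,**} r,` is inserted after `sleep.conf` instead of directly below `/etc/systemd/logind.conf r,`, which breaks the file-then-drop-in grouping the surrounding list follows; moving it up one line keeps the drop-in directory next to the file it extends. systemd applies the same `*.conf.d/` drop-in convention to sleep.conf as far as I know, so a matching `/etc/systemd/sleep.conf.d/{,**} r,` is probably wanted as well, though nothing in the hunk shows whether it already exists elsewhere in the profile.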
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@@ -19,7 +19,8 @@ profile fsck @{exec_path} {
 @{exec_path} mr,
 /{usr/,}{s,}bin/e2fsck rPx,
- /{usr/,}{s,}bin/fsck.* rPx,
+ /{usr/,}sbin/fsck.* rPx,
+ /{usr/,}bin/fsck.* rPx,
 /etc/fstab r,
diff --git a/apparmor.d/profiles-a-f/fsck-ext4 b/apparmor.d/profiles-a-f/fsck-ext4
index aead4e49..8d552e0e 100644
--- a/apparmor.d/profiles-a-f/fsck-ext4
+++ b/apparmor.d/profiles-a-f/fsck-ext4
@@ -10,7 +10,7 @@ include
 profile fsck-ext4 @{exec_path} {
 include
- @{exec_path} r,
+ @{exec_path} rm,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 2bfc5924..ec120d25 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -58,7 +58,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 dbus receive bus=system path=/ interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ member={GetAll,SetHints,GetPlugins,GetRemotes}
+ peer=(name=:*, label=fwupdmgr),
 dbus bind bus=system name=org.freedesktop.fwupd,
diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd
index 3b254c15..ab926783 100644
--- a/apparmor.d/profiles-g-l/groupadd
+++ b/apparmor.d/profiles-g-l/groupadd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,10 +13,7 @@ profile groupadd @{exec_path} {
 include
 include
- # To write records to the kernel auditing log.
 capability audit_write,
-
- # To set the right permission to the files in the /etc/ dir.
 capability chown,
 capability fsetid,
@@ -27,8 +25,8 @@ profile groupadd @{exec_path} {
 /etc/login.defs r,
 /etc/{group,gshadow} rw,
- /etc/{group,gshadow}.@{pid} w,
 /etc/{group,gshadow}- w,
+ /etc/{group,gshadow}.@{pid} w,
 /etc/{group,gshadow}+ rw,
 /etc/group.lock wl -> /etc/group.@{pid},
 /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
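Review bot: The two new `fsck.*` rules match exactly the path set the removed `/{usr/,}{s,}bin/fsck.* rPx,` already covered, so nothing in the hunk says what the split is for. If it works around how the parser or the project's generators handle a nested alternation in a `Px` target, a comment such as `# split from {s,}bin: <reason>` above the two lines would stop the next cleanup from folding them back together. The profile body continues outside the hunk.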
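Review bot: `SetHints`, `GetPlugins` and `GetRemotes` are, as far as I know, methods of fwupd's own `org.freedesktop.fwupd` interface rather than of `org.freedesktop.DBus.Properties`, so the new `member={GetAll,SetHints,GetPlugins,GetRemotes}` list only ever matches `GetAll` under the interface this rule names and the other three calls stay denied unless a broader rule outside the hunk covers them. The added `peer=(name=:*, label=fwupdmgr)` also narrows the previously peer-agnostic `GetAll` receive to clients confined under the fwupdmgr profile, so other fwupd clients (gnome-software, gnome-firmware and the like) lose it unless another rule grants it. I would keep the Properties rule as it was and add a second rule for the daemon interface; the rule's first line sits above the hunk start, so the fence below repeats it for placement.
```apparmor
  dbus receive bus=system path=/
       interface=org.freedesktop.DBus.Properties
       member=GetAll,

  dbus receive bus=system path=/
       interface=org.freedesktop.fwupd
       member={SetHints,GetPlugins,GetRemotes}
       peer=(name=:*, label=fwupdmgr),

  # … unchanged: dbus bind rule …
```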
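Review bot: Dropping the comments that explained why `audit_write`, `chown` and `fsetid` are needed leaves the capability list with no rationale, and the same removal happens in the nft hunk (`net_admin`) and in the useradd hunk (`chown` through `fsetid`, including the traced mkdir/chown/chmod sequence). Capabilities are the rules most worth justifying in a profile, because they are what a reviewer checks when deciding whether one can be dropped. A trailing comment per line such as `capability audit_write,  # audit records for account changes` keeps the reasoning without the multi-line blocks; in particular the useradd strace excerpt is worth preserving in some form.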
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index d8d7d3d6..652101f8 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -24,9 +24,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/false rix,
 /{usr/,}{s,}bin/sysctl rPx,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/false rix,
+ /{usr/,}bin/id rix,
 /{usr/,}bin/true rix,
 /{usr/,}lib/modprobe.d/{,*.conf} r,
diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb
index 764778e1..25a26502 100644
--- a/apparmor.d/profiles-m-r/mandb
+++ b/apparmor.d/profiles-m-r/mandb
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-203 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -32,5 +32,7 @@ profile mandb @{exec_path} flags=(complain) {
 /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
+ owner @{user_share_dirs}/man/** rwk,
+ include if exists
 }
diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft
index 047a0863..eccf630c 100644
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,7 +12,6 @@ profile nft @{exec_path} {
 include
 include
- # To be able to run the nft command.
 capability net_admin,
 network netlink raw,
@@ -24,9 +24,9 @@ profile nft @{exec_path} {
 owner /etc/nftables/**.nft r,
- @{PROC}/sys/kernel/osrelease r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps
index 90ec3046..9233c5f5 100644
--- a/apparmor.d/profiles-m-r/ps
+++ b/apparmor.d/profiles-m-r/ps
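Review bot: `basename` and `id` are granted `rix`, so they run under kmod's full profile (including `attach_disconnected` and whatever capabilities the profile holds above this hunk); that is the usual choice for coreutils helpers, but nothing records what invokes them. They are presumably reached through modprobe.d `install`/`remove` hooks or a distro script, and a comment such as `# helpers spawned by modprobe.d hooks — TODO: name the script` above the `rix` group would make the next audit of this profile quicker. The enclosing profile starts before the hunk.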
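Review bot: The new header line `# Copyright (C) 2021-203 Alexandre Pujol` is missing a digit in the second year; it should presumably read `# Copyright (C) 2021-2023 Alexandre Pujol`, matching the nft and ps headers in this same patch. In the second hunk, `owner @{user_share_dirs}/man/** rwk,` covers the contents but not the `man/` directory itself, since `**` needs at least one path component; if mandb creates that directory on first run, `{,**}` is the form used elsewhere in this patch.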
@@ -1,66 +1,53 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-# When any of the "*ns" parameters is used, the following error will be printed:
-# "Failed name lookup - disconnected path" error=-13 profile="ps" name="".
 @{exec_path} = /{usr/,}bin/ps
 profile ps @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- # To be able to read the /proc/ files of all processes in the system.
 capability dac_read_search,
- capability sys_ptrace,
 ptrace (read),
 @{exec_path} mr,
- # The "/proc/" dir is needed to avoid the following error:
- # error: can not access /proc
- # The "stat" file is needed to avoid the following error:
- # Error, do this: mount -t proc proc /proc
- # The "uptime" file is needed to avoid the following error:
- # Error: /proc must be mounted
-
- @{PROC}/ r,
-
- @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/@{pids}/environ r,
- @{PROC}/@{pids}/task/ r,
- @{PROC}/@{pids}/task/@{tid}/stat r,
- @{PROC}/@{pids}/task/@{tid}/status r,
- @{PROC}/@{pids}/task/@{tid}/cmdline r,
-
- @{PROC}/@{pids}/wchan r,
- @{PROC}/@{pids}/attr/current r,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/statm r,
- @{PROC}/@{pids}/loginuid r,
-
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/pid_max r,
- @{PROC}/sys/vm/min_free_kbytes r,
- @{PROC}/tty/drivers r,
- @{PROC}/uptime r,
- @{run}/systemd/sessions/* r,
 @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/node[0-9]*/meminfo r,
 @{sys}/devices/system/node/node[0-9]*/cpumap r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pids}/attr/current r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pids}/loginuid r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/statm r,
+ @{PROC}/@{pids}/task/ r,
+ @{PROC}/@{pids}/task/@{tid}/cmdline r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/wchan r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/vm/min_free_kbytes r,
+ @{PROC}/tty/drivers r,
+ @{PROC}/uptime r,
 # file_inherit
- owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
+ owner /dev/tty[0-9]* rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd
index 6c464b77..c01b5339 100644
--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,25 +13,12 @@ profile useradd @{exec_path} {
 include
 include
- # To create a user home dir and give it proper permissions:
- # mkdir("/home/user", 000) = 0
- # chown("/home/user", 0, 0) = 0
- # chmod("/home/user", 0755) = 0
- # chown("/home/user/", 1001, 1001) = 0
- # chmod("/home/user/", 0755) = 0
- capability chown,
- capability fowner,
-
- # To set the set-group-ID bit for the user home dir.
- capability fsetid,
-
- # To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
- # owner.
- capability dac_read_search,
- capability dac_override,
-
- # To write records to the kernel auditing log.
 capability audit_write,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
 network netlink raw,
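Review bot: Removing `capability sys_ptrace,` while keeping `ptrace (read),` is only safe if ps is never expected to read other users' `/proc/@{pids}/environ` (the `e`/`eww` output options) when run as root: as far as I understand the kernel's check for that file, a target with a different uid requires CAP_SYS_PTRACE, which AppArmor mediates separately from the `ptrace` rule, so such reads would now log a capability denial. If the drop is deliberate least privilege, a comment such as `# sys_ptrace intentionally omitted: root `ps eww` on foreign processes is denied` would keep it from being quietly re-added after the next audit-log review; if it is not deliberate, the capability should come back. The hunk also deletes the comment explaining why `attach_disconnected` is set (the `*ns` output options); one line like `# attach_disconnected: needed for the *ns fields` preserves that context. The hunk's trailing context extends past what is shown here.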
@@ -40,21 +28,20 @@ profile useradd @{exec_path} {
 /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
+ /etc/default/useradd r,
 /etc/login.defs r,
- /etc/default/useradd r,
-
 /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
- /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
 /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
+ /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
 /etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
- /etc/passwd.lock wl -> /etc/passwd.@{pid},
- /etc/shadow.lock wl -> /etc/shadow.@{pid},
 /etc/group.lock wl -> /etc/group.@{pid},
 /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
- /etc/subuid.lock wl -> /etc/subuid.@{pid},
+ /etc/passwd.lock wl -> /etc/passwd.@{pid},
+ /etc/shadow.lock wl -> /etc/shadow.@{pid},
 /etc/subgid.lock wl -> /etc/subgid.@{pid},
+ /etc/subuid.lock wl -> /etc/subuid.@{pid},
 # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
 # modify the /etc/passwd or /etc/shadow password database.
@@ -69,7 +56,6 @@ profile useradd @{exec_path} {
 /var/lib/*/{,*} rw,
 /etc/skel/{,.*} r,
-
 profile pam_tally2 {
 include
 include