feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2023-02-19 17:42:05 +00:00
parent 4fe03b7417
commit d66a8fa082
14 changed files with 58 additions and 73 deletions


@ -2,7 +2,7 @@
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# For chromium based browser. If your application require chromium ro run # For chromium based browser. If your application requires chromium to run
# (like electron) use abstractions/chromium-common instead. # (like electron) use abstractions/chromium-common instead.
# This abstraction requires the following variables definied in the profile header: # This abstraction requires the following variables definied in the profile header:
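Review bot: The new side of the last header line still reads `variables definied in the profile header`, so one typo survives the hunk that fixes the line above it. Since this hunk is already correcting wording in this comment block, take it along: `# This abstraction requires the following variables defined in the profile header:`.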


@ -12,6 +12,7 @@
owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/{,**} r,
owner @{user_documents_dirs}/{,**} r, owner @{user_documents_dirs}/{,**} r,
owner @{user_games_dirs}/{,**} r,
owner @{user_music_dirs}/{,**} r, owner @{user_music_dirs}/{,**} r,
owner @{user_pictures_dirs}/{,**} r, owner @{user_pictures_dirs}/{,**} r,
owner @{user_projects_dirs}/{,**} r, owner @{user_projects_dirs}/{,**} r,
@ -20,6 +21,7 @@
owner @{user_templates_dirs}/{,**} r, owner @{user_templates_dirs}/{,**} r,
owner @{user_torrents_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r,
owner @{user_videos_dirs}/{,**} r, owner @{user_videos_dirs}/{,**} r,
owner @{user_vm_dirs}/{,**} r,
owner @{user_work_dirs}/{,**} r, owner @{user_work_dirs}/{,**} r,
include if exists <abstractions/user-read.d> include if exists <abstractions/user-read.d>
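Review bot: The two added rules reference `@{user_games_dirs}` and `@{user_vm_dirs}`, and none of the 14 files in this commit defines them, so unless both are already declared in the tunables every profile that includes this abstraction will fail to parse. The same two variables are added with `rwl` in the sibling abstraction hunk below (`@ -7,8 +7,10`), so any fix applies there too. Independently of parsing, a generic "user data" abstraction now exposes VM image directories to every consumer (read here, write and link in the sibling), and disk images typically carry guest credentials and keys; a header comment naming the tunables file these variables come from and stating that scope, e.g. `# Includes @{user_vm_dirs}: guest disk images become readable by every consumer`, would make that trade-off visible to profile authors.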


@ -7,8 +7,10 @@
owner @{user_books_dirs}/{,**} rwl, owner @{user_books_dirs}/{,**} rwl,
owner @{user_documents_dirs}/{,**} rwl, owner @{user_documents_dirs}/{,**} rwl,
owner @{user_games_dirs}/{,**} rwl,
owner @{user_music_dirs}/{,**} rwl, owner @{user_music_dirs}/{,**} rwl,
owner @{user_pictures_dirs}/{,**} rwl, owner @{user_pictures_dirs}/{,**} rwl,
owner @{user_projects_dirs}/{,**} rwl, owner @{user_projects_dirs}/{,**} rwl,
owner @{user_videos_dirs}/{,**} rwl, owner @{user_videos_dirs}/{,**} rwl,
owner @{user_vm_dirs}/{,**} rwl,
owner @{user_work_dirs}/{,**} rwl, owner @{user_work_dirs}/{,**} rwl,


@ -33,6 +33,9 @@ profile gnome-terminal-server @{exec_path} {
/{usr/,}bin/micro rPUx, /{usr/,}bin/micro rPUx,
/{usr/,}bin/nvtop rPx, /{usr/,}bin/nvtop rPx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/{,**} r, /usr/share/icu/{,**} r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
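Review bot: The two added `gio-launch-desktop` rules differ only in the directory prefix and both transition to `child-open`, and the file already uses empty alternation (`/{usr/,}`) for exactly this, so they can be one rule: `/{usr/,}lib/{@{multiarch}/glib-[0-9]*/,}gio-launch-desktop rPx -> child-open,`, provided the parser accepts the variable inside the alternation as it does elsewhere. Enforcement is unchanged by the merge. The `gnome-terminal-server` profile begins and ends outside this hunk.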


@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
/etc/machine-id r, /etc/machine-id r,
/etc/systemd/logind.conf r, /etc/systemd/logind.conf r,
/etc/systemd/sleep.conf r, /etc/systemd/sleep.conf r,
/etc/systemd/logind.conf.d/{,**} r,
/swapfile r, /swapfile r,
/boot/{,**} r, /boot/{,**} r,
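Review bot: The added drop-in rule covers only `/etc/systemd/logind.conf.d/`; if logind follows the usual systemd drop-in search order it also looks in `@{run}/systemd/logind.conf.d/` and `/{usr/,}lib/systemd/logind.conf.d/`, and the `sleep.conf` read one line above has no matching `sleep.conf.d/` rule, so a drop-in placed by a package rather than an administrator would still be denied. Consider `@{run}/systemd/logind.conf.d/{,**} r,`, `/{usr/,}lib/systemd/logind.conf.d/{,**} r,` and `/etc/systemd/sleep.conf.d/{,**} r,` beside the new line, and placing it directly under `logind.conf` so the list stays grouped. The `systemd-logind` profile continues outside this hunk.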


@ -19,7 +19,8 @@ profile fsck @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/e2fsck rPx, /{usr/,}{s,}bin/e2fsck rPx,
/{usr/,}{s,}bin/fsck.* rPx, /{usr/,}sbin/fsck.* rPx,
/{usr/,}bin/fsck.* rPx,
/etc/fstab r, /etc/fstab r,
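Review bot: The new pair `/{usr/,}sbin/fsck.* rPx,` and `/{usr/,}bin/fsck.* rPx,` matches exactly the set the removed `/{usr/,}{s,}bin/fsck.* rPx,` matched, with the same transition, so the split carries no enforcement change and reads as an accidental expansion. If it is there for the project's tooling or to let one of the two lines change later, a one-line comment saying so, e.g. `# Kept as two rules on purpose: <reason>`, would stop the next reader from merging them back. The `fsck` profile continues outside this hunk.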


@ -10,7 +10,7 @@ include <tunables/global>
profile fsck-ext4 @{exec_path} { profile fsck-ext4 @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
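Review bot: The new-side line `@{exec_path} rm,` spells the permission set differently from the rest of this commit, which writes `@{exec_path} mr,` in the fsck and ps hunks and `mrix` in kmod; the parser treats the two spellings alike, so `@{exec_path} mr,` would keep the profiles consistent at no cost. The `fsck-ext4` profile continues outside this hunk.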


@ -58,7 +58,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
dbus receive bus=system path=/ dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, member={GetAll,SetHints,GetPlugins,GetRemotes}
peer=(name=:*, label=fwupdmgr),
dbus bind bus=system dbus bind bus=system
name=org.freedesktop.fwupd, name=org.freedesktop.fwupd,
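Review bot: The widened member list sits on a rule whose interface is `org.freedesktop.DBus.Properties`, yet `SetHints`, `GetPlugins` and `GetRemotes` are, as far as their names indicate, methods of the `org.freedesktop.fwupd` interface, so calls to them from `fwupdmgr` would still not be matched by this rule. If that is the case they belong in a rule of their own, `dbus receive bus=system path=/ interface=org.freedesktop.fwupd member={SetHints,GetPlugins,GetRemotes} peer=(name=:*, label=fwupdmgr),`, with the Properties rule kept at `GetAll`. Pinning the peer to `label=fwupdmgr` on the new side is the right direction and should be kept on both rules. The `fwupd` profile continues outside this hunk.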


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -12,10 +13,7 @@ profile groupadd @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write, capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown, capability chown,
capability fsetid, capability fsetid,
@ -27,8 +25,8 @@ profile groupadd @{exec_path} {
/etc/login.defs r, /etc/login.defs r,
/etc/{group,gshadow} rw, /etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}- w, /etc/{group,gshadow}- w,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}+ rw, /etc/{group,gshadow}+ rw,
/etc/group.lock wl -> /etc/group.@{pid}, /etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid}, /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
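Review bot: The new side drops the rationale comments `# To write records to the kernel auditing log.` above `capability audit_write,` and `# To set the right permission to the files in the /etc/ dir.` above `capability chown,` without replacing them, so the profile no longer says why each capability is granted, which is precisely what a later reviewer needs when judging whether one can be dropped. The same removal happens in the nft hunk (`@ -11,7 +12,6`, `capability net_admin`), the ps hunk (`@ -1,66 +1,53`, the `*ns`/`attach_disconnected` explanation and the `/proc` error notes) and the useradd hunk (`@ -12,25 +13,12`, the whole home-directory and skel rationale for six capabilities). Keeping one short line above each capability, such as the removed `# To write records to the kernel auditing log.`, preserves that record while still allowing the reordering this commit does. The `groupadd` profile continues outside this hunk.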


@ -24,9 +24,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/false rix,
/{usr/,}{s,}bin/sysctl rPx, /{usr/,}{s,}bin/sysctl rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/false rix,
/{usr/,}bin/id rix,
/{usr/,}bin/true rix, /{usr/,}bin/true rix,
/{usr/,}lib/modprobe.d/{,*.conf} r, /{usr/,}lib/modprobe.d/{,*.conf} r,
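Review bot: The newly added `/{usr/,}bin/basename rix,` and `/{usr/,}bin/id rix,` run under kmod's own confinement, and nothing in the hunk says which caller needs them; presumably an `install`/`remove` command from a modprobe.d file, but that is inferred. A comment naming the trigger, e.g. `# Helpers spawned by modprobe.d install/remove commands`, would keep them from being pruned as unused later. Using `rix` rather than a profile transition keeps these helpers under kmod's rules, which is the appropriate choice for shell-driven hooks. The `kmod` profile continues outside this hunk.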


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-203 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -32,5 +32,7 @@ profile mandb @{exec_path} flags=(complain) {
/usr/share/**/man/man[0-9]*/*.[0-9]*.gz r, /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
owner @{user_share_dirs}/man/** rwk,
include if exists <local/mandb> include if exists <local/mandb>
} }
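Review bot: The rewritten copyright line on the new side reads `# Copyright (C) 2021-203 Alexandre Pujol <alexandre@pujol.io>`; the year range is missing a digit and should be `# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>`, matching the other headers updated in this commit. The `mandb` profile's opening lines lie outside the second hunk.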


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,7 +12,6 @@ profile nft @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To be able to run the nft command.
capability net_admin, capability net_admin,
network netlink raw, network netlink raw,
@ -24,9 +24,9 @@ profile nft @{exec_path} {
owner /etc/nftables/**.nft r, owner /etc/nftables/**.nft r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/nft> include if exists <local/nft>
} }


@ -1,66 +1,53 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# When any of the "*ns" parameters is used, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="ps" name="".
@{exec_path} = /{usr/,}bin/ps @{exec_path} = /{usr/,}bin/ps
profile ps @{exec_path} flags=(attach_disconnected) { profile ps @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search, capability dac_read_search,
capability sys_ptrace, capability sys_ptrace,
ptrace (read), ptrace (read),
@{exec_path} mr, @{exec_path} mr,
# The "/proc/" dir is needed to avoid the following error: @{run}/systemd/sessions/* r,
# error: can not access /proc
# The "stat" file is needed to avoid the following error: @{sys}/devices/system/node/ r,
# Error, do this: mount -t proc proc /proc @{sys}/devices/system/node/node[0-9]*/cpumap r,
# The "uptime" file is needed to avoid the following error: @{sys}/devices/system/node/node[0-9]*/meminfo r,
# Error: /proc must be mounted
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/statm r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/wchan r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r, @{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r, @{PROC}/tty/drivers r,
@{PROC}/uptime r, @{PROC}/uptime r,
@{run}/systemd/sessions/* r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/system/node/node[0-9]*/cpumap r,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -12,25 +13,12 @@ profile useradd @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To create a user home dir and give it proper permissions:
# mkdir("/home/user", 000) = 0
# chown("/home/user", 0, 0) = 0
# chmod("/home/user", 0755) = 0
# chown("/home/user/", 1001, 1001) = 0
# chmod("/home/user/", 0755) = 0
capability chown,
capability fowner,
# To set the set-group-ID bit for the user home dir.
capability fsetid,
# To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
# owner.
capability dac_read_search,
capability dac_override,
# To write records to the kernel auditing log.
capability audit_write, capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
network netlink raw, network netlink raw,
@ -40,21 +28,20 @@ profile useradd @{exec_path} {
/{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2, /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
/etc/default/useradd r,
/etc/login.defs r, /etc/login.defs r,
/etc/default/useradd r,
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/group.lock wl -> /etc/group.@{pid}, /etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid}, /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid}, /etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/subgid.lock wl -> /etc/subgid.@{pid}, /etc/subgid.lock wl -> /etc/subgid.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database. # modify the /etc/passwd or /etc/shadow password database.
@ -69,7 +56,6 @@ profile useradd @{exec_path} {
/var/lib/*/{,*} rw, /var/lib/*/{,*} rw,
/etc/skel/{,.*} r, /etc/skel/{,.*} r,
profile pam_tally2 { profile pam_tally2 {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>