feat(profiles): general update.

2025-01-18 00:48:10 +01:00 · 2023-02-19 17:42:05 +00:00 · 2023-02-19 17:42:05 +00:00 · d66a8fa082
commit d66a8fa082
parent 4fe03b7417
14 changed files with 58 additions and 73 deletions
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@ -2,7 +2,7 @@
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# For chromium based browser. If your application require chromium ro run
+# For chromium based browser. If your application requires chromium to run
 # (like electron) use abstractions/chromium-common instead.

 # This abstraction requires the following variables definied in the profile header:
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@ -12,6 +12,7 @@

  owner @{user_books_dirs}/{,**} r,
  owner @{user_documents_dirs}/{,**} r,
+  owner @{user_games_dirs}/{,**} r,
  owner @{user_music_dirs}/{,**} r,
  owner @{user_pictures_dirs}/{,**} r,
  owner @{user_projects_dirs}/{,**} r,
@ -20,6 +21,7 @@
  owner @{user_templates_dirs}/{,**} r,
  owner @{user_torrents_dirs}/{,**} r,
  owner @{user_videos_dirs}/{,**} r,
+  owner @{user_vm_dirs}/{,**} r,
  owner @{user_work_dirs}/{,**} r,

  include if exists <abstractions/user-read.d>
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
@ -7,8 +7,10 @@

  owner @{user_books_dirs}/{,**} rwl,
  owner @{user_documents_dirs}/{,**} rwl,
+  owner @{user_games_dirs}/{,**} rwl,
  owner @{user_music_dirs}/{,**} rwl,
  owner @{user_pictures_dirs}/{,**} rwl,
  owner @{user_projects_dirs}/{,**} rwl,
  owner @{user_videos_dirs}/{,**} rwl,
+  owner @{user_vm_dirs}/{,**} rwl,
  owner @{user_work_dirs}/{,**} rwl,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -33,6 +33,9 @@ profile gnome-terminal-server @{exec_path} {
  /{usr/,}bin/micro               rPUx,
  /{usr/,}bin/nvtop                rPx,

+  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,
+
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icu/{,**} r,
  /usr/share/X11/xkb/{,**} r,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  /etc/machine-id r,
  /etc/systemd/logind.conf r,
  /etc/systemd/sleep.conf r,
+  /etc/systemd/logind.conf.d/{,**} r,

  /swapfile r,
  /boot/{,**} r,
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@ -19,7 +19,8 @@ profile fsck @{exec_path} {
  @{exec_path} mr,

  /{usr/,}{s,}bin/e2fsck rPx,
-  /{usr/,}{s,}bin/fsck.* rPx,
+  /{usr/,}sbin/fsck.* rPx,
+  /{usr/,}bin/fsck.* rPx,

  /etc/fstab r,

--- a/apparmor.d/profiles-a-f/fsck-ext4
+++ b/apparmor.d/profiles-a-f/fsck-ext4
@ -10,7 +10,7 @@ include <tunables/global>
 profile fsck-ext4 @{exec_path} {
  include <abstractions/base>

-  @{exec_path} r,
+  @{exec_path} rm,

  /{usr/,}bin/{,ba,da}sh rix,

--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -58,7 +58,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {

  dbus receive bus=system path=/
       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+       member={GetAll,SetHints,GetPlugins,GetRemotes}
+       peer=(name=:*, label=fwupdmgr),

  dbus bind bus=system
       name=org.freedesktop.fwupd,
--- a/apparmor.d/profiles-g-l/groupadd
+++ b/apparmor.d/profiles-g-l/groupadd
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -12,10 +13,7 @@ profile groupadd @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  # To write records to the kernel auditing log.
  capability audit_write,
-
-  # To set the right permission to the files in the /etc/ dir.
  capability chown,
  capability fsetid,

@ -27,8 +25,8 @@ profile groupadd @{exec_path} {
  /etc/login.defs r,

  /etc/{group,gshadow} rw,
-  /etc/{group,gshadow}.@{pid} w,
  /etc/{group,gshadow}- w,
+  /etc/{group,gshadow}.@{pid} w,
  /etc/{group,gshadow}+ rw,
  /etc/group.lock wl -> /etc/group.@{pid},
  /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@ -24,9 +24,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mrix,

-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/false       rix,
  /{usr/,}{s,}bin/sysctl  rPx,
+  /{usr/,}bin/{,ba,da}sh  rix,
+  /{usr/,}bin/basename    rix,
+  /{usr/,}bin/false       rix,
+  /{usr/,}bin/id          rix,
  /{usr/,}bin/true        rix,

  /{usr/,}lib/modprobe.d/{,*.conf} r,
--- a/apparmor.d/profiles-m-r/mandb
+++ b/apparmor.d/profiles-m-r/mandb
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-203 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -32,5 +32,7 @@ profile mandb @{exec_path} flags=(complain) {

  /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,

+  owner @{user_share_dirs}/man/** rwk,
+
  include if exists <local/mandb>
 }
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,7 +12,6 @@ profile nft @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

-  # To be able to run the nft command.
  capability net_admin,

  network netlink raw,
@ -24,9 +24,9 @@ profile nft @{exec_path} {

  owner /etc/nftables/**.nft r,

-  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,

  include if exists <local/nft>
 }
--- a/apparmor.d/profiles-m-r/ps
+++ b/apparmor.d/profiles-m-r/ps
@ -1,66 +1,53 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-# When any of the "*ns" parameters is used, the following error will be printed:
-#  "Failed name lookup - disconnected path" error=-13 profile="ps" name="".
@{exec_path} = /{usr/,}bin/ps
 profile ps @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  # To be able to read the /proc/ files of all processes in the system.
  capability dac_read_search,
-
  capability sys_ptrace,

  ptrace (read),

  @{exec_path} mr,

-  # The "/proc/" dir is needed to avoid the following error:
-  #  error: can not access /proc
-  # The "stat" file is needed to avoid the following error:
-  #  Error, do this: mount -t proc proc /proc
-  # The "uptime" file is needed to avoid the following error:
-  #  Error: /proc must be mounted
-
-       @{PROC}/ r,
-
-       @{PROC}/@{pids}/stat r,
-       @{PROC}/@{pids}/cmdline r,
-       @{PROC}/@{pids}/environ r,
-       @{PROC}/@{pids}/task/ r,
-       @{PROC}/@{pids}/task/@{tid}/stat r,
-       @{PROC}/@{pids}/task/@{tid}/status r,
-       @{PROC}/@{pids}/task/@{tid}/cmdline r,
-
-       @{PROC}/@{pids}/wchan r,
-       @{PROC}/@{pids}/attr/current r,
-       @{PROC}/@{pids}/cgroup r,
-       @{PROC}/@{pids}/statm r,
-       @{PROC}/@{pids}/loginuid r,
-
-       @{PROC}/sys/kernel/osrelease r,
-       @{PROC}/sys/kernel/pid_max r,
-       @{PROC}/sys/vm/min_free_kbytes r,
-       @{PROC}/tty/drivers r,
-       @{PROC}/uptime r,
-
  @{run}/systemd/sessions/* r,

  @{sys}/devices/system/node/ r,
-  @{sys}/devices/system/node/node[0-9]*/meminfo r,
  @{sys}/devices/system/node/node[0-9]*/cpumap r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+  @{PROC}/ r,
+  @{PROC}/@{pids}/attr/current r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/environ r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/statm r,
+  @{PROC}/@{pids}/task/ r,
+  @{PROC}/@{pids}/task/@{tid}/cmdline r,
+  @{PROC}/@{pids}/task/@{tid}/stat r,
+  @{PROC}/@{pids}/task/@{tid}/status r,
+  @{PROC}/@{pids}/wchan r,
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/sys/kernel/pid_max r,
+  @{PROC}/sys/vm/min_free_kbytes r,
+  @{PROC}/tty/drivers r,
+  @{PROC}/uptime r,

  # file_inherit
-  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
+  owner /dev/tty[0-9]* rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,

--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -12,25 +13,12 @@ profile useradd @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  # To create a user home dir and give it proper permissions:
-  #  mkdir("/home/user", 000)      = 0
-  #  chown("/home/user", 0, 0)     = 0
-  #  chmod("/home/user", 0755)     = 0
-  #  chown("/home/user/", 1001, 1001) = 0
-  #  chmod("/home/user/", 0755)    = 0
-  capability chown,
-  capability fowner,
-
-  # To set the set-group-ID bit for the user home dir.
-  capability fsetid,
-
-  # To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
-  # owner.
-  capability dac_read_search,
-  capability dac_override,
-
-  # To write records to the kernel auditing log.
  capability audit_write,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,

  network netlink raw,

@ -40,21 +28,20 @@ profile useradd @{exec_path} {

  /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,

+  /etc/default/useradd r,
  /etc/login.defs r,

-  /etc/default/useradd r,
-
  /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
-  /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
  /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
+  /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
  /etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,

-  /etc/passwd.lock  wl -> /etc/passwd.@{pid},
-  /etc/shadow.lock  wl -> /etc/shadow.@{pid},
  /etc/group.lock   wl -> /etc/group.@{pid},
  /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
-  /etc/subuid.lock  wl -> /etc/subuid.@{pid},
+  /etc/passwd.lock  wl -> /etc/passwd.@{pid},
+  /etc/shadow.lock  wl -> /etc/shadow.@{pid},
  /etc/subgid.lock  wl -> /etc/subgid.@{pid},
+  /etc/subuid.lock  wl -> /etc/subuid.@{pid},

  # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
  # modify the /etc/passwd or /etc/shadow password database.
@ -69,7 +56,6 @@ profile useradd @{exec_path} {
  /var/lib/*/{,*} rw,
  /etc/skel/{,.*} r,

-
  profile pam_tally2 {
    include <abstractions/base>
    include <abstractions/consoles>