From d6b7bef89ea833cc86835899699c68322d8098f6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 2 Oct 2024 14:19:26 +0100
Subject: [PATCH] feat(profile): enable abi 4 rules by default.

---
 apparmor.d/abstractions/app/chromium | 2 +-
 apparmor.d/abstractions/app/firefox | 2 +-
 apparmor.d/abstractions/common/bwrap | 2 +-
 apparmor.d/abstractions/common/chromium | 2 +-
 apparmor.d/abstractions/common/electron | 2 +-
 apparmor.d/groups/gnome/nautilus | 2 +-
 apparmor.d/groups/kde/plasmashell | 2 +-
 apparmor.d/groups/systemd/systemd-coredump | 2 +-
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 apparmor.d/groups/ubuntu/package-system-locked | 2 +-
 apparmor.d/groups/virt/virtiofsd | 2 +-
 apparmor.d/profiles-a-f/flatpak | 2 +-
 apparmor.d/profiles-g-l/lvm | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 0aa8f5ef..81d37113 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -43,7 +43,7 @@
 include
 include
- # userns,
+ userns,
 capability setgid,
 capability setuid,
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 23a91593..c94ef847 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -30,7 +30,7 @@
 include
 include
- # userns,
+ userns,
 capability sys_admin, # If kernel.unprivileged_userns_clone = 1
 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index a73626bb..711117f6 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -7,7 +7,7 @@
 # - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'
- # userns,
+ userns,
 capability net_admin,
 capability setpcap,
diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium
index 28effd76..cad07669 100644
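Review bot: Now that `userns,` is granted unconditionally in the app/chromium hunk (and likewise in app/firefox, common/bwrap, common/chromium, common/electron, plasmashell, systemd-coredump, virtiofsd and flatpak), the adjacent context lines such as `capability sys_admin, # If kernel.unprivileged_userns_clone = 1` in firefox, common/chromium and electron read as though the namespace grant were still tied to that sysctl, so the trailing comment should be reworded to say what the capability is for, e.g. `capability sys_admin, # user namespace setup for the sandbox`, or dropped. Because `userns` and `mqueue` (nautilus, systemd-logind, package-system-locked, lvm) are ABI 4 keywords, a parser without that support rejects the whole profile once the comment marker is gone; the title implies the downgrade is now handled at build time, but nothing in these hunks shows it, so it is worth confirming that whichever step does it covers both keywords in abstractions as well as in profiles. The `include` context lines have lost their `<...>` targets in this rendering, so the enclosing scope of each hunk cannot be checked from here.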
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@@ -6,7 +6,7 @@
 # This abstraction is for chromium based application. Chromium based browsers
 # need to use abstractions/chromium instead.
- # userns,
+ userns,
 capability setgid, # If kernel.unprivileged_userns_clone = 1
 capability setuid, # If kernel.unprivileged_userns_clone = 1
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index 9cf48071..da792131 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@@ -18,7 +18,7 @@
 include
 include
- # userns,
+ userns,
 capability setgid, # If kernel.unprivileged_userns_clone = 1
 capability setuid, # If kernel.unprivileged_userns_clone = 1
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index ccaf5d6f..e4990a3e 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -26,7 +26,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
- # mqueue r type=posix /,
+ mqueue r type=posix /,
 #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions}
 #aa:dbus own bus=session name=org.freedesktop.FileManager1
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 89e0dfea..a7bde918 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -28,7 +28,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 include
 include
- # userns,
+ userns,
 capability sys_ptrace,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 8c90be6f..2e841dc5 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -13,7 +13,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 include
 include
- # userns,
+ userns,
 capability dac_override,
 capability dac_read_search,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index f4628c01..53dd0acf 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -27,7 +27,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- # mqueue r type=posix /,
+ mqueue r type=posix /,
 unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system,
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked
index f4e04097..7398fc40 100644
--- a/apparmor.d/groups/ubuntu/package-system-locked
+++ b/apparmor.d/groups/ubuntu/package-system-locked
@@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
 network inet dgram,
 network inet6 dgram,
- # mqueue r type=posix /,
+ mqueue r type=posix /,
 ptrace (read),
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index 7389119b..905e2c17 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@@ -10,7 +10,7 @@ include
 profile virtiofsd @{exec_path} {
 include
- # userns,
+ userns,
 capability chown,
 capability dac_override,
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index 05873c4e..b38a0353 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -18,7 +18,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 include
 include
- # userns,
+ userns,
 capability dac_override,
 capability dac_read_search,
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index e579d7a9..cff4ce18 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -23,7 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
- # mqueue r type=posix /,
+ mqueue r type=posix /,
 @{exec_path} rm,