From d864f5c97542952945357ae1915240e8a40f0d7c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 12 Jul 2024 20:08:58 +0100
Subject: [PATCH] feat(profile): improve general integration

See #407
---
 apparmor.d/groups/freedesktop/xdg-user-dir | 5 +++--
 apparmor.d/groups/freedesktop/xhost | 2 +-
 .../groups/systemd/systemd-generator-fstab | 1 +
 .../systemd/systemd-generator-user-autostart | 2 ++
 apparmor.d/groups/systemd/systemd-machined | 3 +++
 apparmor.d/profiles-a-f/dunst | 3 +++
 apparmor.d/profiles-g-l/id | 2 +-
 apparmor.d/profiles-g-l/lspci | 1 +
 apparmor.d/profiles-m-r/nemo | 18 +++++++++++++++++-
 apparmor.d/profiles-m-r/pkexec | 11 ++++-------
 apparmor.d/profiles-m-r/run-parts | 13 ++++++++++---
 apparmor.d/profiles-s-z/strawberry | 3 ++-
 apparmor.d/profiles-s-z/virt-manager | 4 ++++
 dists/flags/main.flags | 1 +
 14 files changed, 53 insertions(+), 16 deletions(-)

diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir
index fa52d6f5..47184420 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dir
+++ b/apparmor.d/groups/freedesktop/xdg-user-dir
@@ -9,11 +9,12 @@ include
 @{exec_path} = @{bin}/xdg-user-dir
 profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
 include
+ include
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/env rix,
+ @{sh_path} rix,
+ @{bin}/env rix,
 owner @{user_config_dirs}/user-dirs.dirs r,
diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost
index 467a92e0..26b1bc59 100644
--- a/apparmor.d/groups/freedesktop/xhost
+++ b/apparmor.d/groups/freedesktop/xhost
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/xhost
-profile xhost @{exec_path} {
+profile xhost @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab
index 075c5c6a..a1510030 100644
--- a/apparmor.d/groups/systemd/systemd-generator-fstab
+++ b/apparmor.d/groups/systemd/systemd-generator-fstab
@@ -13,6 +13,7 @@ profile systemd-generator-fstab @{exec_path} {
 capability dac_override,
 capability dac_read_search,
+ capability mknod,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart
index 95dab202..8ca09d56 100644
--- a/apparmor.d/groups/systemd/systemd-generator-user-autostart
+++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart
@@ -16,6 +16,8 @@ profile systemd-generator-user-autostart @{exec_path} {
 @{exec_path} mr,
+ @{system_share_dirs}/applications/*.desktop r,
+ @{etc_ro}/xdg/autostart/{,*.desktop} r,
 owner @{user_config_dirs}/autostart/{,*.desktop} r,
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index 512fdde8..cb0eab79 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -49,6 +49,9 @@ profile systemd-machined @{exec_path} {
 @{PROC}/pressure/io r,
 @{PROC}/pressure/memory r,
+ /dev/ptmx rw,
+ /dev/pts/@{int} rw,
+ include if exists
 }
diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst
index 8fb89502..22065224 100644
--- a/apparmor.d/profiles-a-f/dunst
+++ b/apparmor.d/profiles-a-f/dunst
@@ -17,10 +17,13 @@ profile dunst @{exec_path} {
 @{exec_path} mr,
 /etc/xdg/dunst/dunstrc r,
+ owner @{user_config_dirs}/dunst/dunstrc r,
 owner @{HOME}/.Xauthority r,
+ owner /dev/shm/dunst-@{rand6} rw,
+ include if exists
 }
diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id
index 061313d4..6ba6001b 100644
--- a/apparmor.d/profiles-g-l/id
+++ b/apparmor.d/profiles-g-l/id
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/id
-profile id @{exec_path} {
+profile id @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci
index 0d6936d2..656597c1 100644
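Review bot: `capability mknod` is granted to systemd-generator-fstab with no comment recording which operation needs it, and creating device nodes is not something a unit generator is expected to do, so the motivating denial should be kept next to the rule, e.g. `# mknod: needed for <placeholder: operation seen in the audit log>`. The same capability is added to run-parts later in this patch, where it reaches further because every `rix` child (`@{sh_path}`, `@{bin}/anacron` and whatever they run) inherits the profile and with it the capability; if one specific child needs it, a dedicated profile for that child keeps mknod out of the interpreter. Both profile bodies continue outside their hunks.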
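Review bot: `/dev/pts/@{int} rw` covers every pseudo-terminal on the host, not only the one systemd-machined obtains through the `/dev/ptmx rw` rule above it, because the slave number is assigned at open time and cannot be narrowed in policy. That is probably unavoidable here, but a short comment such as `# pty pair handed to the container/shell client` (confirm against the denial that prompted it) would tell the next reader why a system daemon needs read-write access to arbitrary terminals. The profile body continues outside the hunk.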
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@@ -37,6 +37,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/@{pci}/** r,
 @{sys}/module/compression r,
+ @{PROC}/bus/pci/devices r,
 @{PROC}/cmdline r,
 @{PROC}/ioports r,
diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo
index 4021836e..a5185441 100644
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
@@ -11,15 +11,31 @@ include
 profile nemo @{exec_path} {
 include
 include
+ include
 include
 include
+ include
 network inet stream,
 network inet6 stream,
 @{exec_path} mr,
-# @{lib}/@{multiarch}/nemo/** mrix,
+ /usr/share/nemo/** r,
+
+ # Full access to user's data
+ / r,
+ /*/ r,
+ @{bin}/ r,
+ @{lib}/ r,
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
+ @{MOUNTS}/** rw,
+ owner @{HOME}/{,**} rw,
+ owner @{run}/user/@{uid}/{,**} rw,
+ owner @{tmp}/{,**} rw,
+
+ @{run}/mount/utab r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index 923d955a..49c762df 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -35,13 +35,10 @@ profile pkexec @{exec_path} {
 @{exec_path} mr,
- # Apps to be run via pkexec
- @{bin}/* rPUx,
- @{lib}/{,gvfs/}gvfsd-admin rPx,
- @{lib}/cc-remote-login-helper rPx,
- @{lib}/update-notifier/package-system-locked rPx,
- /usr/share/apport/apport-gtk rPx,
- #aa:exec polkit-agent-helper
+ @{bin}/* PUx,
+ @{lib}/** PUx,
+ /opt/*/** PUx,
+ /usr/share/** PUx,
 @{etc_ro}/environment r,
 @{etc_ro}/security/limits.d/{,*} r,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 18c70b24..f166e0fd 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -14,7 +14,9 @@ profile run-parts @{exec_path} {
 include
 include
- @{exec_path} mr,
+ capability mknod,
+
+ @{exec_path} mrix,
 @{sh_path} rix,
 @{bin}/anacron rix,
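Review bot: `@{MOUNTS}/** rw,` is the only rule in the new `# Full access to user's data` group without an `owner` qualifier, so nemo may write any file on any mounted volume whatever its uid, while `@{HOME}`, `@{run}/user/@{uid}` and `@{tmp}` stay owner-restricted. If the asymmetry is deliberate (removable media carrying foreign uids is the usual reason), a comment such as `# no owner: removable media may carry foreign uids` records it; if not, `owner @{MOUNTS}/** rw,` matches the rest of the group. It is also worth stating in that comment that `owner @{HOME}/{,**} rw` includes the user's configuration dotfiles, since that is the real scope of "user's data" here. The profile body continues outside the hunk.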
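Review bot: Replacing the curated `rPx` list with `@{bin}/* PUx`, `@{lib}/** PUx`, `/opt/*/** PUx` and `/usr/share/** PUx` lets any binary under those trees that has no profile run unconfined from pkexec, where previously only `@{bin}/*` had the unconfined fallback and the lib/share helpers were pinned to `Px`, which refuses the transition when no profile exists. Dropping `#aa:exec polkit-agent-helper` (which looks like a build directive generating the helper's exec rule, confirm) means the agent helper now also relies on the `@{lib}/**` fallback. Since pkexec is the privilege-elevation path, a comment stating that the fallback is intentional, e.g. `# PUx: pkexec targets are arbitrary; unprofiled ones run unconfined`, and keeping `Px` for the helpers the old rules transitioned that way (`gvfsd-admin`, `cc-remote-login-helper`, `package-system-locked`, `apport-gtk`) would retain the old guarantee where it costs nothing. The profile body continues outside the hunk.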
@@ -29,6 +31,7 @@ profile run-parts @{exec_path} {
 /etc/ r,
 /etc/anacrontab r,
 /etc/conf.d/snapper{,**} r,
+ /etc/default/* r,
 /etc/snapper/configs/root r,
 # Crontab
@@ -134,10 +137,14 @@ profile run-parts @{exec_path} {
 /usr/share/landscape/landscape-sysinfo.wrapper rPUx,
+ /root/ r,
+
+ /var/spool/anacron/cron.daily k,
+ owner @{tmp}/#@{int} rw,
- owner @{tmp}/$anacron* rw,
+ owner @{tmp}/$anacron@{rand6} rw,
 owner @{tmp}/file@{rand6} rw,
-
+ owner @{sys}/class/power_supply/ r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry
index db48ee10..484a4069 100644
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@@ -8,10 +8,11 @@ abi ,
 include
 @{exec_path} = @{bin}/strawberry
-profile strawberry @{exec_path} flags=(attach_disconnected) {
+profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 9fa13e50..c1bd7fbd 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -84,8 +84,12 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
 @{sys}/devices/virtual/drm/ttm/uevent r,
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
 @{PROC}/@{pids}/net/route r,
+ owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index bff50ba9..06eae76b 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -306,6 +306,7 @@ steam-launch attach_disconnected,complain
 steam-launcher attach_disconnected,complain
 steam-runtime attach_disconnected,complain
 steamerrorreporter attach_disconnected,complain
+strawberry attach_disconnected,mediate_deleted,complain
 sulogin complain
 switcherooctl complain
 swtpm complain