diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index 14e3dfb7..385ded54 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -36,8 +36,6 @@
 @{bin}/sudo mr,
 @{lib}/sudo/** mr,
- @{etc_ro}/environment r,
- @{etc_ro}/security/limits.d/{,*} r,
 @{etc_ro}/sudo.conf r,
 @{etc_ro}/sudoers r,
 @{etc_ro}/sudoers.d/{,*} r,
@@ -53,8 +51,8 @@
 owner @{HOME}/.sudo_as_admin_successful rw,
 # yubikey support
- owner @{HOME}/.yubico/challenge-* rw,
 @{HOME}/.yubico/ r,
+ owner @{HOME}/.yubico/challenge-* rw,
 @{run}/faillock/ rw,
 @{run}/faillock/@{user} rwk,
diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl
index 38126c96..7857f992 100644
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@@ -8,9 +8,9 @@
 include
 include
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
- unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,
+ unix bind type=stream addr=@@{hex16}/bus/systemctl/,
 @{bin}/systemctl mr,
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index fca42427..b5b119d0 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -44,17 +44,16 @@
 owner /tmp/newroot/ w,
 owner /tmp/oldroot/ w,
+ @{PROC}/sys/kernel/overflowgid r,
+ @{PROC}/sys/kernel/overflowuid r,
 @{att}/@{PROC}/sys/user/max_user_namespaces rw,
 owner @{att}/@{PROC}/@{pid}/cgroup r,
+ owner @{att}/@{PROC}/@{pid}/fd/ r,
 owner @{att}/@{PROC}/@{pid}/gid_map rw,
 owner @{att}/@{PROC}/@{pid}/mountinfo r,
 owner @{att}/@{PROC}/@{pid}/setgroups rw,
 owner @{att}/@{PROC}/@{pid}/uid_map rw,
- @{PROC}/sys/kernel/overflowgid r,
- @{PROC}/sys/kernel/overflowuid r,
- owner @{PROC}/@{pid}/fd/ r,
-
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index a856cbd3..743dfaf2 100644
--- a/apparmor.d/abstractions/desktop
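Review bot: The two reads dropped in the first sudo hunk, `@{etc_ro}/environment r,` and `@{etc_ro}/security/limits.d/{,*} r,`, are the files pam_env and pam_limits open during a sudo session, and nothing in the hunk replaces them. If they now come from an abstraction included above the hunk that is fine, but it is not visible here; if not, sudo sessions will log denials on them. A short comment at the removal site naming where those reads moved (or the commit message saying so) would make the intent checkable.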
+++ b/apparmor.d/abstractions/desktop
@@ -52,7 +52,7 @@
 owner @{user_cache_dirs}/#@{int} rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
- owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
+ owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,
 owner @{user_config_dirs}/baloofilerc r,
 owner @{user_config_dirs}/dolphinrc r,
@@ -67,7 +67,7 @@
 # else if @{DE} == xfce
- /usr/share/xfce4/ r,
+ /usr/share/xfce{,4}/ r,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 143a6ea7..62e24b70 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@@ -76,7 +76,7 @@
 /dev/sr@{int} rk,
 # Lookup block device by major:minor numbers
- # See: https://apparmor.pujol.io/development/structure/#udev-rules
+ # See: https://apparmor.pujol.io/development/internal/#udev-rules
 @{sys}/block/ r,
 @{sys}/class/block/ r,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index de2adb33..1cf8869c 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -6,7 +6,7 @@
 abi ,
 @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
- @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
+ @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr,
 @{lib}/frei0r-@{int}/*.so mr,
 @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce
index 936504e7..3046c8f6 100644
--- a/apparmor.d/abstractions/xfce
+++ b/apparmor.d/abstractions/xfce
@@ -11,7 +11,7 @@
 include
 include
- /usr/share/xfce4/ r,
+ /usr/share/xfce{,4}/ r,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index bda678f8..6ef4e44e 100644
--- a/apparmor.d/groups/bus/dbus-system
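Review bot: The new ksycoca rule `owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,` only matches names that carry the `.@{rand6}` temporary suffix, so the suffix-less cache file that the old `ksycoca{5,6}_??_*` also covered no longer matches this rule. The `l` permission suggests the temporary file is linked or renamed into that final name, which then needs its own `rw` (and `k` if it is locked) unless a rule above the hunk already grants it. If the final name is covered elsewhere, a comment pointing to it would help; otherwise keep a second rule for `ksycoca{5,6}_??{_,-}*` without the suffix.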
+++ b/apparmor.d/groups/bus/dbus-system
@@ -16,7 +16,7 @@ include
 profile dbus-system flags=(attach_disconnected) {
 include
 include
- include
+ include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index e9bdfde1..17d26e3b 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -65,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/task/@{tid}/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 owner @{PROC}/@{pid}/task/@{tid}/status r,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 0daa7789..d4fa3dc1 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index a09f55c4..5e024adf 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -172,12 +172,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/sddm-auth* rw,
+ @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
+ @{run}/faillock/@{user} rwk,
 @{run}/sddm.pid rw,
 @{run}/sddm/\{@{uuid}\} rw,
 @{run}/sddm/#@{int} rw,
 @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
- @{run}/systemd/sessions/*.ref rw,
 @{run}/user/@{uid}/xauth_@{rand6} rwl,
 owner @{run}/sddm/ rw,
 owner @{run}/user/@{uid}/ r,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 55b5bda1..ee98720b 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -59,9 +59,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/@{uuid} rw,
 owner @{tmp}/talpid-openvpn-@{uuid} rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
- @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
 /dev/net/tun rw,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 82f935dc..a7a7bf22 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -47,14 +47,15 @@ profile aurpublish @{exec_path} {
 /etc/makepkg.conf r,
 /etc/makepkg.conf.d/{,**} r,
- owner @{user_build_dirs}/**/ w,
+ owner @{user_build_dirs}/{,**/} w,
 owner @{user_projects_dirs}/** r,
 owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
 owner @{user_projects_dirs}/**/.SRCINFO rw,
- owner @{user_cache_dirs}/makepkg/src/* rw,
+ owner @{user_cache_dirs}/makepkg/src/** rw,
 owner @{user_config_dirs}/pacman/makepkg.conf r,
+ owner /tmp/*/src/ w,
 owner @{tmp}/tmp.@{rand10} rw,
 /dev/tty rw,
@@ -64,14 +65,26 @@ profile aurpublish @{exec_path} {
 @{bin}/gpg{,2} mr,
 @{bin}/gpgconf mr,
+ @{bin}/gpg-agent rix,
+ @{lib}/{,gnupg/}scdaemon rix,
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
 owner @{user_cache_dirs}/makepkg/src/*.asc r,
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/gnupg/ r,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w,
+ owner @{tmp}/tmp.@{rand10} rw,
+ owner @{PROC}/@{pid}/fd/ r,
+ include if exists
 }
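Review bot: `owner /tmp/*/src/ w,` is the one rule in this aurpublish hunk that uses a bare `/tmp` wildcard instead of `@{tmp}` plus a named pattern: it grants create/write on a `src/` directory one level below any entry of /tmp, wider than the neighbouring `owner @{tmp}/tmp.@{rand10} rw,`. If this is makepkg's build directory, naming its actual parent (`/tmp/<builddir-name>/src/` with the real pattern in place of the placeholder) and using `@{tmp}` keeps the profile tight; if the parent really is arbitrary, a one-line comment saying so would justify the wildcard.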
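Review bot: `@{bin}/gpg-agent rix,` and `@{lib}/{,gnupg/}scdaemon rix,` run the agent and the smartcard daemon confined by this profile rather than their own, and gpg-agent is a long-lived daemon that stays up under aurpublish's rules after the publish is finished (the socket rules added below are the symptom). If the project's dedicated gpg-agent and scdaemon profiles are available, `@{bin}/gpg-agent rPx,` (and likewise for scdaemon) is the usual shape; if `ix` is deliberate for the auto-started agent, a short comment stating why would help. Note also that `owner @{tmp}/tmp.@{rand10} rw,` already appears in the previous hunk (old line 57), so if this hunk is still in the main profile rather than a child it is a duplicate; the enclosing block starts outside the hunk, so I cannot tell which scope this is.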
diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index 7c1a7d4b..5bf6c433 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -26,8 +26,9 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 /etc/acpi/{,**} r,
 /etc/acpi/handler.sh rix,
+ @{run}/acpid.socket w,
 owner @{run}/acpid.socket rw,
- owner @{run}/acpid.pid rw,
+ owner @{run}/acpid.pid rw,
 owner @{PROC}/@{pids}/fd/ r,
 owner @{PROC}/@{pids}/loginuid r,
diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc
index d23028a4..65f94463 100644
--- a/apparmor.d/profiles-a-f/dfc
+++ b/apparmor.d/profiles-a-f/dfc
@@ -12,9 +12,8 @@ profile dfc @{exec_path} {
 include
 include
- capability dac_read_search,
- # No visible effect
- deny capability dac_override,
+ capability dac_override,
+ capability dac_read_search,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 5e8a3ea0..ecf1d1c6 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -30,6 +30,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 @{bin}/bc rix,
 @{bin}/gcc rix,
 @{bin}/getconf rix,
+ @{bin}/kill rix,
 @{bin}/kmod rCx -> kmod,
 @{bin}/ld rix,
 @{bin}/lsb_release rPx -> lsb_release,
diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate
index 42265208..b1c48540 100644
--- a/apparmor.d/profiles-a-f/foliate
+++ b/apparmor.d/profiles-a-f/foliate
@@ -40,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
 /usr/share/com.github.johnfactotum.Foliate/{,**} r,
 owner /bindfile@{rand6} rw,
- owner @{att}/.flatpak-info r,
+ owner /.flatpak-info r,
 owner @{user_books_dirs}/{,**} r,
 owner @{user_torrents_dirs}/{,**} r,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 40dbda8c..6cee42be 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
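Review bot: In the dfc hunk, `capability dac_override,` replaces a `deny` whose removed comment said it had "No visible effect", and nothing in the hunk records what changed to justify granting it now. CAP_DAC_OVERRIDE lets dfc open any file regardless of its mode bits, which is much wider than `dac_read_search` (read/search bypass only), and for a tool that stats mountpoints the narrower capability is normally sufficient. If a real denial motivated this, keep a comment recording the access that needed it, e.g. `# dac_override: needed for <access from audit log>` (placeholder), so a later reviewer can check whether it is still required; otherwise keep only `capability dac_read_search,`.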
@@ -66,11 +66,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 /etc/pki/fwupd-metadata/{,**} r,
 /etc/pki/fwupd/{,**} r,
- /var/cache/fwupd/{,**} rw,
- /var/lib/flatpak/exports/share/mime/mime.cache r,
- /var/lib/fwupd/{,**} rw,
- /var/lib/fwupd/pending.db rwk,
- /var/tmp/etilqs_@{hex16} rw,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 /boot/{,**} r,
 /boot/EFI/*/.goutputstream-@{rand6} rw,
@@ -78,8 +75,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 /boot/EFI/*/fwupdx@{int}.efi rw,
 @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
+ /var/lib/flatpak/exports/share/mime/mime.cache r,
+ /var/tmp/etilqs_@{hex16} rw,
+ owner /var/cache/fwupd/ rw,
+ owner /var/cache/fwupd/** rwk,
+ owner /var/lib/fwupd/ rw,
+ owner /var/lib/fwupd/** rwk,
 # In order to get to this file, the attach_disconnected flag has to be set
 owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
@@ -88,8 +89,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/**/ r,
 @{sys}/devices/** r,
- @{sys}/bus/hid/drivers/*/uevent r,
- @{sys}/bus/usb/drivers/usbhid/uevent r,
 @{sys}/firmware/acpi/** r,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
@@ -99,9 +98,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/firmware/efi/efivars/fwupd-* rw,
 @{sys}/kernel/security/lockdown r,
 @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
- @{sys}/module/*/uevent r,
- @{sys}/module/uhid/uevent r,
- @{sys}/module/usbhid/uevent r,
+ @{sys}/**/uevent r,
 @{sys}/power/mem_sleep r,
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 3b02d97c..774dfa9f 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -50,6 +50,7 @@ profile mkinitramfs @{exec_path} {
 @{bin}/touch rix,
 @{bin}/tr rix,
 @{bin}/tsort rix,
+ @{bin}/uniq rix,
 @{bin}/xargs rix,
 @{bin}/xz rix,
 @{bin}/zstd rix,
@@ -85,13 +86,15 @@ profile mkinitramfs @{exec_path} {
 owner /boot/initrd.img-*.new rw,
 /var/tmp/ r,
- /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
- owner /var/tmp/mkinitramfs_*/ rw,
- owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**,
- owner /var/tmp/mkinitramfs-* rw,
+ /var/tmp/modules_@{rand6} rw,
+ /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw,
+ owner /var/tmp/mkinitramfs_@{rand6} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,
+ owner /var/tmp/mkinitramfs-@{rand6} rw,
 @{sys}/devices/platform/ r,
- @{sys}/devices/platform/reg-dummy/{,**}/ r,
+ @{sys}/devices/platform/**/ r,
+ @{sys}/devices/platform/**/modalias r,
 @{sys}/module/compression r,
 @{PROC}/cmdline r,
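Review bot: `owner /var/tmp/mkinitramfs_@{rand6} rw,` in the second hunk drops the trailing slash that the old `owner /var/tmp/mkinitramfs_*/ rw,` had, so it now matches a regular file named mkinitramfs_XXXXXX rather than the directory that mkinitramfs creates with `mktemp -d`; creating and removing that directory needs `owner /var/tmp/mkinitramfs_@{rand6}/ rw,`. The link target on the next line still reads `/var/tmp/mkinitramfs_*/**` while the source path uses `@{rand6}`; harmless, but worth aligning. `owner /var/tmp/mkinitramfs-@{rand6} rw,` is also narrower than the old `mkinitramfs-*`: if the script still puts a tag before the random part of its cpio temp files (`mkinitramfs-OL_XXXXXX` in the versions I recall), those stop matching — please confirm against the current initramfs-tools. Using `@{lib}` inside the `/var/tmp/mkinitramfs_@{rand6}/` prefix produces a double slash if the variable expands to an absolute path; the old rule spelled `{usr/,}lib` here, so a quick `apparmor_parser -p` look at the expansion is worthwhile. The enclosing profile starts outside the hunk.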
@@ -126,18 +129,18 @@ profile mkinitramfs @{exec_path} {
 @{sh_path} rix,
 @{bin}/ldconfig.real rix,
- owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
- owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
+ owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,
- owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,
- owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw,
- owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,
 include if exists
 }
@@ -156,7 +159,7 @@ profile mkinitramfs @{exec_path} {
 /usr/share/initramfs-tools/scripts/{,**/} r,
 /etc/initramfs-tools/scripts/{,**/} r,
- owner /var/tmp/mkinitramfs_*/{,**/} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,
 include if exists
 }
@@ -165,11 +168,13 @@ profile mkinitramfs @{exec_path} {
 include
 include
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
+ owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
+
+ @{sys}/module/compression r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop
index a3c3f5a0..b4b63fe7 100644
--- a/apparmor.d/profiles-s-z/vesktop
+++ b/apparmor.d/profiles-s-z/vesktop
@@ -4,6 +4,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
+ include
 @{name} = vesktop
diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat
index b780eb8d..edce3184 100644
--- a/apparmor.d/profiles-s-z/vnstat
+++ b/apparmor.d/profiles-s-z/vnstat
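Review bot: The third added rule, `owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,`, is missing the `/` between `@{rand6}` and `usr`, so it can never match a real path and the updates/ tree loses the read access the old `mkinitramfs_*/usr/lib/modules/*/updates/{,**}` line granted; it should read `owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,`. The sibling lines here keep `usr/lib` spelled out while the hunks above switched the same prefix to `@{lib}`; one form throughout would make the next rename easier to grep. The enclosing child profile starts outside the hunk.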
@@ -12,35 +12,17 @@ profile vnstat @{exec_path} {
 include
 include
- # The following rules are needed when adding a new interface to the vnstat database. Usually this
- # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the
- # database files under /var/lib/vnstat/ are owned by vnstat:vnstat. Because of the above, the
- # dac_override CAP is needed to allow writing files in that dir.
- #
- # If this CAP was denied, then the following error is printed when adding new interfaces:
- #
- # Error: Exec step failed (8: attempt to write a readonly database): "insert into interface
- # (name, active, created, updated, rxcounter, txcounter, rxtotal, txtotal) values ('eth0', 1,
- # datetime('now', 'localtime'), datetime('now', 'localtime'), 0, 0, 0, 0)"
- # Error: Adding interface "ifb0" to database failed.
- #
- capability dac_override,
- #
- # Also the vnstat.db file has to have the write permission:
- /var/lib/vnstat/vnstat.db w,
- /var/lib/vnstat/vnstat.db-journal rw,
- #
- # This is needed to change the owner:group to vnstat:vnstat of the database file.
 capability chown,
+ capability dac_override,
 @{exec_path} mr,
- # Many apps/users can query vnstat database, so don't use owner here.
- /var/lib/vnstat/ r,
- /var/lib/vnstat/vnstat.db rk,
- /etc/vnstat.conf r,
+ /var/lib/vnstat/ r,
+ /var/lib/vnstat/vnstat.db rwk,
+ /var/lib/vnstat/vnstat.db-journal rw,
+ @{sys}/class/net/ r,
 @{sys}/devices/@{pci}/net/*/statistics/{tx,rx}_{bytes,packets} r,