mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into thunderbird2

Browse source
This commit is contained in:
nobodysu 2022-08-12 14:35:53 +00:00 committed by GitHub
commit db8e881c06
Failed to generate hash of commit
467 changed files with 6300 additions and 2372 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitlab-ci.yml
View file

@ -50,7 +50,7 @@ tests:
archlinux:
stage: build
image: registry.gitlab.com/archlex/packages/builders/arch
image: registry.gitlab.com/archlex/packages/builders/archlinux
script:
- sudo pacman -Syu --noconfirm --noprogressbar lsb-release
- makepkg -s --noconfirm --noprogressbar

63
CONTRIBUTING.md
View file

@ -30,6 +30,17 @@ in this page all the useful information needed to contribute.
you'll see a Compare & pull request button, fill and submit the pull request.
## Projects rules
A few rules:
1. As these are mandatory access control policies only what it explicitly required
should be authorized. Meaning, you should not allow everything (or a large area)
and blacklist some sub area.
2. A profile **should not break a normal usage of the confined software**. It can
be complex as simply running the program for your own use case is not alway
exhaustive of the program features and required permissions.
## Add a profile
1. To add a new profile `foo`, add the file `foo` in `apparmor.d/profile-a-f`.
@ -64,36 +75,65 @@ profile foo @{exec_path} {
## Profile Guidelines
In order to ensure a common structure across the profiles, all new profile should try to follow the guideline presented here.
> This profile guideline is still evloving, feel free to propose improvment
The rules in the profile should be sorted as follow:
In order to ensure a common structure across the profiles, all new profile should
try to follow the guideline presented here.
The rules in the profile should be sorted as follow:
- include
- capability
- network
- mount
- remount
- umount
- ptrace
- signal
- network
- mount
- unix
- dbus (send, receive) send receice
- @{exec_path} mr,
- The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`...
- The shared resources: `/usr/share`...
- The system configuration: `/etc`...
- The system data: `/var`...
- The user data: `owner @{HOME}/`...
- The user configuration (all dotfiles)
- The user configuration, cache and in general all dotfiles
- Temporary data: `/tmp/`, `@{run}/`...
- Sys files: `@{sys}/`...
- Proc files: `@{PROC}/`...
- Dev files: `/dev/`...
- Deny rules: `deny`...
- Local include
**Other rules**
* Do not use: `/usr/lib` or `/usr/bin` but `/{usr/,}bin/` or `/{usr/,}lib/`.
* Do not use: `/usr/sbin` or `/sbin` but `/{usr/,}{s,}bin/`.
* Always use the apparmor variables.
* In a rule block, the rule shall be alphabetically sorted.
* When some file access share similar purpose, they shall be sorted together. Eg:
```
/etc/machine-id r,
/var/lib/dbus/machine-id r,
```
* Subprofile should comes at the end of a profile.
* When some file access share similar purpose, they may be sorted together. Eg:
```
/etc/machine-id r,
/var/lib/dbus/machine-id r,
```
The included tool `aa-log` can be useful to explore the apparmor log
## Abstraction
This project and the apparmor profile official project provide a large selection
of abstraction to be included in profiles. They should be used.
For instance, instead of writting:
```sh
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
```
to allow download directory access, you should write
```sh
include <abstractions/user-download-strict>
```
## AppArmor variables
@ -119,10 +159,11 @@ The rules in the profile should be sorted as follow:
**Additional variables available with this project:**
* Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt`
* Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*`
* Extended XDG user directories:
- Projects: `@{XDG_PROJECTS_DIR}="Projects"`
- Books: `@{XDG_BOOKS_DIR}="Books"`
- Wallpapers: `@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"`
- Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"`
- Sync: `@{XDG_SYNC_DIR}="Sync"`
- Vm: `@{XDG_VM_DIR}=".vm"`
- SSH: `@{XDG_SSH_DIR}=".ssh"`

19
README.md
View file

@ -11,7 +11,8 @@
## Description
A set of over 1000 AppArmor profiles which aims is to confine most of Linux base applications and processes.
A set of over 1200 AppArmor profiles which aims is to confine most of Linux base
applications and processes.
**Goals & Purpose**
- Support all distributions that support AppArmor:
@ -47,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
* An `apparmor` based linux distribution.
* Base profiles and abstractions shipped with AppArmor are supposed to be
installed.
* Go (build dependency only)
* rsync (build dependency only)
**Archlinux**
@ -58,17 +61,18 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
--overwrite etc/apparmor.d/tunables/xdg-user-dirs
```
> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Debian**
Build using standard Debian package build tools:
```sh
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync
dpkg-buildpackage -b -d --no-sign
sudo dpkg --install ../apparmor.d_*_all.deb
sudo dpkg -i ../apparmor.d_*_all.deb
```
> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Partial install**
@ -131,7 +135,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
**AppArmor configuration**
As they are a lot of rules, it is recommended to enable caching AppArmor profiles.
In `/etc/apparmor/parser.conf`, uncomment `write-cache`.
In `/etc/apparmor/parser.conf`, uncomment `write-cache` and `Optimize=compress-fast`.
See [Speed up AppArmor Start] on the Arch Wiki for more information.
@ -176,9 +180,9 @@ AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with `aa-
**System Recovery**
Issue in some core profiles like the systemd tools, or the desktop environment
Issue in some core profiles like the systemd suite, or the desktop environment
can fully break your system. This should not happen a lot, but if it does here
is the procces to recover your system on Archlinux:
is the process to recover your system on Archlinux:
1. Boot from a Archlinux live USB
1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/<your-disk-id> vg0`
1. Mount your root partition: `mount /dev/<your-plain-disk-id> /mnt`
@ -253,3 +257,4 @@ with this program; if not, write to the Free Software Foundation, Inc.,
[android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/
[Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles
[write xor execute]: https://en.wikipedia.org/wiki/W%5EX

33
apparmor.d/abstractions/X-strict Normal file
View file

@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# The unix socket to use to connect to the display
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
/tmp/.X11-unix/* rw,
/tmp/.ICE-unix/* rw,
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,
# ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
owner @{run}/user/@{uid}/ICEauthority r,
# Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/X11/Xauthority r,
owner @{run}/user/@{uid}/xauth_* r,
# Xwayland
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
include if exists <abstractions/X-strict.d>

2
apparmor.d/abstractions/X.d/complete
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Available Xsessions

13
apparmor.d/abstractions/app-launcher-root
View file

@ -1,13 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# Root app location
/ r,
/usr/ r,
/{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/[a-z0-9]* rPUx,
/ r,
/usr/ r,
/{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/[a-z0-9]* rPUx,
/usr/local/{s,}bin/ r,
/usr/local/{s,}bin/[a-zA-Z0-9]* rPUx,
include if exists <abstractions/app-launcher-root.d>

13
apparmor.d/abstractions/app-launcher-user
View file

@ -1,14 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# User app location
/ r,
/usr/ r,
/{usr/,}bin/ r,
/{usr/,}bin/[a-zA-Z0-9]* rPUx,
/ r,
/usr/ r,
/{usr/,}bin/ r,
/{usr/,}bin/[a-zA-Z0-9]* rPUx,
/usr/local/bin/ r,
/usr/local/bin/[a-zA-Z0-9]* rPUx,
# Firefox
/{usr/,}lib/ r,

4
apparmor.d/abstractions/audio.d/complete
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/share/sounds/ r,

11
apparmor.d/abstractions/base.d/complete
View file

@ -1,20 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/etc/writable/localtime r,
/usr/share/locale/ r,
# Allow to receive some signals
signal (receive) peer=top,
signal (receive) peer=htop,
signal (receive) peer=sudo,
signal (receive) peer=top,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,cont) peer=systemd,
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
signal (receive) set=(term,kill) peer=gnome-shell,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=su,
signal (receive) peer=sudo,
ptrace (readby) peer=systemd-coredump,

2
apparmor.d/abstractions/chromium-common
View file

@ -39,3 +39,5 @@
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
include if exists <abstractions/chromium-common.d>

11
apparmor.d/abstractions/dbus-session-strict.d/complete Normal file
View file

@ -0,0 +1,11 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,

15
apparmor.d/abstractions/dconf-write Normal file
View file

@ -0,0 +1,15 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Permissions for querying dconf settings with write access; use the dconf
# abstraction first, and dconf-write only for specific application's profile.
/etc/dconf/** r,
owner @{user_config_dirs}/dconf/user r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <abstractions/dconf-write.d>

56
apparmor.d/abstractions/disks-read
View file

@ -7,6 +7,8 @@
# The /sys/ entries probably should be tightened
/dev/ r,
/dev/block/ r,
/dev/disk/{,*/} r,
# Regular disk/partition devices
/dev/{s,v}d[a-z]* rk,
@ -35,14 +37,46 @@
# LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rk,
/dev/mapper/{,*} r,
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZFS devices
/dev/zd[0-9]* rk,
/dev/zvol/{,*/} r,
/dev/*pool/ r,
@{sys}/devices/virtual/block/zd[0-9]*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/** r,
# ZRAM devices
/dev/zram[0-9]* rk,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
# Armbian / DietPi
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/} r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/ r,
@{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/ r,
@{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type r,
@{sys}/devices/virtual/block/ram[0-9]*/ r,
@{sys}/devices/virtual/block/ram[0-9]*/hidden r,
@{sys}/devices/virtual/block/ram[0-9]*/dev r,
@{sys}/devices/virtual/block/ram[0-9]*/size r,
@{sys}/devices/virtual/block/ram[0-9]*/ro r,
@{sys}/devices/virtual/block/ram[0-9]*/removable r,
@{sys}/devices/virtual/block/ram[0-9]*/holders/ r,
@{sys}/devices/virtual/block/ram[0-9]*/slaves/ r,
# investigate
# /dev/ram[0-9]* r,
# CD-ROM
/dev/sr[0-9]* rk,
@ -57,27 +91,15 @@
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b24[0-9]:[0-9]* r,
@{run}/udev/data/b25[0-4]:[0-9]* r,
@{run}/udev/data/b259:[0-9]* r,
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**

29
apparmor.d/abstractions/disks-write
View file

@ -39,6 +39,11 @@
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZFS devices
/dev/zd[0-9]* rwk,
@{sys}/devices/virtual/block/zd[0-9]*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/** r,
# ZRAM devices
/dev/zram[0-9]* rwk,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@ -63,28 +68,16 @@
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b24[0-9]:[0-9]* r,
@{run}/udev/data/b25[0-4]:[0-9]* r,
@{run}/udev/data/b259:[0-9]* r,
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b2:[0-9]* r, # for /dev/fd*
@{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**

4
apparmor.d/abstractions/freedesktop.org.d/complete
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/.icons/default/index.theme r,

8
apparmor.d/abstractions/ibus.d/complete
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# abstract path in ibus < 1.5.22 uses /tmp
@ -16,3 +16,7 @@
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
unix (connect, send, receive, accept, bind, listen)
type=stream
addr="@/home/*/.cache/ibus/dbus-*",

6
apparmor.d/abstractions/libvirt-lxc
View file

@ -3,7 +3,9 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# allow receiving signals from libvirtd
include <abstractions/base>
# Allow receiving signals from libvirtd
signal (receive) peer=libvirtd,
umount,
@ -119,4 +121,4 @@
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,
include if exists <local/abstractions/libvirt-lxc>
include if exists <abstractions/libvirt-lxc.d>

9
apparmor.d/abstractions/libvirt-qemu
View file

@ -1,8 +1,12 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# required for reading disk images
capability dac_override,
capability dac_read_search,
@ -251,5 +255,4 @@
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/abstractions/libvirt-qemu>
include if exists <abstractions/libvirt-qemu.d>

2
apparmor.d/abstractions/lxc/start-container
View file

@ -11,7 +11,7 @@
# currently blocked by apparmor bug
mount -> /usr/lib*/*/lxc/{**,},
mount -> /usr/lib*/lxc/{**,},
mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,

30
apparmor.d/abstractions/nameservice-strict
View file

@ -1,24 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
/etc/hosts r,
/etc/host.conf r,
/etc/resolv.conf r,
@{etc_ro}/default/nss r,
@{etc_ro}/gai.conf r,
@{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
@{etc_ro}/resolv.conf r,
@{etc_ro}/services r,
@{run}/systemd/resolve/stub-resolv.conf r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/gai.conf r,
/etc/group r,
/etc/protocols r,
/etc/default/nss r,
/etc/services r,
# NSS records from systemd-userdbd.service
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{PROC}/sys/kernel/random/boot_id r,
include if exists <abstractions/nameservice-strict.d>

8
apparmor.d/abstractions/python.d/complete
View file

@ -1,11 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/{usr/,}bin/ r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/{,**/} r,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so} mr,
owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth} r,

33
apparmor.d/abstractions/tor
View file

@ -1,33 +0,0 @@
# vim:syntax=apparmor
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
network tcp,
network udp,
capability chown,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
/usr/bin/tor r,
/usr/sbin/tor r,
# Needed by obfs4proxy
/proc/sys/net/core/somaxconn r,
/proc/sys/kernel/random/uuid r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/etc/tor/* r,
/usr/share/tor/** r,
/usr/bin/obfsproxy PUx,
/usr/bin/obfs4proxy Pix,
include if exists <abstractions/tor.d>

11
apparmor.d/abstractions/user-download-strict
View file

@ -4,14 +4,11 @@
abi <abi/3.0>,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r,
owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
owner @{user_download_dirs}/ r,
owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
# For SSHFS mounts (without owner as files in such mounts can be owned by different users)
@{HOME}/mount-sshfs/ r,

31
apparmor.d/abstractions/user-read
View file

@ -2,20 +2,23 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r,
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
# Give read access on all defined user directories. It should only be used if
# access to ALL folders is required.
owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r,
owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_books_dirs}/{,**} r,
owner @{user_documents_dirs}/{,**} r,
owner @{user_music_dirs}/{,**} r,
owner @{user_pictures_dirs}/{,**} r,
owner @{user_projects_dirs}/{,**} r,
owner @{user_publicshare_dirs}/{,**} r,
owner @{user_sync_dirs}/{,**} r,
owner @{user_templates_dirs}/{,**} r,
owner @{user_torrents_dirs}/{,**} r,
owner @{user_videos_dirs}/{,**} r,
include if exists <abstractions/user-read.d>

19
apparmor.d/abstractions/user-write.d/complete
View file

@ -2,17 +2,12 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl,
owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
owner @{user_books_dirs}/{,**} rwl,
owner @{user_documents_dirs}/{,**} rwl,
owner @{user_music_dirs}/{,**} rwl,
owner @{user_pictures_dirs}/{,**} rwl,
owner @{user_projects_dirs}/{,**} rwl,
owner @{user_videos_dirs}/{,**} rwl,

4
apparmor.d/abstractions/wayland.d/complete
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/@{uid}/wayland-[0-9]* rw,

4
apparmor.d/groups/apps/android-studio
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{AS_LIBDIR} = @{MOUNTS}/*/android-studio
@{AS_SDKDIR} = @{MOUNTS}/*/SDK
@{AS_LIBDIR} = @{MOUNTS}/android-studio
@{AS_SDKDIR} = @{MOUNTS}/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects

11
apparmor.d/groups/apps/atom
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -86,18 +87,14 @@ profile atom @{exec_path} {
# Git dirs
/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/atom/ r,
owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,
owner @{MOUNTS}/ r,
owner @{user_projects_dirs}/ r,
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
owner @{user_config_dirs}/git/config r,
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or atom gets crash with the following error:

8
apparmor.d/groups/apps/calibre
View file

@ -75,12 +75,8 @@ profile calibre @{exec_path} {
/usr/share/calibre/{,**} r,
owner @{HOME}/@{XDG_BOOKS_DIR} rw,
owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
owner @{user_books_dirs} rw,
owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,
owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk,

12
apparmor.d/groups/apps/code
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
profile code @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -63,18 +64,11 @@ profile code @{exec_path} {
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
# Git dirs
/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/code/ r,
owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
owner @{user_projects_dirs}/ r,
owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or code gets crash with the following error:

4
apparmor.d/groups/apps/filezilla
View file

@ -56,8 +56,8 @@ profile filezilla @{exec_path} {
/{usr/,}lib/firefox/firefox rPUx,
# FTP share folder
owner @{MOUNTS}/*/ftp/ r,
owner @{MOUNTS}/*/ftp/** rw,
owner @{MOUNTS}/ftp/ r,
owner @{MOUNTS}/ftp/** rw,
# Silencer
/ r,

5
apparmor.d/groups/apps/freetube
View file

@ -15,6 +15,7 @@ include <tunables/global>
profile freetube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
@ -67,10 +68,6 @@ profile freetube @{exec_path} {
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_share_dirs} r,

5
apparmor.d/groups/apps/telegram-desktop
View file

@ -12,6 +12,7 @@ include <tunables/global>
profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Needed when saving files as, or otherwise the app crashes
/usr/share/glib-2.0/schemas/gschemas.compiled r,

1
apparmor.d/groups/apps/thunderbird
View file

@ -17,6 +17,7 @@ include <tunables/global>
profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/wayland>
include <abstractions/nvidia>

163
apparmor.d/groups/apt/apt
View file

@ -1,19 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get
@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd
profile apt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/dbus-strict>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/openssl>
include <abstractions/python>
capability chown,
capability dac_override,
@ -24,15 +27,46 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability net_admin,
capability setgid,
capability setuid,
capability sys_nice,
signal (send) peer=apt-methods-*,
unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.{DBus.Introspectable,PackageKit}
member={StateHasChanged,Introspect}
peer=(name=org.freedesktop.PackageKit),
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit
peer=(name=org.freedesktop.login[0-9]),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus{,.Introspectable}
member={RequestName,GetConnectionUnixProcessID,Introspect}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority}
member={CheckAuthorization,Introspect},
dbus bind bus=system
name= org.debian.apt,
@{exec_path} mr,
/{usr/,}{s,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
@ -45,81 +79,95 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}bin/df rPx,
/{usr/,}bin/dmesg rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For building the source after the download process is finished (apt-get source --compile)
/{usr/,}bin/dpkg-buildpackage rPUx,
/{usr/,}bin/dpkg-buildpackage rPUx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
# Ubuntu specificities
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# For editing the sources.list file
/etc/apt/sources.list rwk,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
# For changelogs
/tmp/apt-changelog-*/ w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
/tmp/apt-changelog-*/*.changelog w,
/{usr/,}bin/sensible-pager rCx -> pager,
/{usr/,}bin/sensible-pager rCx -> pager,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
/usr/share/xml/iso-codes/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/apt/sources.list rwk,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/lib/dbus/machine-id r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/crash/{,*.@{uid}.crash} rw,
/var/lib/apt/extended_states{,.*} rw,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/periodic/update-success-stamp rw,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/log/apt/{,**} rw,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
/tmp/ r,
/tmp/apt-changelog-*/ w,
/tmp/apt-changelog-*/*.changelog w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
/dev/ptmx rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
profile editor flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
owner @{HOME}/.selected_editor r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/which{,.debianutils} rix,
/usr/share/vim/{,**} r,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
/etc/apt/sources.list rw,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.selected_editor r,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
}
@ -129,40 +177,37 @@ profile apt @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/less rix,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/less rix,
/root/ r, # For shell pwd
owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
}
profile dpkg-source flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict>
include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/xz rix,
/etc/dpkg/origins/debian r,

13
apparmor.d/groups/apt/apt-cache
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,23 +10,23 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache
profile apt-cache @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-cache>
}

16
apparmor.d/groups/apt/apt-cdrom
View file

@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
capability dac_read_search,
@ -21,6 +21,8 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount,
/etc/fstab r,
# Are all of these needed? (#FIXME#)
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@ -29,8 +31,6 @@ profile apt-cdrom @{exec_path} flags=(complain) {
@{sys}/devices/**/uevent r,
@{run}/udev/data/* r,
/etc/fstab r,
# For cd-roms
/media/cdrom[0-9]/ r,
/media/cdrom[0-9]/**/ r,
@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
# For pendrives
@{MOUNTS}/*/*/ r,
@{MOUNTS}/*/*/**/ r,
@{MOUNTS}/*/*/.disk/info r,
@{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r,
@{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r,
@{MOUNTS}/ r,
@{MOUNTS}/**/ r,
@{MOUNTS}/.disk/info r,
@{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
@{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw,

7
apparmor.d/groups/apt/apt-config
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,13 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config
profile apt-config @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner /tmp/tmp*/apt.conf r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-config>

13
apparmor.d/groups/apt/apt-extracttemplates
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -16,15 +17,17 @@ profile apt-extracttemplates @{exec_path} {
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner /tmp/*.{config,template}.?????? rw,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
owner /tmp/*.{config,template}.?????? rw,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-extracttemplates>
}

7
apparmor.d/groups/apt/apt-file
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -25,13 +26,13 @@ profile apt-file @{exec_path} {
/etc/apt/apt-file.conf r,
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
# file_inherit
/var/log/cron-apt/temp w,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-file>
}

18
apparmor.d/groups/apt/apt-forktracer
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,8 +10,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-forktracer
profile apt-forktracer @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/apt-common>
include <abstractions/python>
@{exec_path} mr,
@ -19,21 +20,20 @@ profile apt-forktracer @{exec_path} {
/{usr/,}bin/apt-cache rPx,
/usr/share/apt-forktracer/{,**} r,
/usr/share/distro-info/debian.csv r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/*_InRelease r,
/var/cache/apt/pkgcache.bin{,.*} rw,
/usr/share/distro-info/debian.csv r,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/dpkg/origins/debian r,
/etc/debian_version r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-forktracer>
}

43
apparmor.d/groups/apt/apt-key
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -14,21 +15,21 @@ profile apt-key @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/find rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
@ -73,6 +74,11 @@ profile apt-key @{exec_path} {
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg{,~,.tmp} rw,
@ -86,18 +92,13 @@ profile apt-key @{exec_path} {
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
# File_inherit
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
}
include if exists <local/apt-key>

8
apparmor.d/groups/apt/apt-methods-http
View file

@ -14,17 +14,15 @@ profile apt-methods-http @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
network inet dgram,
network inet6 dgram,

2
apparmor.d/groups/apt/dpkg-divert
View file

@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
/var/lib/dpkg/** r,
/usr/share/*/**.dpkg-divert.tmp w,
/usr/share/*/** w,
/var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw,

8
apparmor.d/groups/apt/dpkg-preconfigure
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -35,6 +36,9 @@ profile dpkg-preconfigure @{exec_path} {
owner /tmp/*.config.* rwPUx,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
@{run}/user/@{uid}/pk-debconf-socket rw,
# The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
include <abstractions/gtk>
@ -44,9 +48,7 @@ profile dpkg-preconfigure @{exec_path} {
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/dpkg-preconfigure>

1
apparmor.d/groups/apt/dpkg-query
View file

@ -23,6 +23,7 @@ profile dpkg-query @{exec_path} {
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/dev/tty[0-9]* rw,
include if exists <local/dpkg-query>
}

5
apparmor.d/groups/apt/reportbug
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/reportbug
profile reportbug @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/wayland>
include <abstractions/consoles>
include <abstractions/fonts>
@ -63,10 +64,6 @@ profile reportbug @{exec_path} {
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/gpg rCx -> gpg,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# For sending additional information
/etc/** r,

51
apparmor.d/groups/apt/unattended-upgrade
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,10 +10,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/unattended-upgrade
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/consoles>
capability chown,
capability dac_override,
@ -26,41 +29,64 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
network netlink raw,
signal (send) peer=apt-methods-http,
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.PackageKit
member=StateHasChanged,
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
member=Introspect,
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,GetAll},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=StateChanged,
@{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/uname rix,
/{usr/,}{s,}bin/dpkg-preconfigure rPx,
/{usr/,}{s,}bin/on_ac_power rPx,
/{usr/,}{s,}bin/sendmail rPUx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/apt/methods/http{,s} rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/usr/share/distro-info/* r,
/usr/share/dpkg/*table r,
/etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r,
/etc/apt/preferences.d/{,**} r,
/etc/apt/sources.list.d/{,**} r,
/etc/machine-id r,
/var/log/unattended-upgrades/*.log rw,
/var/lib/apt/extended_states r,
/var/lib/apt/lists/{,**} r,
/var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/status r,
/var/lib/dpkg/updates/ r,
/var/cache/apt/{,**} rwk,
@ -74,9 +100,12 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/resolvconf/resolv.conf r,
owner /tmp/#[0-9]* rw,
owner /tmp/apt-dpkg-install-*/{,*} rw,
owner @{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
/dev/ptmx rw,
include if exists <local/unattended-upgrade>
}

20
apparmor.d/groups/apt/unattended-upgrade-shutdown
View file

@ -9,11 +9,31 @@ include <tunables/global>
@{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown
profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/python>
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.{Introspectable,Properties}
member={Introspect,Get},
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=PrepareForShutdown,
@{exec_path} mr,
/{usr/,}bin/ischroot rix,
/usr/share/unattended-upgrades/{,*} r,
/etc/apt/apt.conf.d/{,*} r,

43
apparmor.d/groups/apt/usr.sbin.apt-cacher-ng
View file

@ -1,43 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Felix Geyer <debfx@ubuntu.com>
# SPDX-License-Identifier: GPL-2.0-only
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
include <tunables/global>
profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/user-tmp>
/etc/apt-cacher-ng/ r,
/etc/apt-cacher-ng/** r,
/etc/hosts.{deny,allow} r,
/usr/sbin/apt-cacher-ng mr,
/var/lib/apt-cacher-ng/** r,
/{,var/}run/apt-cacher-ng/* rw,
@{APT_CACHER_NG_CACHE_DIR}/ r,
@{APT_CACHER_NG_CACHE_DIR}/** rwl,
/var/log/apt-cacher-ng/ r,
/var/log/apt-cacher-ng/* rw,
/{,var/}run/systemd/notify w,
/{usr/,}bin/dash ixr,
/{usr/,}bin/ed ixr,
/{usr/,}bin/red ixr,
/{usr/,}bin/sed ixr,
/usr/lib/apt-cacher-ng/acngtool ixr,
# Allow serving local documentation
/etc/mime.types r,
/usr/share/doc/apt-cacher-ng/html/** r,
# used by libevent
@{PROC}/sys/kernel/random/uuid r,
include if exists <local/usr.sbin.apt-cacher-ng>
}

5
apparmor.d/groups/browsers/brave
View file

@ -14,6 +14,7 @@ include <tunables/global>
profile brave @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -105,10 +106,6 @@ profile brave @{exec_path} {
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or Brave crash with the following error:

5
apparmor.d/groups/browsers/chrome-gnome-shell
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/chrome-gnome-shell
profile chrome-gnome-shell @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{PROC}/@{pid}/mounts r,
deny @{HOME}/.* r,

6
apparmor.d/groups/browsers/chromium-chromium
View file

@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/chromium-common>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -58,6 +58,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-email rPx,
/{usr/,}bin/xdg-icon-resource rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
@ -106,9 +107,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
# owner @{HOME}/.mozilla/firefox/*/logins.json r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner /tmp/tmp.*/ rw,
owner /tmp/tmp.*/** rwk,
owner /tmp/scoped_dir*/{,**} rw,

5
apparmor.d/groups/browsers/firefox
View file

@ -15,7 +15,7 @@ include <tunables/global>
profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,

5
apparmor.d/groups/browsers/firefox-crashreporter
View file

@ -12,7 +12,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/firefox/crashreporter
profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/mozilla/firefox/*.*/** r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/tmp/ r,
/var/tmp/ r,
owner /tmp/[0-9a-f]*.{dmp,extra} rw,

5
apparmor.d/groups/browsers/opera
View file

@ -13,6 +13,7 @@ include <tunables/global>
@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
profile opera @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
@ -83,10 +84,6 @@ profile opera @{exec_path} {
/etc/fstab r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or opera crashes with the following error:

22
apparmor.d/groups/bus/dbus-daemon
View file

@ -11,6 +11,9 @@ include <tunables/global>
profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/nameservice-strict>
capability audit_write,
@ -34,14 +37,18 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{libexec}/* rPUx,
/{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx,
@{libexec}/* rPUx,
/{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
# Xubuntu
/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/etc/dbus-1/{,**} r,
/etc/machine-id r,
/usr/share/dbus-1/{,**} r,
/usr/share/defaults/**.conf r,
@ -63,13 +70,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
owner /tmp/dbus-[0-9a-zA-Z]* rw,
owner @{run}/user/@{uid}/bus w,
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/[0-9]*.ref rw,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
@{sys}/kernel/security/apparmor/.access rw,
@ -77,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/oom_score_adj rw,
@{PROC}/@{pids}/cmdline r,

8
apparmor.d/groups/bus/dbus-daemon-launch-helper
View file

@ -18,10 +18,16 @@ profile dbus-daemon-launch-helper @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
/{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
/{usr/,}lib/software-properties/software-properties-dbus rPx,
/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
/usr/share/dbus-1/{,**} r,
/etc/dbus-1/{,**} r,
owner @{PROC}/@{pid}/oom_score_adj rw,
include if exists <local/dbus-daemon-launch-helper>

4
apparmor.d/groups/bus/dbus-run-session
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session
profile dbus-run-session @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
signal (receive) set=(term, kill, hup) peer=gdm*,
signal (send) set=term peer=dbus-daemon,
@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/dconf/profile/gdm r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.cache/dconf/ rw,

3
apparmor.d/groups/bus/ibus-daemon
View file

@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/ibus-daemon
profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
signal (receive) set=(usr1) peer=gnome-shell,
@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/{,**} rw,
owner @{user_cache_dirs}/ibus/{,**} rw,
/var/lib/gdm{3,}/.config/ibus/{,**} rw,
/var/lib/gdm{3,}/.cache/ibus/{,**} rw,

4
apparmor.d/groups/bus/ibus-dconf
View file

@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-dconf
profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
signal (receive) set=term peer=ibus-daemon,
@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.cache/dconf/ w,
/var/lib/gdm/.cache/dconf/user rw,
/var/lib/gdm/.config/dconf/user rw,

3
apparmor.d/groups/bus/ibus-engine-simple
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-engine-simple
profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/ibus>
signal (receive) set=term peer=ibus-daemon,
@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,

13
apparmor.d/groups/bus/ibus-extension-gtk3
View file

@ -10,10 +10,12 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-extension-gtk3
profile ibus-extension-gtk3 @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
signal (receive) set=term peer=ibus-daemon,
@ -32,17 +34,10 @@ profile ibus-extension-gtk3 @{exec_path} {
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/var/lib/gdm/.config/dconf/user r,
include if exists <local/ibus-extension-gtk3>

5
apparmor.d/groups/bus/ibus-memconf
View file

@ -9,14 +9,15 @@ include <tunables/global>
@{exec_path} = @{libexec}/ibus-memconf
profile ibus-memconf @{exec_path} {
include <abstractions/base>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/etc/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
include if exists <local/ibus-memconf>
}

4
apparmor.d/groups/bus/ibus-portal
View file

@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-portal
profile ibus-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/ibus>
signal (receive) set=(term, hup) peer=gdm*,
@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/ r,
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
owner /dev/tty[0-9]* rw,
/dev/null rw,

7
apparmor.d/groups/bus/ibus-x11
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-x11
profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
@ -18,14 +19,14 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict>
include <abstractions/opencl>
unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
@{exec_path} mr,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
/var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,

97
apparmor.d/groups/cron/cron
View file

@ -7,17 +7,18 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/cron
@{exec_path} = /{usr/,}{s,}bin/cron
profile cron @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/app-launcher-root>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability setuid,
capability setgid,
capability dac_read_search,
capability audit_write,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_resource,
network netlink raw,
@ -26,36 +27,21 @@ profile cron @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/run-parts rPx,
/etc/crontab r,
# All stuff that is executed via the /etc/cron.d/ dir
/etc/cron.d/{,*} r,
/{usr/,}sbin/cron-apt rPx,
/{usr/,}bin/debsecan rPx,
/{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
/{usr/,}sbin/e2scrub_all rPUx,
/etc/cron.daily/popularity-contest rPx,
/{usr/,}lib/sysstat/debian-sa1 rPUx,
/{usr/,}{s,}bin/sendmail rPUx,
# All stuff that is executed via the user crontab files
/{usr/,}bin/apt-file rPx,
/{usr/,}bin/apt-key rPx,
/{usr/,}bin/rsync rPUx,
/usr/share/rsync/scripts/rrsync rPUx,
/{usr/,}bin/gpg rPx,
/{usr/,}sbin/update-pciids rPx,
/{usr/,}bin/borg rPx,
/usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY
# Cron scripts in the /etc/cron.*/ dir to execute
/{usr/,}bin/run-parts rCx -> run-parts,
# Send results using email
/{usr/,}sbin/exim4 rPx,
/etc/cron.d/{,*} r,
/etc/crontab r,
/etc/default/locale r,
/etc/environment r,
/etc/security/limits.d/{,**} r,
/var/spool/cron/crontabs/{,*} r,
@ -66,56 +52,7 @@ profile cron @{exec_path} {
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pid}/loginuid rw,
/etc/environment r,
/etc/default/locale r,
@{PROC}/1/limits r,
/etc/security/limits.d/ r,
profile run-parts {
include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/cron.{hourly,daily,weekly,monthly}/ r,
/etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx,
/etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/debtags rPx,
/etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx,
/etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/plocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx,
/etc/cron.{hourly,daily,weekly,monthly}/debsums rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/man-db rPx,
/etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx,
/etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx,
/etc/cron.{hourly,daily,weekly,monthly}/tor rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx,
/etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx,
#/etc/cron.{hourly,daily,weekly,monthly}/opera-browser rPUx,
#/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable} rPUx,
#/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
#/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} rPUx,
#/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
include if exists <local/cron_run-parts>
}
@{PROC}/1/limits r,
include if exists <local/cron>
}

19
apparmor.d/groups/cron/cron-anacron Normal file
View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/0anacron
profile cron-anacron @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/anacron rPx,
include if exists <local/cron-anacron>
}

24
apparmor.d/groups/cron/cron-apport Normal file
View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apport
profile cron-apport @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
/ r,
/var/crash/ r,
/var/crash/*.crash w,
include if exists <local/cron-apport>
}

0
apparmor.d/groups/apt/cron-apt → apparmor.d/groups/cron/cron-apt
View file

0
apparmor.d/groups/apt/cron-apt-compat → apparmor.d/groups/cron/cron-apt-compat
View file

0
apparmor.d/groups/apt/cron-apt-listbugs → apparmor.d/groups/cron/cron-apt-listbugs
View file

0
apparmor.d/groups/apt/cron-apt-show-versions → apparmor.d/groups/cron/cron-apt-show-versions
View file

0
apparmor.d/groups/apt/cron-apt-xapian-index → apparmor.d/groups/cron/cron-apt-xapian-index
View file

0
apparmor.d/groups/apt/cron-aptitude → apparmor.d/groups/cron/cron-aptitude
View file

0
apparmor.d/groups/apt/cron-debsums → apparmor.d/groups/cron/cron-debsums
View file

0
apparmor.d/groups/apt/cron-debtags → apparmor.d/groups/cron/cron-debtags
View file

0
apparmor.d/groups/apt/cron-popularity-contest → apparmor.d/groups/cron/cron-popularity-contest
View file

35
apparmor.d/groups/freedesktop/accounts-daemon
View file

@ -9,25 +9,50 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon
@{exec_path} += @{libexec}/accounts-daemon
profile accounts-daemon @{exec_path} {
profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice,
capability sys_ptrace,
ptrace (read) peer=unconfined,
dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member={CheckAuthorization,Changed},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus),
dbus bind bus=system
name=org.freedesktop.Accounts,
@{exec_path} mr,
/usr/share/language-tools/language-validate rPx,
/usr/share/accountsservice/{,**} r,
/usr/share/dbus-1/interfaces/*.xml r,
/etc/gdm/ r,
/etc/gdm/custom.conf rw,
/etc/gdm/custom.conf.* rw,
/etc/default/locale r,
/etc/gdm{3,}/ r,
/etc/gdm{3,}/custom.conf rw,
/etc/gdm{3,}/custom.conf.* rw,
/etc/machine-id r,
/etc/shadow r,
/etc/shells r,
@ -35,6 +60,8 @@ profile accounts-daemon @{exec_path} {
owner /var/lib/AccountsService/ r,
owner /var/lib/AccountsService/** rw,
@{HOME}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,

9
apparmor.d/groups/freedesktop/at-spi-bus-launcher
View file

@ -11,11 +11,13 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict>
signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*,
signal (receive) set=(term hup kill) peer=gnome-session-binary,
signal (send) set=(term hup kill) peer=dbus-daemon,
network inet stream,
@ -33,11 +35,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/at-spi/{,bus} rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/lightdm/.Xauthority r,
/var/lib/gdm/.config/dconf/user r,

12
apparmor.d/groups/freedesktop/at-spi2-registryd
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -10,21 +11,20 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi2-registryd
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/nameservice-strict>
# Needed?
deny capability sys_nice,
signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
/var/lib/lightdm/.Xauthority r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/gdm/Xauthority r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw,
include if exists <local/at-spi2-registryd>

25
apparmor.d/groups/freedesktop/colord
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,11 +11,30 @@ include <tunables/global>
@{exec_path} += @{libexec}/colord
profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.{DBus.Properties,ColorManager*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=CheckAuthorization,
dbus bind bus=system
name=org.freedesktop.ColorManager,
@{exec_path} mr,
/{usr/,}lib/colord/colord-sane rPx,
@ -37,7 +56,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{user_share_dirs}/icc/edid-*.icc r,
@{run}/systemd/sessions/[0-9]* r,
@{run}/systemd/sessions/* r,
@{sys}/class/drm/ r,
@{sys}/class/video4linux/ r,

27
apparmor.d/groups/freedesktop/colord-sane
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -8,25 +9,41 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-sane
@{exec_path} += @{libexec}/colord-sane
profile colord-sane @{exec_path} flags=(complain) {
profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
network inet dgram,
network inet6 dgram,
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.{DBus.Properties,ColorManager},
dbus send bus=system path=/
interface=org.freedesktop.{DBus.Peer,Avahi.Server}
member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser
member={CacheExhausted,AllForNow},
@{exec_path} mr,
/etc/sane.d/{,**} r,
/usr/share/snmp/mibs/{,*} r,
/etc/sane.d/{,**} r,
/etc/snmp/snmp.conf r,
/var/lib/snmp/{mib,cert}_indexes/ rw,
/var/lib/snmp/mibs/{iana,ietf}/ r,
/var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
/var/lib/snmp/{mib,cert}_indexes/ rw,
/usr/share/snmp/mibs/{,*} r,
@{run}/systemd/journal/socket rw,
@{sys}/bus/scsi/devices/ r,
@{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
@{PROC}/sys/dev/parport/ r,

3
apparmor.d/groups/freedesktop/colord-session
View file

@ -6,7 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session
@{exec_path} = /{usr/,}lib/colord/colord-session
@{exec_path} += @{libexec}/colord-session
profile colord-session @{exec_path} flags=(complain) {
include <abstractions/base>

5
apparmor.d/groups/freedesktop/dconf
View file

@ -9,17 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf
profile dconf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf-write>
capability sys_nice,
@{exec_path} mr,
/etc/dconf/{,**} r,
/etc/dconf/db/** rw,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,

16
apparmor.d/groups/freedesktop/dconf-editor
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,16 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf-editor
profile dconf-editor @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/dconf>
include <abstractions/gtk>
@{exec_path} mr,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/{,*} r,
# When GSETTINGS_BACKEND=keyfile
owner @{user_config_dirs}/glib-2.0/ rw,
@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} {
owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
/usr/share/glib-2.0/schemas/{,*} r,
owner @{HOME}/.Xauthority r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/dconf-editor>

8
apparmor.d/groups/freedesktop/dconf-service
View file

@ -9,18 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
profile dconf-service @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
# Needed?
deny capability sys_nice,
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
signal (receive) set=(term kill hup) peer=dbus-daemon,
signal (receive) set=(term hup) peer=gdm*,
@{exec_path} mr,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,

16
apparmor.d/groups/freedesktop/desktop-file-install Normal file
View file

@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/desktop-file-install
profile desktop-file-install @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/desktop-file-install>
}

52
apparmor.d/groups/freedesktop/geoclue
View file

@ -7,15 +7,65 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/geoclue
profile geoclue @{exec_path} {
profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager}
interface=org.freedesktop.{DBus.Properties,GeoClue2*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged},
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged,
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser
member={AllForNow,CacheExhausted},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged,PropertiesChanged},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus bind bus=system
name=org.freedesktop.GeoClue2,
@{exec_path} mr,
/etc/geoclue/{,**} r,
@{run}/systemd/journal/socket rw,
@{PROC}/@{pids}/cgroup r,
include if exists <local/geoclue>

14
apparmor.d/groups/freedesktop/pipewire
View file

@ -11,12 +11,26 @@ include <tunables/global>
profile pipewire @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
ptrace (read),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit[0-9]
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit[0-9]),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit[0-9]),
@{exec_path} mr,
/{usr/,}bin/pipewire-media-session rPx,
/usr/share/pipewire/pipewire.conf r,
/etc/machine-id r,

11
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -11,6 +11,7 @@ include <tunables/global>
profile pipewire-media-session @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
include <abstractions/nameservice-strict>
@ -19,6 +20,16 @@ profile pipewire-media-session @{exec_path} {
network bluetooth stream,
network netlink raw,
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit1),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit1
member=MakeThreadRealtime
peer=(name=org.freedesktop.RealtimeKit1),
@{exec_path} mr,
/usr/share/alsa-card-profile/{,**} r,

2
apparmor.d/groups/freedesktop/plymouth-set-default-theme
View file

@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} {
/{usr/,}bin/grep rix,
/{usr/,}bin/plymouth rPx,
/etc/plymouth/{,*} r,
include if exists <local/plymouth-set-default-theme>
}

51
apparmor.d/groups/freedesktop/plymouthd Normal file
View file

@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/plymouthd
profile plymouthd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-common>
capability sys_admin,
capability sys_tty_config,
network netlink raw,
signal (send) peer=unconfined,
unix type=stream addr="@/org/freedesktop/plymouthd",
unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),
@{exec_path} mr,
/usr/share/plymouth/{,**} r,
/etc/default/keyboard r,
/etc/plymouth/plymouthd.conf r,
/etc/vconsole.conf r,
@{run}/udev/data/+drm:* r,
@{run}/udev/data/c226:* r,
@{run}/udev/data/c29:* r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/graphics/ r,
@{sys}/devices/pci[0-9]*/**/{,uevent} r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/acpi/bgrt/{,*} r,
@{PROC}/cmdline r,
/dev/ptmx rw,
/dev/tty[0-9]* rw,
include if exists <local/plymouthd>
}

10
apparmor.d/groups/freedesktop/polkit-agent-helper
View file

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
profile polkit-agent-helper @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
include <abstractions/consoles>
@ -28,6 +29,14 @@ profile polkit-agent-helper @{exec_path} {
signal (receive) set=(term, kill) peer=gnome-shell,
signal (receive) set=(term, kill) peer=pkexec,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=AuthenticationAgentResponse2,
@{exec_path} mr,
# file_inherit
@ -35,7 +44,6 @@ profile polkit-agent-helper @{exec_path} {
owner @{HOME}/.xsession-errors w,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
include if exists <local/polkit-agent-helper>
}

32
apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,14 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
profile polkit-mate-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
signal (send) set=(term, kill) peer=polkit-agent-helper,
@ -24,25 +26,19 @@ profile polkit-mate-authentication-agent @{exec_path} {
/{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/.Xauthority r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/** r,
# file_inherit
owner /dev/tty[0-9]* rw,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/polkit-mate-authentication-agent>
}

35
apparmor.d/groups/freedesktop/polkitd
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,24 +11,28 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkitd
profile polkitd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability setuid,
capability setgid,
capability setuid,
capability sys_nice,
capability sys_ptrace,
audit deny capability net_admin,
audit capability net_admin,
ptrace (read),
@{exec_path} mr,
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*},
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
dbus bind bus=system
name=org.freedesktop.PolicyKit[0-9],
@{exec_path} mr,
/etc/machine-id r,
@ -52,7 +56,14 @@ profile polkitd @{exec_path} {
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
# Silencer
deny /.cache/ rw,

148
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -14,9 +15,13 @@ profile pulseaudio @{exec_path} {
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/gstreamer>
include <abstractions/hosts_access>
include <abstractions/nameservice-strict>
include <abstractions/X-strict>
ptrace (trace) peer=@{profile_name},
@ -29,65 +34,20 @@ profile pulseaudio @{exec_path} {
network bluetooth stream,
network bluetooth seqpacket,
@{exec_path} mrix,
dbus (send)
bus=session
path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member={GetState,AddService,AddServiceSubtype,Commit}
peer=(name=org.freedesktop.Avahi),
/{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
dbus (receive)
bus=session
path=/Client0/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member=StateChanged
peer=(name=org.freedesktop.Avahi),
# PulseAudio files
/usr/share/pulseaudio/{,**} r,
/{usr/,}lib/pulse-*/modules/*.so mr,
# PulseAudio home config files
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
# Needed when PulseAudio is started via the start-pulseaudio-x11 script
owner @{HOME}/.Xauthority r,
# Needed when PulseAudio is started via gdm
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
owner @{HOME}/.ICEauthority r,
# TCP wrap
/etc/hosts.{allow,deny} r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]/meminfo r,
deny @{sys}/module/apparmor/parameters/enabled r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/ICEauthority r,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# DBus
dbus (send)
bus=session
path=/org/freedesktop/DBus
@ -138,15 +98,47 @@ profile pulseaudio @{exec_path} {
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=org.bluez),
dbus (send)
bus=system
path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,EntryGroupNew}
peer=(name=org.freedesktop.Avahi),
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
owner @{run}/user/@{uid}/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
#owner /tmp/orcexec.* mrw,
dbus (receive)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus (send)
bus=system
path=/
interface=org.freedesktop.hostname[0-9]
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
@{exec_path} mrix,
/{usr/,}@{libexec}/pulse/gsettings-helper mrix,
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
/{usr/,}lib/pulse-*/modules/*.so mr,
/usr/share/applications/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/pulseaudio/{,**} r,
/usr/share/ubuntu/applications/{,*} r,
/var/lib/snapd/desktop/applications/ r,
# For GDM
owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
@ -164,13 +156,33 @@ profile pulseaudio @{exec_path} {
owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k,
owner @{user_config_dirs}/pulse/{,**} rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/pulse/{,*} rw,
owner @{run}/user/@{uid}/pulse/*.lock k,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/systemd/users/@{uid} r,
@{run}/udev/data/+sound* r,
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/{uevent,pcm_class} r,
@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
deny @{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/cmdline r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
# Snap
/var/lib/snapd/desktop/applications/ r,
/usr/{local/,}share/ubuntu/applications/{,*} r,
include if exists <local/pulseaudio>
}

13
apparmor.d/groups/freedesktop/update-desktop-database
View file

@ -24,12 +24,15 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
/usr/share/*/*.desktop r,
/var/lib/flatpak/exports/share/applications/{,**/} r,
/var/lib/flatpak/exports/share/applications/**.desktop r,
/var/lib/flatpak/exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache w,
/var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
/var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
/var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
/var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
/var/lib/flatpak/app/**/export/share/applications/**.desktop r,
/var/lib/snapd/desktop/applications/{,**/} r,
/var/lib/snapd/desktop/applications/**.desktop r,
/var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
/var/lib/snapd/desktop/applications/mimeinfo.cache w,
# Inherit silencer
deny network inet6 stream,

2
apparmor.d/groups/freedesktop/upower
View file

@ -11,7 +11,7 @@ profile upower @{exec_path} {
include <abstractions/base>
# Needed?
deny capability sys_nice,
audit capability sys_nice,
@{exec_path} mr,

60
apparmor.d/groups/freedesktop/upowerd
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -10,36 +11,42 @@ include <tunables/global>
@{exec_path} += @{libexec}/upowerd
profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.{DBus.Properties,UPower*},
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.DBus.Properties
member={PropertiesChanged,GetAll},
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member={SessionNew,SessionRemoved,PrepareForShutdown},
dbus bind bus=system
name=org.freedesktop.UPower,
@{exec_path} mr,
# UPower config file
/etc/UPower/ r,
/etc/UPower/UPower.conf r,
# The history data for the power device
/var/lib/upower/ r,
/var/lib/upower/history-*.dat{,.*} rw,
# Are all of these needed? (#FIXME#)
/dev/input/event* r,
@{sys}/bus/hid/devices/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@{sys}/devices/platform/**/leds/**/brightness rw,
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
@{run}/udev/data/ r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+input* r,
@ -48,5 +55,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{sys}/bus/hid/devices/ r,
@{sys}/class/input/ r,
@{sys}/class/leds/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/ r,
@{sys}/devices/**/capabilities/* r,
@{sys}/devices/**/power_supply/**/* r,
@{sys}/devices/**/uevent r,
@{sys}/devices/platform/**/leds/**/brightness rw,
@{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
@{sys}/devices/platform/**/leds/**/max_brightness r,
@{sys}/devices/virtual/dmi/id/product_name r,
/dev/input/event* r,
include if exists <local/upowerd>
}

Some files were not shown because too many files have changed in this diff Show more