diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4c5418db..7291de6a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -50,7 +50,7 @@ tests: archlinux: stage: build - image: registry.gitlab.com/archlex/packages/builders/arch + image: registry.gitlab.com/archlex/packages/builders/archlinux script: - sudo pacman -Syu --noconfirm --noprogressbar lsb-release - makepkg -s --noconfirm --noprogressbar diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9fe8cd57..c65cda9f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -30,6 +30,17 @@ in this page all the useful information needed to contribute. you'll see a Compare & pull request button, fill and submit the pull request. +## Projects rules + +A few rules: +1. As these are mandatory access control policies only what it explicitly required + should be authorized. Meaning, you should not allow everything (or a large area) + and blacklist some sub area. +2. A profile **should not break a normal usage of the confined software**. It can + be complex as simply running the program for your own use case is not alway + exhaustive of the program features and required permissions. + + ## Add a profile 1. To add a new profile `foo`, add the file `foo` in `apparmor.d/profile-a-f`. 
@@ -64,36 +75,65 @@ profile foo @{exec_path} { ## Profile Guidelines -In order to ensure a common structure across the profiles, all new profile should try to follow the guideline presented here. +> This profile guideline is still evloving, feel free to propose improvment -The rules in the profile should be sorted as follow: +In order to ensure a common structure across the profiles, all new profile should +try to follow the guideline presented here. + +The rules in the profile should be sorted as follow: - include - capability +- network +- mount +- remount +- umount - ptrace - signal -- network -- mount +- unix +- dbus (send, receive) send receice - @{exec_path} mr, - The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`... - The shared resources: `/usr/share`... - The system configuration: `/etc`... +- The system data: `/var`... - The user data: `owner @{HOME}/`... -- The user configuration (all dotfiles) +- The user configuration, cache and in general all dotfiles - Temporary data: `/tmp/`, `@{run}/`... - Sys files: `@{sys}/`... - Proc files: `@{PROC}/`... - Dev files: `/dev/`... +- Deny rules: `deny`... +- Local include **Other rules** * Do not use: `/usr/lib` or `/usr/bin` but `/{usr/,}bin/` or `/{usr/,}lib/`. +* Do not use: `/usr/sbin` or `/sbin` but `/{usr/,}{s,}bin/`. * Always use the apparmor variables. * In a rule block, the rule shall be alphabetically sorted. -* When some file access share similar purpose, they shall be sorted together. Eg: - ``` - /etc/machine-id r, - /var/lib/dbus/machine-id r, - ``` +* Subprofile should comes at the end of a profile. +* When some file access share similar purpose, they may be sorted together. Eg: + ``` + /etc/machine-id r, + /var/lib/dbus/machine-id r, + ``` + +The included tool `aa-log` can be useful to explore the apparmor log + +## Abstraction + +This project and the apparmor profile official project provide a large selection +of abstraction to be included in profiles. They should be used. 
+ +For instance, instead of writting: +```sh +owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, +``` +to allow download directory access, you should write + +```sh +include +``` ## AppArmor variables @@ -119,10 +159,11 @@ The rules in the profile should be sorted as follow: **Additional variables available with this project:** * Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt` +* Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*` * Extended XDG user directories: - Projects: `@{XDG_PROJECTS_DIR}="Projects"` - Books: `@{XDG_BOOKS_DIR}="Books"` - - Wallpapers: `@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"` + - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"` - Sync: `@{XDG_SYNC_DIR}="Sync"` - Vm: `@{XDG_VM_DIR}=".vm"` - SSH: `@{XDG_SSH_DIR}=".ssh"` diff --git a/README.md b/README.md index d20438db..51f6a276 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,8 @@ ## Description -A set of over 1000 AppArmor profiles which aims is to confine most of Linux base applications and processes. +A set of over 1200 AppArmor profiles which aims is to confine most of Linux base +applications and processes. **Goals & Purpose** - Support all distributions that support AppArmor: @@ -47,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it * An `apparmor` based linux distribution. * Base profiles and abstractions shipped with AppArmor are supposed to be installed. +* Go (build dependency only) +* rsync (build dependency only) **Archlinux** 
@@ -58,17 +61,18 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ --overwrite etc/apparmor.d/tunables/xdg-user-dirs ``` -> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) +> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) **Debian** Build using standard Debian package build tools: ```sh +sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync dpkg-buildpackage -b -d --no-sign -sudo dpkg --install ../apparmor.d_*_all.deb +sudo dpkg -i ../apparmor.d_*_all.deb ``` -> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) +> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) **Partial install** @@ -131,7 +135,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r **AppArmor configuration** As they are a lot of rules, it is recommended to enable caching AppArmor profiles. -In `/etc/apparmor/parser.conf`, uncomment `write-cache`. +In `/etc/apparmor/parser.conf`, uncomment `write-cache` and `Optimize=compress-fast`. See [Speed up AppArmor Start] on the Arch Wiki for more information. @@ -176,9 +180,9 @@ AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with `aa- **System Recovery** -Issue in some core profiles like the systemd tools, or the desktop environment +Issue in some core profiles like the systemd suite, or the desktop environment can fully break your system. This should not happen a lot, but if it does here -is the procces to recover your system on Archlinux: +is the process to recover your system on Archlinux: 1. Boot from a Archlinux live USB 1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/ vg0` 1. Mount your root partition: `mount /dev/ /mnt` 
@@ -253,3 +257,4 @@ with this program; if not, write to the Free Software Foundation, Inc., [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles +[write xor execute]: https://en.wikipedia.org/wiki/W%5EX diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict new file mode 100644 index 00000000..7294daab --- /dev/null +++ b/apparmor.d/abstractions/X-strict @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # The unix socket to use to connect to the display + unix (connect, receive, send) + type=stream + peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (connect, receive, send) + type=stream + peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", + unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + /tmp/.X11-unix/* rw, + /tmp/.ICE-unix/* rw, + + # Available Xsessions + /usr/share/xsessions/{,*.desktop} r, + + # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, + owner @{run}/user/@{uid}/ICEauthority r, + + # Xauthority files required for X connections, per user + owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, + owner @{run}/user/@{uid}/X11/Xauthority r, + owner @{run}/user/@{uid}/xauth_* r, + + # Xwayland + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + + include if exists diff --git a/apparmor.d/abstractions/X.d/complete b/apparmor.d/abstractions/X.d/complete index f3777e71..19f4b967 100644 --- a/apparmor.d/abstractions/X.d/complete +++ b/apparmor.d/abstractions/X.d/complete 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Available Xsessions diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index c5e2f6a2..0d3c8e5f 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -1,13 +1,16 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , # Root app location - / r, - /usr/ r, - /{usr/,}{s,}bin/ r, - /{usr/,}{s,}bin/[a-z0-9]* rPUx, + / r, + /usr/ r, + /{usr/,}{s,}bin/ r, + /{usr/,}{s,}bin/[a-z0-9]* rPUx, + /usr/local/{s,}bin/ r, + /usr/local/{s,}bin/[a-zA-Z0-9]* rPUx, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index a1f16248..7bf9094c 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -1,14 +1,17 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , # User app location - / r, - /usr/ r, - /{usr/,}bin/ r, - /{usr/,}bin/[a-zA-Z0-9]* rPUx, + / r, + /usr/ r, + /{usr/,}bin/ r, + /{usr/,}bin/[a-zA-Z0-9]* rPUx, + /usr/local/bin/ r, + /usr/local/bin/[a-zA-Z0-9]* rPUx, # Firefox /{usr/,}lib/ r, diff --git a/apparmor.d/abstractions/audio.d/complete b/apparmor.d/abstractions/audio.d/complete index e05e79b8..251063f6 100644 --- a/apparmor.d/abstractions/audio.d/complete +++ b/apparmor.d/abstractions/audio.d/complete 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /usr/share/sounds/ r, diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ab5e6ab9..39988d60 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -1,20 +1,21 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/writable/localtime r, /usr/share/locale/ r, # Allow to receive some signals - signal (receive) peer=top, signal (receive) peer=htop, + signal (receive) peer=sudo, + signal (receive) peer=top, + signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,cont) peer=systemd, signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown, + signal (receive) set=(term,kill) peer=gnome-shell, signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=su, - signal (receive) peer=sudo, ptrace (readby) peer=systemd-coredump, diff --git a/apparmor.d/abstractions/chromium-common b/apparmor.d/abstractions/chromium-common index a9c26ac5..f37182d7 100644 --- a/apparmor.d/abstractions/chromium-common +++ b/apparmor.d/abstractions/chromium-common @@ -39,3 +39,5 @@ owner @{HOME}/.pki/nssdb/pkcs11.txt rw, owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete new file mode 100644 index 00000000..2bb0b4a8 --- /dev/null 
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", + unix (bind, listen) type=stream addr="@/tmp/dbus-*", + + unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"), + + owner @{run}/user/@{uid}/at-spi/ rw, + owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write new file mode 100644 index 00000000..348eb6c9 --- /dev/null +++ b/apparmor.d/abstractions/dconf-write @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Permissions for querying dconf settings with write access; use the dconf +# abstraction first, and dconf-write only for specific application's profile. + + /etc/dconf/** r, + + owner @{user_config_dirs}/dconf/user r, + + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + + include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 3e58794d..178f9fa7 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -7,6 +7,8 @@ # The /sys/ entries probably should be tightened /dev/ r, + /dev/block/ r, + /dev/disk/{,*/} r, # Regular disk/partition devices /dev/{s,v}d[a-z]* rk, 
@@ -35,14 +37,46 @@ # LUKS/LVM (device-mapper) devices /dev/dm-[0-9]* rk, + /dev/mapper/{,*} r, @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, + # ZFS devices + /dev/zd[0-9]* rk, + /dev/zvol/{,*/} r, + /dev/*pool/ r, + @{sys}/devices/virtual/block/zd[0-9]*/ r, + @{sys}/devices/virtual/block/zd[0-9]*/** r, + # ZRAM devices /dev/zram[0-9]* rk, @{sys}/devices/virtual/block/zram[0-9]*/ r, @{sys}/devices/virtual/block/zram[0-9]*/** r, + # Armbian / DietPi + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/} r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/ r, + @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/ r, + @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/ r, + @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type r, + @{sys}/devices/virtual/block/ram[0-9]*/ r, + @{sys}/devices/virtual/block/ram[0-9]*/hidden r, + @{sys}/devices/virtual/block/ram[0-9]*/dev r, + @{sys}/devices/virtual/block/ram[0-9]*/size r, + @{sys}/devices/virtual/block/ram[0-9]*/ro r, + @{sys}/devices/virtual/block/ram[0-9]*/removable r, + @{sys}/devices/virtual/block/ram[0-9]*/holders/ r, + @{sys}/devices/virtual/block/ram[0-9]*/slaves/ r, +# investigate +# /dev/ram[0-9]* r, + # CD-ROM /dev/sr[0-9]* rk, 
@@ -57,27 +91,15 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b24[0-9]:[0-9]* r, + @{run}/udev/data/b25[0-4]:[0-9]* r, @{run}/udev/data/b259:[0-9]* r, - @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* - @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* + @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* + @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol* @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/c189:[0-9]* r, # for 
/dev/bus/usb/** diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ec836de5..fd5c7b73 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -39,6 +39,11 @@ @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, + # ZFS devices + /dev/zd[0-9]* rwk, + @{sys}/devices/virtual/block/zd[0-9]*/ r, + @{sys}/devices/virtual/block/zd[0-9]*/** r, + # ZRAM devices /dev/zram[0-9]* rwk, @{sys}/devices/virtual/block/zram[0-9]*/ r, 
@@ -63,28 +68,16 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b24[0-9]:[0-9]* r, + @{run}/udev/data/b25[0-4]:[0-9]* r, @{run}/udev/data/b259:[0-9]* r, - @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* - @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* - @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* @{run}/udev/data/b2:[0-9]* r, # for /dev/fd* + @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol* + @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + 
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 77a045e6..b580e611 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only owner @{HOME}/.icons/default/index.theme r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 24f187ac..103ac89a 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # abstract path in ibus < 1.5.22 uses /tmp @@ -16,3 +16,7 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*"), + + unix (connect, send, receive, accept, bind, listen) + type=stream + addr="@/home/*/.cache/ibus/dbus-*", diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc index 5549fb8c..f925ac27 100644 --- a/apparmor.d/abstractions/libvirt-lxc +++ b/apparmor.d/abstractions/libvirt-lxc @@ -3,7 +3,9 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # allow receiving signals from libvirtd + include + + # Allow receiving signals from libvirtd signal (receive) peer=libvirtd, umount, @@ -119,4 +121,4 @@ deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, - include if exists + include if exists \ No newline at end of file 
diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index d238fc24..26acd605 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -1,8 +1,12 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) Libvirt Team -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + include + include + include + # required for reading disk images capability dac_override, capability dac_read_search, @@ -251,5 +255,4 @@ owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, - # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists diff --git a/apparmor.d/abstractions/lxc/start-container b/apparmor.d/abstractions/lxc/start-container index 9b9bdd43..9e2e8f2e 100644 --- a/apparmor.d/abstractions/lxc/start-container +++ b/apparmor.d/abstractions/lxc/start-container @@ -11,7 +11,7 @@ # currently blocked by apparmor bug mount -> /usr/lib*/*/lxc/{**,}, mount -> /usr/lib*/lxc/{**,}, - mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**}, + mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**}, mount fstype=devpts -> /dev/pts/, mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, mount options=bind /dev/pts/** -> /dev/**, diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 7c6f49e3..a0306e00 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict 
@@ -1,24 +1,30 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - /etc/hosts r, - /etc/host.conf r, - /etc/resolv.conf r, + @{etc_ro}/default/nss r, + @{etc_ro}/gai.conf r, + @{etc_ro}/group r, + @{etc_ro}/host.conf r, + @{etc_ro}/hosts r, + @{etc_ro}/nsswitch.conf r, + @{etc_ro}/passwd r, + @{etc_ro}/protocols r, + @{etc_ro}/resolv.conf r, + @{etc_ro}/services r, + @{run}/systemd/resolve/stub-resolv.conf r, - /etc/nsswitch.conf r, - /etc/passwd r, - /etc/gai.conf r, - /etc/group r, - /etc/protocols r, - /etc/default/nss r, - /etc/services r, # NSS records from systemd-userdbd.service @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users + @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs + @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined + @{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS @{PROC}/sys/kernel/random/boot_id r, include if exists diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index bef2e478..b5427859 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete 
@@ -1,11 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + /{usr/,}bin/ r, + /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r, - /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r, + /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/{,**/} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so} mr, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth} r, diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor deleted file mode 100644 index a6719b95..00000000 --- a/apparmor.d/abstractions/tor +++ /dev/null @@ -1,33 +0,0 @@ -# vim:syntax=apparmor - - include - include - include - - network tcp, - network udp, - - capability chown, - capability dac_read_search, - capability fowner, - capability fsetid, - capability setgid, - capability setuid, - - /usr/bin/tor r, - /usr/sbin/tor r, - - # Needed by obfs4proxy - /proc/sys/net/core/somaxconn r, - - /proc/sys/kernel/random/uuid r, - /sys/devices/system/cpu/ r, - /sys/devices/system/cpu/** r, - - /etc/tor/* r, - /usr/share/tor/** r, - - /usr/bin/obfsproxy PUx, - /usr/bin/obfs4proxy Pix, - - include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index e6dc6e8f..0f4d183e 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict 
@@ -4,14 +4,11 @@ abi , - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r, - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl, - - owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r, - owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl, + owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**, + + owner @{user_download_dirs}/ r, + owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**, # For SSHFS mounts (without owner as files in such mounts can be owned by different users) @{HOME}/mount-sshfs/ r, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index cc648448..911cc288 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read 
@@ -2,20 +2,23 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r, - owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, - owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r, - owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r, - owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, +# Give read access on all defined user directories. It should only be used if +# access to ALL folders is required. - owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r, + + owner @{user_books_dirs}/{,**} r, + owner @{user_documents_dirs}/{,**} r, + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_projects_dirs}/{,**} r, + owner @{user_publicshare_dirs}/{,**} r, + owner @{user_sync_dirs}/{,**} r, + owner @{user_templates_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete index 0ffe6622..21c2fdc8 100644 --- a/apparmor.d/abstractions/user-write.d/complete +++ b/apparmor.d/abstractions/user-write.d/complete 
@@ -2,17 +2,12 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_music_dirs}/{,**} rwl, + owner @{user_pictures_dirs}/{,**} rwl, + owner @{user_projects_dirs}/{,**} rwl, + owner @{user_videos_dirs}/{,**} rwl, diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 2d5c3dea..43bb91c9 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio index f4c7913d..ca89ccec 100644 --- a/apparmor.d/groups/apps/android-studio +++ b/apparmor.d/groups/apps/android-studio 
@@ -6,8 +6,8 @@ abi , include -@{AS_LIBDIR} = @{MOUNTS}/*/android-studio -@{AS_SDKDIR} = @{MOUNTS}/*/SDK +@{AS_LIBDIR} = @{MOUNTS}/android-studio +@{AS_SDKDIR} = @{MOUNTS}/SDK @{AS_HOMEDIR} = @{HOME}/.AndroidStudio* @{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index 13afe288..cea565a1 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom profile atom @{exec_path} { include + include include include include @@ -86,18 +87,14 @@ profile atom @{exec_path} { # Git dirs / r, @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/atom/ r, - owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**, + owner @{MOUNTS}/ r, + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_config_dirs}/git/config r, /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or atom gets crash with the following error: diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index daf63e0a..08767209 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -75,12 +75,8 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, - owner @{HOME}/@{XDG_BOOKS_DIR} rw, - owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl, - - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r, - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw, - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**, + owner @{user_books_dirs} rw, + owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index e2bd477c..af1b4d05 100644 --- a/apparmor.d/groups/apps/code 
+++ b/apparmor.d/groups/apps/code @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code profile code @{exec_path} { include + include include include include @@ -63,18 +64,11 @@ profile code @{exec_path} { owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**, # Git dirs - / r, - @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/code/ r, - owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**, + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or code gets crash with the following error: diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla index 85ea3cf7..ac97ac6e 100644 --- a/apparmor.d/groups/apps/filezilla +++ b/apparmor.d/groups/apps/filezilla @@ -56,8 +56,8 @@ profile filezilla @{exec_path} { /{usr/,}lib/firefox/firefox rPUx, # FTP share folder - owner @{MOUNTS}/*/ftp/ r, - owner @{MOUNTS}/*/ftp/** rw, + owner @{MOUNTS}/ftp/ r, + owner @{MOUNTS}/ftp/** rw, # Silencer / r, diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube index 2cafcf3f..17512fec 100644 --- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/groups/apps/freetube @@ -15,6 +15,7 @@ include profile freetube @{exec_path} { include include + include include include include @@ -67,10 +68,6 @@ profile freetube @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs} r, diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 943b9811..00fa0bcd 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop 
@@ -12,6 +12,7 @@ include profile telegram-desktop @{exec_path} { include include + include include include include @@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Needed when saving files as, or otherwise the app crashes /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index 55756ea3..362c1be4 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird @@ -17,6 +17,7 @@ include profile thunderbird @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e354e6ed..02cfe59a 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -1,19 +1,22 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get +@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd profile apt @{exec_path} flags=(attach_disconnected) { include include + include include include include + include + include capability chown, capability dac_override, 
@@ -24,15 +27,46 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability net_admin, capability setgid, capability setuid, + capability sys_nice, signal (send) peer=apt-methods-*, + unix (receive, send) type=stream peer=(label=apt-esm-json-hook), + + dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*} + interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}}, + + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.{DBus.Introspectable,PackageKit} + member={StateHasChanged,Introspect} + peer=(name=org.freedesktop.PackageKit), + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit + peer=(name=org.freedesktop.login[0-9]), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus{,.Introspectable} + member={RequestName,GetConnectionUnixProcessID,Introspect} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority} + member={CheckAuthorization,Introspect}, + + dbus bind bus=system + name= org.debian.apt, + @{exec_path} mr, + /{usr/,}{s,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/echo rix, /{usr/,}bin/gdbus rix, + /{usr/,}bin/ischroot rix, /{usr/,}bin/test rix, /{usr/,}bin/touch rix, 
@@ -45,81 +79,95 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/apt-show-versions rPx, /{usr/,}bin/debtags rPx, + /{usr/,}bin/df rPx, + /{usr/,}bin/dmesg rPx, /{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg-source rcx -> dpkg-source, /{usr/,}bin/etckeeper rPx, /{usr/,}bin/ps rPx, + /{usr/,}bin/snap rPUx, + /{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, - /{usr/,}lib/update-notifier/update-motd-updates-available rPx, - /usr/share/command-not-found/cnf-update-db rPx, - - # Methods to use to download packages from the net - /{usr/,}lib/apt/methods/* rPx, - - /var/lib/apt/lists/** rw, - /var/lib/apt/lists/lock rwk, - /var/lib/apt/extended_states{,.*} rw, - - /var/log/apt/eipp.log.xz w, - /var/log/apt/{term,history}.log w, # For building the source after the download process is finished (apt-get source --compile) - /{usr/,}bin/dpkg-buildpackage rPUx, + /{usr/,}bin/dpkg-buildpackage rPUx, + + # Methods to use to download packages from the net + /{usr/,}lib/apt/methods/* rPx, + + # Ubuntu specificities + /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, + /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, + /{usr/,}lib/update-notifier/update-motd-updates-available rPx, + /usr/share/command-not-found/cnf-update-db rPx, # For editing the sources.list file - /etc/apt/sources.list rwk, /{usr/,}bin/sensible-editor rCx -> editor, /{usr/,}bin/vim.* rCx -> editor, # For changelogs - /tmp/apt-changelog-*/ w, - owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, - /tmp/apt-changelog-*/*.changelog w, - /{usr/,}bin/sensible-pager rCx -> pager, + /{usr/,}bin/sensible-pager rCx -> pager, - /var/lib/dpkg/** r, - /var/lib/dpkg/lock{,-frontend} rwk, + /usr/share/xml/iso-codes/{,**} r, - owner @{PROC}/@{pid}/fd/ r, - - /dev/ptmx rw, - - /var/lib/dbus/machine-id r, + /etc/apt/sources.list rwk, /etc/machine-id r, - - /tmp/ r, - owner /tmp/apt.conf.* rw, - owner /tmp/apt.data.* rw, - owner /tmp/apt-dpkg-install-*/ rw, 
- owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, + /var/lib/dbus/machine-id r, /var/cache/apt/ r, /var/cache/apt/** rwk, + /var/crash/{,*.@{uid}.crash} rw, + + /var/lib/apt/extended_states{,.*} rw, + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/periodic/update-success-stamp rw, + /var/lib/dpkg/** r, + /var/lib/dpkg/lock{,-frontend} rwk, + /var/lib/update-notifier/dpkg-run-stamp rw, + + /var/log/apt/{,**} rw, + # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + /tmp/ r, + /tmp/apt-changelog-*/ w, + /tmp/apt-changelog-*/*.changelog w, + owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, + owner /tmp/apt-dpkg-install-*/ rw, + owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, + owner /tmp/apt.conf.* rw, + owner /tmp/apt.data.* rw, + + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + /dev/ptmx rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, profile editor flags=(complain) { include include - /{usr/,}bin/sensible-editor mr, - /{usr/,}bin/vim.* mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - - owner @{HOME}/.selected_editor r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sensible-editor mr, + /{usr/,}bin/vim.* mrix, + /{usr/,}bin/which{,.debianutils} rix, /usr/share/vim/{,**} r, - /etc/vim/{,**} r, - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, /etc/apt/sources.list rw, + /etc/vim/{,**} r, + + owner @{HOME}/.viminfo{,.tmp} rw, + owner @{HOME}/.selected_editor r, + owner @{HOME}/.fzf/plugin/ r, + owner @{HOME}/.fzf/plugin/fzf.vim r, } 
@@ -129,40 +177,37 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - /{usr/,}bin/ r, - /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/less rix, + /{usr/,}bin/sensible-pager mr, + /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/less rix, + /root/ r, # For shell pwd owner @{HOME}/.less* rw, owner /tmp/apt-changelog-*/ r, owner /tmp/apt-changelog-*/*.changelog r, - # For shell pwd - /root/ r, - } profile dpkg-source flags=(complain) { include - include include + include /{usr/,}bin/dpkg-source mr, /{usr/,}bin/perl r, - /{usr/,}bin/tar rix, /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/chmod rix, /{usr/,}bin/gunzip rix, /{usr/,}bin/gzip rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/patch rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/xz rix, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 5a47c906..d1205544 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,23 +10,23 @@ include @{exec_path} = /{usr/,}bin/apt-cache profile apt-cache @{exec_path} { include - include include + include @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/cache/apt/ r, /var/cache/apt/** rwk, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index dd703329..48c0f8af 100644 
--- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -9,8 +9,8 @@ include @{exec_path} = /{usr/,}bin/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include include + include capability dac_read_search, @@ -21,6 +21,8 @@ profile apt-cdrom @{exec_path} flags=(complain) { /{usr/,}bin/mount rCx -> mount, /{usr/,}bin/umount rCx -> umount, + /etc/fstab r, + # Are all of these needed? (#FIXME#) @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @@ -29,8 +31,6 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{sys}/devices/**/uevent r, @{run}/udev/data/* r, - /etc/fstab r, - # For cd-roms /media/cdrom[0-9]/ r, /media/cdrom[0-9]/**/ r, @@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) { /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, # For pendrives - @{MOUNTS}/*/*/ r, - @{MOUNTS}/*/*/**/ r, - @{MOUNTS}/*/*/.disk/info r, - @{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r, - @{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r, + @{MOUNTS}/ r, + @{MOUNTS}/**/ r, + @{MOUNTS}/.disk/info r, + @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, + @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, /var/lib/apt/lists/** rw, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index bd3d7df8..256d0883 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,13 +10,15 @@ include @{exec_path} = /{usr/,}bin/apt-config profile apt-config @{exec_path} { include - include include + include @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, + owner /tmp/tmp*/apt.conf r, + owner @{PROC}/@{pid}/fd/ r, include if exists 
diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 49c8253e..d12e7816 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -16,15 +17,17 @@ profile apt-extracttemplates @{exec_path} { /{usr/,}bin/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/ r, - /var/cache/apt/ r, /var/cache/apt/** rwk, - owner /tmp/*.{config,template}.?????? rw, - # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + owner /tmp/*.{config,template}.?????? rw, + + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 215eb3a6..727e3f3c 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -25,13 +26,13 @@ profile apt-file @{exec_path} { /etc/apt/apt-file.conf r, - owner @{PROC}/@{pid}/fd/ r, - # For shell pwd /root/ r, # file_inherit /var/log/cron-apt/temp w, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 0641c9bc..c9061155 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +10,8 @@ include @{exec_path} = /{usr/,}bin/apt-forktracer profile apt-forktracer @{exec_path} { include - include include + include @{exec_path} mr, @@ -19,21 +20,20 @@ profile apt-forktracer @{exec_path} { /{usr/,}bin/apt-cache rPx, /usr/share/apt-forktracer/{,**} r, + /usr/share/distro-info/debian.csv r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, /var/lib/apt/lists/ r, /var/lib/apt/lists/*_InRelease r, /var/cache/apt/pkgcache.bin{,.*} rw, - /usr/share/distro-info/debian.csv r, - - owner @{PROC}/@{pid}/fd/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - /etc/dpkg/origins/debian r, /etc/debian_version r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 2ba7e898..f0f79875 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -14,21 +15,21 @@ profile apt-key @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cmp rix, + /{usr/,}bin/comm rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/find rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/find rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, /{usr/,}bin/sort rix, - /{usr/,}bin/comm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/id rix, + /{usr/,}bin/touch rix, /{usr/,}bin/tr rix, /{usr/,}bin/uniq rix, /{usr/,}bin/wc rix, @@ -73,6 +74,11 @@ profile apt-key @{exec_path} { /{usr/,}bin/gpg-agent rix, /{usr/,}bin/gpg-connect-agent rix, + /usr/share/gnupg/sks-keyservers.netCA.pem r, + + /etc/hosts r, + /etc/inputrc r, + /etc/apt/.#lk0x[a-f0-9]*.@{pid} rw, /etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid}, /etc/apt/trusted.gpg{,~,.tmp} rw, @@ -86,18 +92,13 @@ profile apt-key @{exec_path} { owner /tmp/apt-key-gpghome.*/ rw, owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, + owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w, + + owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /usr/share/gnupg/sks-keyservers.netCA.pem r, - - /etc/hosts r, - /etc/inputrc r, - - # File_inherit - owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w, - } include if exists diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7f27b7d8..6ed3835a 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http 
@@ -14,17 +14,15 @@ profile apt-methods-http @{exec_path} { include include - # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the - # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is - # used by APT to download packages, package list, and other things using APT methods as an - # unprivileged user/group (_apt/nogroup). capability setgid, capability setuid, - signal (receive) peer=apt, signal (receive) peer=apt-get, + signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=synaptic, + signal (receive) peer=unattended-upgrade, + signal (receive) peer=update-manager, network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index d6230d07..37bc7421 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/** r, - /usr/share/*/**.dpkg-divert.tmp w, + /usr/share/*/** w, /var/lib/dpkg/diversions rw, /var/lib/dpkg/diversions-new rw, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index bd958a39..79c4f042 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -35,6 +36,9 @@ profile dpkg-preconfigure @{exec_path} { owner /tmp/*.config.* rwPUx, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, + owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + @{run}/user/@{uid}/pk-debconf-socket rw, # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. include 
@@ -44,9 +48,7 @@ profile dpkg-preconfigure @{exec_path} { capability dac_read_search, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/hostname rix, - owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index 8cb2f05d..8a52dd1e 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -23,6 +23,7 @@ profile dpkg-query @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, + /dev/tty[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ac196d38..ad0867c9 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/reportbug profile reportbug @{exec_path} { include + include include include include @@ -63,10 +64,6 @@ profile reportbug @{exec_path} { /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/gpg rCx -> gpg, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # For sending additional information /etc/** r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 787333c6..b3ac117d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,10 +10,12 @@ include @{exec_path} = /{usr/,}bin/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include - include capability chown, capability dac_override, 
@@ -26,41 +29,64 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal (send) peer=apt-methods-http, + + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.PackageKit + member=StateHasChanged, + + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member={PropertiesChanged,GetAll}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=StateChanged, + @{exec_path} mr, /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/gdbus rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/test rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/uname rix, + /{usr/,}{s,}bin/dpkg-preconfigure rPx, /{usr/,}{s,}bin/on_ac_power rPx, /{usr/,}{s,}bin/sendmail rPUx, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/dpkg rPx, /{usr/,}bin/etckeeper rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/uname rix, /{usr/,}lib/apt/methods/http{,s} rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, + /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/distro-info/* r, - /usr/share/dpkg/*table r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, - /etc/apt/preferences.d/{,**} r, - /etc/apt/sources.list.d/{,**} r, /etc/machine-id r, /var/log/unattended-upgrades/*.log rw, - /var/lib/apt/extended_states r, - /var/lib/apt/lists/{,**} r, /var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, - /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, /var/cache/apt/{,**} 
rwk, @@ -74,9 +100,12 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/resolvconf/resolv.conf r, - owner /tmp/#[0-9]* rw, + owner /tmp/apt-dpkg-install-*/{,*} rw, owner @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + + /dev/ptmx rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index a8b0028b..0e9f43b9 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,11 +9,31 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include + include include include + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.{Introspectable,Properties} + member={Introspect,Get}, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=PrepareForShutdown, + @{exec_path} mr, + /{usr/,}bin/ischroot rix, + /usr/share/unattended-upgrades/{,*} r, /etc/apt/apt.conf.d/{,*} r, diff --git a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng deleted file mode 100644 index c4ceb489..00000000 --- a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng +++ /dev/null 
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Felix Geyer -# SPDX-License-Identifier: GPL-2.0-only - -@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng - -include - -profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { - include - include - include - include - - /etc/apt-cacher-ng/ r, - /etc/apt-cacher-ng/** r, - /etc/hosts.{deny,allow} r, - /usr/sbin/apt-cacher-ng mr, - - /var/lib/apt-cacher-ng/** r, - /{,var/}run/apt-cacher-ng/* rw, - @{APT_CACHER_NG_CACHE_DIR}/ r, - @{APT_CACHER_NG_CACHE_DIR}/** rwl, - /var/log/apt-cacher-ng/ r, - /var/log/apt-cacher-ng/* rw, - /{,var/}run/systemd/notify w, - - /{usr/,}bin/dash ixr, - /{usr/,}bin/ed ixr, - /{usr/,}bin/red ixr, - /{usr/,}bin/sed ixr, - - /usr/lib/apt-cacher-ng/acngtool ixr, - - # Allow serving local documentation - /etc/mime.types r, - /usr/share/doc/apt-cacher-ng/html/** r, - - # used by libevent - @{PROC}/sys/kernel/random/uuid r, - - include if exists -} diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 00541513..870bbd13 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,6 +14,7 @@ include profile brave @{exec_path} { include include + include include include include @@ -105,10 +106,6 @@ profile brave @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or Brave crash with the following error: diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/browsers/chrome-gnome-shell index 83947a43..2c1ac4ef 100644 --- a/apparmor.d/groups/browsers/chrome-gnome-shell +++ b/apparmor.d/groups/browsers/chrome-gnome-shell @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/chrome-gnome-shell profile chrome-gnome-shell @{exec_path} { include - include + include include include include 
@@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index d4c4e6bf..f1cfd87d 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -58,6 +58,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-desktop-menu rPx, + /{usr/,}bin/xdg-email rPx, /{usr/,}bin/xdg-icon-resource rPx, /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-open rCx -> open, @@ -106,9 +107,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, # owner @{HOME}/.mozilla/firefox/*/logins.json r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, owner /tmp/scoped_dir*/{,**} rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 3915d065..eee27864 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,7 +15,7 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include - include + include include include include 
@@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/tmp/ r, /tmp/ r, owner /tmp/* rw, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 68105d12..1359d53f 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -12,7 +12,7 @@ include @{exec_path} = /{usr/,}lib/firefox/crashreporter profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/mozilla/firefox/*.*/** r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /tmp/ r, /var/tmp/ r, owner /tmp/[0-9a-f]*.{dmp,extra} rw, diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 9727e24c..01e1bf9b 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -13,6 +13,7 @@ include @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer} profile opera @{exec_path} { include + include include include include @@ -83,10 +84,6 @@ profile opera @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or opera crashes with the following error: diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index de381ebc..ec863a5a 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon 
@@ -11,6 +11,9 @@ include profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include + include + include + include include capability audit_write, @@ -34,14 +37,18 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{libexec}/* rPUx, - /{usr/,}lib/ibus/ibus-* rPx, /{usr/,}bin/ r, - /{usr/,}bin/[a-z0-9]* rPUx, + @{libexec}/* rPUx, + /{usr/,}lib/ibus/ibus-* rPx, + /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, + # Xubuntu + /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx, + /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx, + + /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, /etc/dbus-1/{,**} r, - /etc/machine-id r, /usr/share/dbus-1/{,**} r, /usr/share/defaults/**.conf r, @@ -63,13 +70,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { owner /tmp/dbus-[0-9a-zA-Z]* rw, - owner @{run}/user/@{uid}/bus w, - owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/[0-9]*.ref rw, - @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{sys}/kernel/security/apparmor/.access rw, @@ -77,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index f9a2d8e2..2c02babd 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper 
@@ -18,10 +18,16 @@ profile dbus-daemon-launch-helper @{exec_path} { @{exec_path} mr, - /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, + /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx, + /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, + /{usr/,}lib/software-properties/software-properties-dbus rPx, + + /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, /usr/share/dbus-1/{,**} r, + /etc/dbus-1/{,**} r, + owner @{PROC}/@{pid}/oom_score_adj rw, include if exists diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 80b7e6f1..4becf5e7 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/dbus-run-session profile dbus-run-session @{exec_path} { include - include + include signal (receive) set=(term, kill, hup) peer=gdm*, signal (send) set=term peer=dbus-daemon, @@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/dconf/profile/gdm r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.cache/dconf/ rw, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 253deed0..baa8420c 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}bin/ibus-daemon profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include + include + include include signal (receive) set=(usr1) peer=gnome-shell, @@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/{,**} rw, owner @{user_cache_dirs}/ibus/{,**} rw, /var/lib/gdm{3,}/.config/ibus/{,**} rw, /var/lib/gdm{3,}/.cache/ibus/{,**} rw, 
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 131ec117..9e3ebd25 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -10,7 +10,7 @@ include @{exec_path} += @{libexec}/ibus-dconf profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include - include + include include signal (receive) set=term peer=ibus-daemon, @@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.cache/dconf/user rw, /var/lib/gdm/.config/dconf/user rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 39025957..eacefcd1 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=term peer=ibus-daemon, @@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 23f43557..893c7cf4 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 
@@ -10,10 +10,12 @@ include @{exec_path} += @{libexec}/ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} { include - include + include + include include include include + include include signal (receive) set=term peer=ibus-daemon, @@ -32,17 +34,10 @@ profile ibus-extension-gtk3 @{exec_path} { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.config/dconf/user r, include if exists diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index e13dc99c..29c689e9 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -9,14 +9,15 @@ include @{exec_path} = @{libexec}/ibus-memconf profile ibus-memconf @{exec_path} { include + include include @{exec_path} mr, + /etc/machine-id r, + /var/lib/gdm{3,}/.config/ibus/bus/ r, /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index ba452812..2438a72a 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -10,6 +10,8 @@ include @{exec_path} += @{libexec}/ibus-portal profile ibus-portal @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=(term, hup) peer=gdm*, 
@@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /var/lib/gdm/.config/ibus/bus/ r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, - owner @{user_config_dirs}/ibus/bus/ r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, owner /dev/tty[0-9]* rw, /dev/null rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index b36b22cf..ee1c9726 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -18,14 +19,14 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include + unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + @{exec_path} mr, - /etc/machine-id r, - /var/lib/dbus/machine-id r, + /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 21def9d2..3c77eca7 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,17 +7,18 @@ abi , include -@{exec_path} = /{usr/,}sbin/cron +@{exec_path} = /{usr/,}{s,}bin/cron profile cron @{exec_path} { include - include + include include + include include - capability setuid, - capability setgid, - capability dac_read_search, capability audit_write, + capability dac_read_search, + capability setgid, + capability setuid, capability sys_resource, network netlink raw, 
@@ -26,36 +27,21 @@ profile cron @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/nice rix, + /{usr/,}bin/ionice rix, + /{usr/,}bin/run-parts rPx, - /etc/crontab r, - - # All stuff that is executed via the /etc/cron.d/ dir - /etc/cron.d/{,*} r, - /{usr/,}sbin/cron-apt rPx, - /{usr/,}bin/debsecan rPx, /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - /{usr/,}sbin/e2scrub_all rPUx, - /etc/cron.daily/popularity-contest rPx, /{usr/,}lib/sysstat/debian-sa1 rPUx, - /{usr/,}{s,}bin/sendmail rPUx, - - # All stuff that is executed via the user crontab files - /{usr/,}bin/apt-file rPx, - /{usr/,}bin/apt-key rPx, - /{usr/,}bin/rsync rPUx, /usr/share/rsync/scripts/rrsync rPUx, - /{usr/,}bin/gpg rPx, - /{usr/,}sbin/update-pciids rPx, - /{usr/,}bin/borg rPx, + /usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY - # Cron scripts in the /etc/cron.*/ dir to execute - /{usr/,}bin/run-parts rCx -> run-parts, - - # Send results using email - /{usr/,}sbin/exim4 rPx, + /etc/cron.d/{,*} r, + /etc/crontab r, + /etc/default/locale r, + /etc/environment r, + /etc/security/limits.d/{,**} r, /var/spool/cron/crontabs/{,*} r, 
@@ -66,56 +52,7 @@ profile cron @{exec_path} { owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw, - - /etc/environment r, - - /etc/default/locale r, - - @{PROC}/1/limits r, - /etc/security/limits.d/ r, - - profile run-parts { - include - - /{usr/,}bin/run-parts mr, - - /etc/cron.{hourly,daily,weekly,monthly}/ r, - /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx, - /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, - /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx, - /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx, - /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, - /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, - /etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/man-db rPx, - /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, - /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, - /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx, - /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, - /etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx, - - #/etc/cron.{hourly,daily,weekly,monthly}/opera-browser rPUx, - #/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable} rPUx, - #/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx, - #/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} 
rPUx, - #/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx, - - # file_inherit - owner /tmp/#[0-9]*[0-9] rw, - - include if exists - } + @{PROC}/1/limits r, include if exists } diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron new file mode 100644 index 00000000..f4aa8d12 --- /dev/null +++ b/apparmor.d/groups/cron/cron-anacron @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/0anacron +profile cron-anacron @{exec_path} { + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{s,}bin/anacron rPx, + + include if exists +} diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport new file mode 100644 index 00000000..3c37534a --- /dev/null +++ b/apparmor.d/groups/cron/cron-apport @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apport +profile cron-apport @{exec_path} { + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/find rix, + /{usr/,}bin/rm rix, + + / r, + /var/crash/ r, + /var/crash/*.crash w, + + include if exists +} diff --git a/apparmor.d/groups/apt/cron-apt b/apparmor.d/groups/cron/cron-apt similarity index 100% rename from apparmor.d/groups/apt/cron-apt rename to apparmor.d/groups/cron/cron-apt diff --git a/apparmor.d/groups/apt/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat similarity index 100% rename from apparmor.d/groups/apt/cron-apt-compat rename to apparmor.d/groups/cron/cron-apt-compat 
diff --git a/apparmor.d/groups/apt/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs similarity index 100% rename from apparmor.d/groups/apt/cron-apt-listbugs rename to apparmor.d/groups/cron/cron-apt-listbugs diff --git a/apparmor.d/groups/apt/cron-apt-show-versions b/apparmor.d/groups/cron/cron-apt-show-versions similarity index 100% rename from apparmor.d/groups/apt/cron-apt-show-versions rename to apparmor.d/groups/cron/cron-apt-show-versions diff --git a/apparmor.d/groups/apt/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index similarity index 100% rename from apparmor.d/groups/apt/cron-apt-xapian-index rename to apparmor.d/groups/cron/cron-apt-xapian-index diff --git a/apparmor.d/groups/apt/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude similarity index 100% rename from apparmor.d/groups/apt/cron-aptitude rename to apparmor.d/groups/cron/cron-aptitude diff --git a/apparmor.d/groups/apt/cron-debsums b/apparmor.d/groups/cron/cron-debsums similarity index 100% rename from apparmor.d/groups/apt/cron-debsums rename to apparmor.d/groups/cron/cron-debsums diff --git a/apparmor.d/groups/apt/cron-debtags b/apparmor.d/groups/cron/cron-debtags similarity index 100% rename from apparmor.d/groups/apt/cron-debtags rename to apparmor.d/groups/cron/cron-debtags diff --git a/apparmor.d/groups/apt/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest similarity index 100% rename from apparmor.d/groups/apt/cron-popularity-contest rename to apparmor.d/groups/cron/cron-popularity-contest diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 22ea486e..6c761146 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
@@ -9,25 +9,50 @@ include @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon @{exec_path} += @{libexec}/accounts-daemon -profile accounts-daemon @{exec_path} { +profile accounts-daemon @{exec_path} flags=(attach_disconnected) { include + include include include capability dac_read_search, + capability setgid, + capability setuid, capability sys_nice, capability sys_ptrace, ptrace (read) peer=unconfined, + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}}, + + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={CheckAuthorization,Changed}, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + + dbus bind bus=system + name=org.freedesktop.Accounts, + @{exec_path} mr, + /usr/share/language-tools/language-validate rPx, + /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, - /etc/gdm/ r, - /etc/gdm/custom.conf rw, - /etc/gdm/custom.conf.* rw, + /etc/default/locale r, + /etc/gdm{3,}/ r, + /etc/gdm{3,}/custom.conf rw, + /etc/gdm{3,}/custom.conf.* rw, /etc/machine-id r, /etc/shadow r, /etc/shells r, @@ -35,6 +60,8 @@ profile accounts-daemon @{exec_path} { owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, + @{HOME}/ r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 9f4df2b1..c663b666 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher 
@@ -11,11 +11,13 @@ include @{exec_path} += @{libexec}/at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include - include + include + include include signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, + signal (receive) set=(term hup kill) peer=gnome-session-binary, signal (send) set=(term hup kill) peer=dbus-daemon, network inet stream, @@ -33,11 +35,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, owner @{HOME}/.xsession-errors w, - owner @{run}/user/@{uid}/at-spi/{,bus} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - + /var/lib/lightdm/.Xauthority r, /var/lib/gdm/.config/dconf/user r, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 939496d8..8fa2940b 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,21 +11,20 @@ include @{exec_path} += @{libexec}/at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include + include include - # Needed? - deny capability sys_nice, - signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, - owner @{HOME}/.Xauthority r, /var/lib/lightdm/.Xauthority r, + + owner @{HOME}/.Xauthority r, + owner @{HOME}/.xsession-errors w, + owner @{run}/user/@{uid}/gdm/Xauthority r, - # file_inherit - owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index cf5e5daa..444e83c8 100644 --- a/apparmor.d/groups/freedesktop/colord 
+++ b/apparmor.d/groups/freedesktop/colord @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,11 +11,30 @@ include @{exec_path} += @{libexec}/colord profile colord @{exec_path} flags=(attach_disconnected) { include + include include include network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.{DBus.Properties,ColorManager*}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus bind bus=system + name=org.freedesktop.ColorManager, + @{exec_path} mr, /{usr/,}lib/colord/colord-sane rPx, @@ -37,7 +56,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/icc/edid-*.icc r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index 0f3cfa1f..f395bb11 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -8,25 +9,41 @@ include @{exec_path} = /{usr/,}lib/colord/colord-sane @{exec_path} += @{libexec}/colord-sane -profile colord-sane @{exec_path} flags=(complain) { +profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { include + include include + network inet dgram, + network inet6 dgram, network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.{DBus.Properties,ColorManager}, + + dbus send bus=system path=/ + interface=org.freedesktop.{DBus.Peer,Avahi.Server} + member={GetAPIVersion,GetState,ServiceBrowserNew,Ping} + peer=(name=org.freedesktop.Avahi), + + dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow}, + @{exec_path} mr, - /etc/sane.d/{,**} r, + /usr/share/snmp/mibs/{,*} r, + /etc/sane.d/{,**} r, /etc/snmp/snmp.conf r, + + /var/lib/snmp/{mib,cert}_indexes/ rw, /var/lib/snmp/mibs/{iana,ietf}/ r, /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - /var/lib/snmp/{mib,cert}_indexes/ rw, - /usr/share/snmp/mibs/{,*} r, + @{run}/systemd/journal/socket rw, @{sys}/bus/scsi/devices/ r, - @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, @{PROC}/sys/dev/parport/ r, diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session index 78d639a5..3c57adf2 100644 --- a/apparmor.d/groups/freedesktop/colord-session +++ b/apparmor.d/groups/freedesktop/colord-session @@ -6,7 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session +@{exec_path} = /{usr/,}lib/colord/colord-session +@{exec_path} += @{libexec}/colord-session profile colord-session @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 16212294..536080df 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf 
@@ -9,17 +9,14 @@ include @{exec_path} = /{usr/,}bin/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, @{exec_path} mr, - /etc/dconf/{,**} r, /etc/dconf/db/** rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index d219dc27..5a8c60e9 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,16 +10,15 @@ include @{exec_path} = /{usr/,}bin/dconf-editor profile dconf-editor @{exec_path} { include - include - include + include include + include include - include + include @{exec_path} mr, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + /usr/share/glib-2.0/schemas/{,*} r, # When GSETTINGS_BACKEND=keyfile owner @{user_config_dirs}/glib-2.0/ rw, @@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} { owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw, - /usr/share/glib-2.0/schemas/{,*} r, - owner @{HOME}/.Xauthority r, - - # file_inherit owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 4782267f..a0a3e09d 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service 
@@ -9,18 +9,14 @@ include @{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include - - # Needed? - deny capability sys_nice, + include + include signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, diff --git a/apparmor.d/groups/freedesktop/desktop-file-install b/apparmor.d/groups/freedesktop/desktop-file-install new file mode 100644 index 00000000..d5903645 --- /dev/null +++ b/apparmor.d/groups/freedesktop/desktop-file-install @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/desktop-file-install +profile desktop-file-install @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index af5198d5..37871075 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue 
@@ -7,15 +7,65 @@ abi , include @{exec_path} = @{libexec}/geoclue -profile geoclue @{exec_path} { +profile geoclue @{exec_path} flags=(attach_disconnected) { include + include network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} + interface=org.freedesktop.{DBus.Properties,GeoClue2*}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping, + + dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged, + + dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] + interface=org.freedesktop.Avahi.ServiceBrowser + member={AllForNow,CacheExhausted}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged,PropertiesChanged}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus bind bus=system + name=org.freedesktop.GeoClue2, + @{exec_path} mr, /etc/geoclue/{,**} r, + @{run}/systemd/journal/socket rw, + @{PROC}/@{pids}/cgroup r, include if exists 
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 596f5725..09d3cb55 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -11,12 +11,26 @@ include profile pipewire @{exec_path} { include include + include + include include ptrace (read), + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit[0-9] + member=MakeThread* + peer=(name=org.freedesktop.RealtimeKit[0-9]), + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.RealtimeKit[0-9]), + @{exec_path} mr, + /{usr/,}bin/pipewire-media-session rPx, + /usr/share/pipewire/pipewire.conf r, /etc/machine-id r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index c21a8314..eca96bdf 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -11,6 +11,7 @@ include profile pipewire-media-session @{exec_path} { include include + include include include @@ -19,6 +20,16 @@ profile pipewire-media-session @{exec_path} { network bluetooth stream, network netlink raw, + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.RealtimeKit1), + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit1 + member=MakeThreadRealtime + peer=(name=org.freedesktop.RealtimeKit1), + @{exec_path} mr, /usr/share/alsa-card-profile/{,**} r, diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index 17c2a2b8..b53b39fe 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme 
@@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} { /{usr/,}bin/grep rix, /{usr/,}bin/plymouth rPx, + /etc/plymouth/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd new file mode 100644 index 00000000..2cab9318 --- /dev/null +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/plymouthd +profile plymouthd @{exec_path} { + include + include + include + + capability sys_admin, + capability sys_tty_config, + + network netlink raw, + + signal (send) peer=unconfined, + + unix type=stream addr="@/org/freedesktop/plymouthd", + unix type=stream peer=(addr="@/org/freedesktop/plymouthd"), + + @{exec_path} mr, + + /usr/share/plymouth/{,**} r, + + /etc/default/keyboard r, + /etc/plymouth/plymouthd.conf r, + /etc/vconsole.conf r, + + @{run}/udev/data/+drm:* r, + @{run}/udev/data/c226:* r, + @{run}/udev/data/c29:* r, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/class/graphics/ r, + @{sys}/devices/pci[0-9]*/**/{,uevent} r, + @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/acpi/bgrt/{,*} r, + + @{PROC}/cmdline r, + + /dev/ptmx rw, + /dev/tty[0-9]* rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 4e9e67fe..16547bd4 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { include + include include include include 
@@ -28,6 +29,14 @@ profile polkit-agent-helper @{exec_path} { signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=pkexec, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=AuthenticationAgentResponse2, + @{exec_path} mr, # file_inherit @@ -35,7 +44,6 @@ profile polkit-agent-helper @{exec_path} { owner @{HOME}/.xsession-errors w, @{run}/faillock/[a-zA-z0-9]* rwk, - @{run}/systemd/userdb/io.systemd.DynamicUser w, include if exists } diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 38ee6a3b..687664b4 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,14 +10,15 @@ include @{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9] profile polkit-mate-authentication-agent @{exec_path} { include - include - include - include - include - include + include include include + include + include + include + include include + include signal (send) set=(term, kill) peer=polkit-agent-helper, 
@@ -24,25 +26,19 @@ profile polkit-mate-authentication-agent @{exec_path} { /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/X11/xkb/** r, /var/lib/dbus/machine-id r, /etc/machine-id r, owner @{HOME}/.Xauthority r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - /usr/share/X11/xkb/** r, - - # file_inherit owner /dev/tty[0-9]* rw, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 289496ba..5847fcff 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -11,24 +11,28 @@ include @{exec_path} += @{libexec}/polkitd profile polkitd @{exec_path} { include + include include - capability setuid, capability setgid, + capability setuid, + capability sys_nice, capability sys_ptrace, - audit deny capability net_admin, + audit capability net_admin, ptrace (read), - @{exec_path} mr, + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* + interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName}, + + dbus bind bus=system + name=org.freedesktop.PolicyKit[0-9], + + @{exec_path} mr, /etc/machine-id r, @@ -52,7 +56,14 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{run}/systemd/userdb/io.systemd.DynamicUser w, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, # Silencer deny /.cache/ rw, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index c5787e2c..2a8d08de 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,9 +15,13 @@ profile pulseaudio @{exec_path} { include include include + include include include + include + include include + include ptrace (trace) peer=@{profile_name}, 
@@ -29,65 +34,20 @@ profile pulseaudio @{exec_path} { network bluetooth stream, network bluetooth seqpacket, - @{exec_path} mrix, + dbus (send) + bus=session + path=/Client0/EntryGroup[0-9]* + interface=org.freedesktop.Avahi.EntryGroup + member={GetState,AddService,AddServiceSubtype,Commit} + peer=(name=org.freedesktop.Avahi), - /{usr/,}lib{exec,}/pulse/gsettings-helper mrix, - /{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix, - /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, + dbus (receive) + bus=session + path=/Client0/EntryGroup[0-9]* + interface=org.freedesktop.Avahi.EntryGroup + member=StateChanged + peer=(name=org.freedesktop.Avahi), - # PulseAudio files - /usr/share/pulseaudio/{,**} r, - /{usr/,}lib/pulse-*/modules/*.so mr, - - # PulseAudio home config files - owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_config_dirs}/dconf/user r, - - owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, - - # Needed when PulseAudio is started via the start-pulseaudio-x11 script - owner @{HOME}/.Xauthority r, - - # Needed when PulseAudio is started via gdm - owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - owner @{HOME}/.ICEauthority r, - - # TCP wrap - /etc/hosts.{allow,deny} r, - - owner @{run}/user/@{uid}/ rw, - owner @{run}/user/@{uid}/pulse/{,*} rw, - owner @{run}/user/@{uid}/pulse/*.lock k, - - /usr/share/applications/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{sys}/devices/**/sound/**/{uevent,pcm_class} r, - @{run}/udev/data/+sound* r, - @{run}/udev/data/c116:[0-9]* r, # For ALSA - - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, - - deny @{sys}/module/apparmor/parameters/enabled r, - - @{run}/systemd/users/@{uid} r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner 
@{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/ICEauthority r, - owner @{run}/user/@{uid}/systemd/notify rw, - - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/cmdline r, - - # DBus dbus (send) bus=session path=/org/freedesktop/DBus @@ -138,15 +98,47 @@ profile pulseaudio @{exec_path} { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), + + dbus (send) + bus=system + path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), - unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), - unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), + dbus (send) + bus=system + path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,EntryGroupNew} + peer=(name=org.freedesktop.Avahi), - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - owner @{run}/user/@{uid}/orcexec.* mrw, - #owner @{HOME}/orcexec.* mrw, - #owner /tmp/orcexec.* mrw, + dbus (receive) + bus=system + path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=org.freedesktop.Avahi), + + dbus (send) + bus=system + path=/ + interface=org.freedesktop.hostname[0-9] + member=Get + peer=(name=/org/freedesktop/hostname[0-9]), + + @{exec_path} mrix, + + /{usr/,}@{libexec}/pulse/gsettings-helper mrix, + /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, + /{usr/,}lib/pulse-*/modules/*.so mr, + + /usr/share/applications/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/pulseaudio/{,**} r, + /usr/share/ubuntu/applications/{,*} r, + + /var/lib/snapd/desktop/applications/ r, # For GDM owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw, 
@@ -164,13 +156,33 @@ profile pulseaudio @{exec_path} { owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/cookie k, + owner @{user_config_dirs}/pulse/{,**} rw, + + owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, + + owner @{run}/user/@{uid}/ rw, + owner @{run}/user/@{uid}/pulse/{,*} rw, + owner @{run}/user/@{uid}/pulse/*.lock k, + owner @{run}/user/@{uid}/systemd/notify rw, + + @{run}/systemd/users/@{uid} r, + + @{run}/udev/data/+sound* r, + @{run}/udev/data/c116:[0-9]* r, # For ALSA + + @{sys}/class/sound/ r, + @{sys}/devices/**/sound/**/{uevent,pcm_class} r, + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + + deny @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/cmdline r, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - # Snap - /var/lib/snapd/desktop/applications/ r, - /usr/{local/,}share/ubuntu/applications/{,*} r, - include if exists } diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 0ccc239e..608595e6 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database 
@@ -24,12 +24,15 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { /usr/share/*/*.desktop r, - /var/lib/flatpak/exports/share/applications/{,**/} r, - /var/lib/flatpak/exports/share/applications/**.desktop r, - /var/lib/flatpak/exports/share/applications/.mimeinfo.cache.* rw, - /var/lib/flatpak/exports/share/applications/mimeinfo.cache w, + /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r, + /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r, + /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw, + /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w, - /var/lib/flatpak/app/**/export/share/applications/**.desktop r, + /var/lib/snapd/desktop/applications/{,**/} r, + /var/lib/snapd/desktop/applications/**.desktop r, + /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, + /var/lib/snapd/desktop/applications/mimeinfo.cache w, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 77c69921..db4eb0c7 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -11,7 +11,7 @@ profile upower @{exec_path} { include # Needed? - deny capability sys_nice, + audit capability sys_nice, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 11873361..22c62c33 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -10,36 +11,42 @@ include @{exec_path} += @{libexec}/upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include + include include network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} + interface=org.freedesktop.{DBus.Properties,UPower*}, + + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member={PropertiesChanged,GetAll}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown}, + + dbus bind bus=system + name=org.freedesktop.UPower, + @{exec_path} mr, - # UPower config file /etc/UPower/ r, /etc/UPower/UPower.conf r, - # The history data for the power device /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - # Are all of these needed? (#FIXME#) - /dev/input/event* r, - @{sys}/bus/hid/devices/ r, - @{sys}/class/leds/ r, - @{sys}/class/power_supply/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/**/power_supply/**/* r, - @{sys}/devices/**/uevent r, - @{sys}/devices/**/capabilities/* r, - @{sys}/devices/virtual/dmi/id/product_name r, - - @{sys}/devices/platform/**/leds/**/max_brightness r, - @{sys}/devices/platform/**/leds/**/brightness rw, - @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, - @{run}/udev/data/ r, @{run}/udev/data/+power_supply* r, @{run}/udev/data/+input* r, 
@@ -48,5 +55,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, + @{sys}/bus/hid/devices/ r, + @{sys}/class/input/ r, + @{sys}/class/leds/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/ r, + @{sys}/devices/**/capabilities/* r, + @{sys}/devices/**/power_supply/**/* r, + @{sys}/devices/**/uevent r, + @{sys}/devices/platform/**/leds/**/brightness rw, + @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, + @{sys}/devices/platform/**/leds/**/max_brightness r, + @{sys}/devices/virtual/dmi/id/product_name r, + + /dev/input/event* r, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon new file mode 100644 index 00000000..a069396d --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/xdg-desktop-icon +profile xdg-desktop-icon @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cc70c3bc..1570e6b3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,7 +9,10 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include - include + include + include + include + include include include 
@@ -19,6 +22,26 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace (read), + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, + + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={StateChanged,CheckPermissions}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -28,21 +51,18 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, - /{usr/,}lib/x r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/pipewire/client.conf r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /etc/machine-id r, /etc/pipewire/client.conf.d/ r, /var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/applications/{**,} r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{PROC}/@{pids}/cgroup r, @{PROC}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index c5075fb3..611f2e2b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
@@ -9,13 +9,28 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} { include - include + include + include + include + include include include include include include + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member=Changed, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -28,7 +43,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{user_share_dirs}/ r, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 27fb6a9e..fd660d09 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,7 +9,9 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include - include + include + include + include include include include 
@@ -18,6 +20,26 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member=Changed, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -30,7 +52,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/@{XDG_DATA_HOME}/ r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/mount/utab r, owner @{PROC}/@{uid}/mountinfo r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 7c0c975d..ca2b2c3a 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -12,6 +12,8 @@ profile xdg-document-portal @{exec_path} { ptrace (read) peer=xdg-desktop-portal, + unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), + @{exec_path} mr, /{usr/,}bin/flatpak rCx -> flatpak, @@ -57,6 +59,8 @@ profile xdg-document-portal @{exec_path} { capability sys_admin, capability dac_read_search, + unix (send receive) type=stream peer=(label=xdg-document-portal), + # network inet stream, # network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 1fb0f326..bbc1eee6 100644 
--- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,24 +15,39 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/basename rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/head rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/cut rix, /{usr/,}bin/file rix, + /{usr/,}bin/head rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/sed rix, /{usr/,}bin/tr rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/gio rPx, /{usr/,}bin/mimetype rPx, /{usr/,}bin/xprop rPx, /usr/share/terminfo/x/xterm-256color r, + /usr/share/ubuntu/applications/ r, + + /etc/gnome/defaults.list r, + + owner @{HOME}/.Xauthority r, + owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{run}/user/@{uid}/ r, + + @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r, + @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, + + /dev/dri/card[0-9]* rw, + /dev/tty rw, # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: 
@@ -44,26 +60,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { deny /{usr/,}bin/dbus-launch rx, deny /{usr/,}bin/dbus-send rx, - owner @{user_config_dirs}/mimeapps.list{,.new} rw, - - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - owner @{HOME}/.Xauthority r, - - owner @{run}/user/@{uid}/ r, - - # For shell pwd - owner @{HOME}/ r, - - @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, - - # file_inherit - @{MOUNTS}/** rw, - /dev/dri/card[0-9]* rw, - - /dev/tty rw, - profile dbus { include include @@ -72,10 +68,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-send mr, /{usr/,}bin/dbus-daemon rPx, - # for dbus-launch + @{HOME}/.Xauthority r, owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, - @{HOME}/.Xauthority r, } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index d8dce5fd..a7113a76 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, @@ -17,6 +18,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw, + owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw, owner @{user_share_dirs}/flatpak/db/background rw, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 8eb6c1f1..c2ea3fc3 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
@@ -35,11 +35,14 @@ profile xdg-settings @{exec_path} { /usr/share/terminfo/x/xterm-256color r, /usr/share/applications/ r, + /usr/share/ubuntu/applications/ r, /etc/xdg/xfce4/helpers.rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/snapd/desktop/applications/{,*} r, + owner @{HOME}/ r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update new file mode 100644 index 00000000..04af0cba --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/xdg-user-dirs-gtk-update +profile xdg-user-dirs-gtk-update @{exec_path} { + include + include + + @{exec_path} mr, + + owner @{user_config_dirs}/user-dirs.dirs r, + owner @{user_config_dirs}/user-dirs.locale r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 0095e3b3..5143346a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -11,6 +11,10 @@ include profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), + unix (send,receive) type=stream addr=none peer=(label=xwayland), + @{exec_path} mr, /usr/share/X11/xkb/** r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index cfd45274..090e2ee8 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
@@ -10,9 +10,10 @@ include @{exec_path} = /{usr/,}bin/X @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/Xorg{,.wrap} -@{exec_path} += /{usr/,}lib/xorg/Xorg +@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -40,6 +41,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} + interface=org.freedesktop.{DBus.Properties,login1.Session} + member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID} + peer=(name=org.freedesktop.login[0-9]), + + dbus receive bus=system path=/org/freedesktop/login[0-9]/session/* + interface=org.freedesktop.login1.Session + member=PauseDevice, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 4db26964..066d8a7c 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/xrdb profile xrdb @{exec_path} { include + include @{exec_path} mr, @@ -17,9 +18,8 @@ profile xrdb @{exec_path} { /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix, /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix, /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /usr/include/stdc-predef.h r, - owner @{HOME}/.Xauthority r, + /usr/include/stdc-predef.h r, /etc/X11/Xresources/x11-common r, @@ -33,8 +33,6 @@ profile xrdb @{exec_path} { owner /tmp/xauth-[0-9]*-_[0-9] r, owner /tmp/kcminit.* r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e535c2df..eae9f065 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland 
@@ -19,6 +19,9 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, + unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 75206db5..57972147 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -9,7 +9,10 @@ include @{exec_path} = @{libexec}/evolution-addressbook-factory profile evolution-addressbook-factory @{exec_path} { include - include + include + include + include + include include include include @@ -20,6 +23,22 @@ profile evolution-addressbook-factory @{exec_path} { network inet6 dgram, network netlink raw, + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/locale[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, @{exec_path}-subprocess rix, @@ -28,9 +47,6 @@ profile evolution-addressbook-factory @{exec_path} { owner @{user_share_dirs}/evolution/{,**} rwk, owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index e1e49b08..a1b4dca7 100644 
--- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,7 +9,8 @@ include @{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include + include + include include include include @@ -23,8 +24,5 @@ profile evolution-alarm-notify @{exec_path} { /usr/share/ubuntu/applications/ r, /usr/share/zoneinfo-icu/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 6a60f3c1..ef99ad71 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -9,7 +9,10 @@ include @{exec_path} = @{libexec}/evolution-calendar-factory profile evolution-calendar-factory @{exec_path} { include - include + include + include + include + include include include include @@ -20,6 +23,14 @@ profile evolution-calendar-factory @{exec_path} { network inet6 dgram, network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member={PropertiesChanged,GetAll}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + @{exec_path} mr, @{exec_path}-subprocess rix, @@ -30,9 +41,6 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index b40e3ed9..0280ccf3 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry 
+++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -9,10 +9,11 @@ include @{exec_path} = @{libexec}/evolution-source-registry profile evolution-source-registry @{exec_path} { include - include + include + include include - include include + include network inet stream, network inet6 stream, @@ -29,9 +30,6 @@ profile evolution-source-registry @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3532b32c..776e10df 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -9,8 +9,10 @@ include @{exec_path} = /{usr/,}{s,}bin/gdm{3,} profile gdm @{exec_path} flags=(attach_disconnected) { include - include + include + include include + include capability chown, capability fsetid, 
@@ -24,15 +26,46 @@ profile gdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term), + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.{DBus.Properties,Accounts.User} + member={Changed,GetAll,PropertiesChanged}, + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.{DBus.Properties,Accounts} + member={GetAll,ListCachedUsers,FindUserByName}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login1.Manager + member={ListSeats,ActivateSessionOnSeat,UnlockSession}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, + + dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/gnome/DisplayManager/Manager + interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager} + member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel}, + + dbus bind bus=system + name=org.gnome.DisplayManager, + @{exec_path} mr, - /{usr/,}bin/plymouth rPx, - /{usr/,}lib/gdm-session-worker rPx, - + /{usr/,}{s,}prime-switch rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/plymouth rPx, + /etc/gdm{3,}/PrimeOff/Default rix, + @{libexec}/gdm-session-worker rPx, + /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/locale.conf r, 
@@ -44,12 +77,12 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{run}/gdm{3,}/gdm.pid rw, @{run}/gdm{3,}/greeter/ rw, @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/sessions/[0-9]* r, - @{run}/systemd/sessions/[0-9]*.ref r, - @{run}/systemd/userdb/ r, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref r, @{run}/systemd/users/@{uid} r, @{run}/udev/tags/master-of-seat/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config index e9821c97..eb15b149 100644 --- a/apparmor.d/groups/gnome/gdm-runtime-config +++ b/apparmor.d/groups/gnome/gdm-runtime-config @@ -12,7 +12,7 @@ profile gdm-runtime-config @{exec_path} { @{exec_path} mr, - @{run}/gdm/ r, + @{run}/gdm/ rw, @{run}/gdm/custom.conf* rw, include if exists diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d7e91d94..548b699f 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -10,6 +10,8 @@ include profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { include include + include + include include capability audit_write, 
@@ -39,12 +41,24 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.Properties,Accounts*} + member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CreateSession,ReleaseSession}, + @{exec_path} mrix, /{usr/,}bin/gnome-keyring-daemon rPx, @{libexec}/gdm-wayland-session rPx, @{libexec}/gdm-x-session rPx, /etc/gdm{3,}/{Pre,Post}Session/Default rix, + /etc/gdm{3,}/PrimeOff/Default rix, + + /usr/share/gdm/gdm.schemas r, + /usr/share/wayland-sessions/*.desktop r, /etc/default/locale r, /etc/environment r, @@ -56,21 +70,20 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/security/limits.d/{,*.conf} r, /etc/shells r, - /usr/share/gdm/gdm.schemas r, - /usr/share/wayland-sessions/*.desktop r, + owner @{run}/user/@{uid}/keyring/control rw, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/gdm/custom.conf r, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw, owner @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, @{PROC}/keys r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index d906f01e..1805b763 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -11,7 +11,8 @@ profile gdm-wayland-session @{exec_path} { include include include - include + include + include include include 
@@ -20,20 +21,25 @@ profile gdm-wayland-session @{exec_path} { signal (send) set=(term) peer=dbus-daemon, signal (send) set=(term) peer=gnome-session-binary, - @{exec_path} mr, + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.DisplayManager.Manager + member=RegisterDisplay, - # It can run hooks, how to handle them nicely? rCx? them mostly include if exist + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/env rix, + /{usr/,}bin/gettext rix, /{usr/,}bin/gnome-session rix, /{usr/,}bin/grep rix, /{usr/,}bin/gsettings rix, + /{usr/,}bin/head rix, /{usr/,}bin/locale rix, /{usr/,}bin/locale-check rix, + /{usr/,}bin/qmake rix, /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, /{usr/,}bin/tty rix, - /{usr/,}bin/gettext rix, /{usr/,}bin/zsh rix, /{usr/,}bin/dbus-daemon rPx, @@ -42,20 +48,20 @@ profile gdm-wayland-session @{exec_path} { /{usr/,}bin/flatpak rPUx, @{libexec}/gnome-session-binary rPx, + /{usr/,}bin/gettext.sh r, /usr/share/im-config/{,**} r, /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, /etc/machine-id r, /etc/shells r, + /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, /usr/share/gdm/gdm.schemas r, /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/gdm/custom.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index 5992fe6f..dfddfb6c 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/gdm-x-session profile gdm-x-session @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=term peer=gdm{,-session-worker}, # signal (send) set=term peer=unconfined, 
@@ -20,9 +22,10 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/Xorg rPx, /{usr/,}bin/dbus-run-session rPx, - /etc/gdm/Xsession rPx, + /etc/gdm{3,}/Xsession rPx, + /etc/gdm{3,}/Prime/Default rix, - /etc/gdm/custom.conf r, + /etc/gdm{3,}/custom.conf r, /usr/share/gdm/gdm.schemas r, /var/lib/gdm/.cache/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 02e9834f..5f3e7745 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,7 +11,7 @@ profile gdm-xsession @{exec_path} { include include include - include + include include @{exec_path} mr, @@ -34,9 +34,6 @@ profile gdm-xsession @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/X11/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 7af35a3d..a77327c0 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -9,7 +9,8 @@ include @{exec_path} = /{usr/,}bin/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include @@ -45,8 +46,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 00a762b6..d3a16fcf 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider 
@@ -9,9 +9,10 @@ include @{exec_path} = @{libexec}/gnome-calculator-search-provider profile gnome-calculator-search-provider @{exec_path} { include - include - include + include + include include + include signal (send) set=kill peer=unconfined, @@ -22,9 +23,8 @@ profile gnome-calculator-search-provider @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/icons/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 0490d755..f242da61 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-calendar profile gnome-calendar @{exec_path} { include - include + include include include include @@ -23,14 +23,11 @@ profile gnome-calendar @{exec_path} { @{exec_path} mr, - /usr/share/libgweather/Locations.xml r, + /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/libgweather/Locations.xml r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice new file mode 100644 index 00000000..ed4bc812 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice 
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService +profile gnome-characters-backgroudservice @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}bin/gjs-console rix, + + /usr/share/icons/{,**} r, + /usr/share/themes/{,**} r, + /usr/share/X11/xkb/{,**} r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index fd682a6b..0ddcf07b 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,11 +9,12 @@ include @{exec_path} = /{usr/,}bin/gnome-contacts profile gnome-contacts @{exec_path} { include - include + include include include include include + include include include include @@ -28,14 +29,8 @@ profile gnome-contacts @{exec_path} { /usr/share/applications/{,*.desktop} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_share_dirs}/folks/relationships.ini r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - @{PROC}/sys/dev/i915/perf_stream_paranoid r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index a926614e..cb8a473a 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include - include + include include include 
@@ -22,9 +22,6 @@ profile gnome-contacts-search-provider @{exec_path} { owner @{user_share_dirs}/folks/relationships.ini r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 5822b9c4..c6c3ef91 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,7 +10,9 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include + include + include include include include 
@@ -34,27 +36,37 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/bash rUx, - /{usr/,}bin/bwrap rPUx, - /{usr/,}bin/gcm-viewer rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/openvpn rPx, - /{usr/,}bin/passwd rPx, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + + /{usr/,}bin/gcm-viewer rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/sed rix, + @{libexec}/gnome-control-center-goa-helper rPx, @{libexec}/gnome-control-center-print-renderer rPx, + /{usr/,}bin/bwrap rPUx, + /{usr/,}bin/openvpn rPx, + /{usr/,}bin/passwd rPx, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, + /usr/share/language-tools/language2locale rix, - /usr/share/backgrounds/gnome/* r, + /snap/*/[0-9]*/**.png r, + /usr/share/backgrounds/{,**} r, + /usr/share/cups/data/testprint r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-background-properties/{,**} r, - /usr/share/gnome-bluetooth/{,**} r, + /usr/share/gnome-bluetooth{-*,}/{,**} r, /usr/share/gnome-color-manager/{,**} r, + /usr/share/gnome-control-center/{,**} r, /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, /usr/share/mime/{,**} r, /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, + /usr/share/ubuntu/applications/{,*} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, 
@@ -65,26 +77,33 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/snapd/desktop/icons/ r, + + /var/cache/samba/ rw, + owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/mimeapps.list.* rw, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/icc/{,edid-*} r, + owner @{user_share_dirs}/sounds/__custom/{,*} rw, owner @{user_share_dirs}/webkitgtk/{,**} r, owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, + @{run}/cups/cups.sock rw, + @{run}/samba/ rw, + @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/[0-9]* r, @{run}/udev/data/+dmi:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @@ -111,6 +130,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, @@ -123,4 +143,4 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /dev/video[0-9]* rw, include if exists -} \ No newline at end of file +} 
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper new file mode 100644 index 00000000..4f68eb92 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/gnome-control-center-goa-helper +profile gnome-control-center-goa-helper @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /{usr/,}bin/bwrap rPUx, + + /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/themes/{,**} r, + /usr/share/X11/xkb/{,**} r, + + /var/lib/flatpak/exports/share/icons/{,**} r, + + owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, + + owner @{user_share_dirs}/webkitgtk/{,**} rw, + owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, + + owner @{run}/user/@{uid}/webkitgtk/{,**} rw, + + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-[0-9]*.scope/memory.* r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + @{PROC}/zoneinfo r, + + include if exists +} diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 4da0a80b..43324261 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer 
@@ -9,7 +9,8 @@ include @{exec_path} = @{libexec}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include + include + include include include include @@ -31,11 +32,12 @@ profile gnome-control-center-print-renderer @{exec_path} { /var/lib/flatpak/exports/share/icons/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, + /var/lib/snapd/desktop/icons/{,**} r, + owner @{user_share_dirs}/icons/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 692de63e..c99e15d4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -9,19 +9,22 @@ include @{exec_path} = @{libexec}/gnome-control-center-search-provider profile gnome-control-center-search-provider @{exec_path} { include - include + include + include + include include include - include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/ubuntu/applications/{,**} r, /usr/share/X11/xkb/{,**} r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + + /etc/gnome/defaults.list r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index cccd460e..853c4a1c 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter 
@@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include + include include include include @@ -21,12 +21,9 @@ profile gnome-disk-image-mounter @{exec_path} { # Allow to mount user files owner @{HOME}/{,**} r, - owner @{MOUNTS}/*/{,**} r, + owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/mountinfo r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index a1b86d6e..204e198d 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-disks profile gnome-disks @{exec_path} { include - include + include include @{exec_path} mr, @@ -17,9 +17,6 @@ profile gnome-disks @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 88bcdf23..07a34d14 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding 
@@ -9,22 +9,47 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include - include - include + include + include + include include + include + include + + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={ListNames,ListActivatableNames}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus send bus=system path=/net/hadess/SwitcherooControl + interface=org.freedesktop.DBus.Properties + member=GetAll, @{exec_path} mr, - /{usr/,}bin/env rix, - /{usr/,}bin/gjs-console rix, - /{usr/,}bin/nautilus rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/env rix, + /{usr/,}bin/gjs-console rix, + /{usr/,}bin/gnome-control-center rPx, + /{usr/,}bin/nautilus rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, - /usr/share/themes/{,**} r, - /usr/share/thumbnailers/*.thumbnailer r, + /usr/share/thumbnailers/{,*.thumbnailer} r, + /usr/share/ubuntu/applications/{,**} r, /usr/share/X11/{,**} r, + /etc/gnome/defaults.list r, + /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, @@ -35,10 +60,6 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home r, owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index 1a63d501..d4f5d0bc 100644 
--- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -13,7 +13,7 @@ profile gnome-extensions-app @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gjs-console rPx, + /{usr/,}bin/gjs-console rix, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 361f0186..85b6e24b 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,6 +10,8 @@ include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include + include include capability ipc_lock, @@ -17,6 +19,20 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=ssh-agent, + dbus send bus=system path=/org/freedesktop/login[0-9]/session/* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.login[0-9]), + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=GetSession + peer=(name=org.freedesktop.login[0-9]), + + dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /{usr/,}bin/ssh-add rix, @@ -32,6 +48,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/keyring/ rw, owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, + @{run}/user/@{uid}/keyring/control r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 2d291652..19c42c25 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music 
@@ -10,7 +10,7 @@ include profile gnome-music @{exec_path} { include include - include + include include include include @@ -31,6 +31,7 @@ profile gnome-music @{exec_path} { /{usr/,}bin/ r, /{usr/,}bin/python3.[0-9]* rix, + /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, @@ -38,8 +39,7 @@ profile gnome-music @{exec_path} { /etc/machine-id r, - owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, - owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r, + owner @{user_music_dirs}/{,**} r, owner @{user_cache_dirs}/gnome-music/{,**} rwk, owner @{user_cache_dirs}/media-art/album-*.jpeg rw, @@ -48,8 +48,6 @@ profile gnome-music @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r, owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index c58fc245..5a4f9796 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -15,8 +15,7 @@ profile gnome-photos-thumbnailer @{exec_path} { /usr/share/mime/mime.cache r, - owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r, - owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon new file mode 100644 index 00000000..fb3abe8d --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon 
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{libexec}/gnome-remote-desktop-daemon +profile gnome-remote-desktop-daemon @{exec_path} { + include + include + include + include + include + include + + @{exec_path} mr, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 94e54cfc..6362ac80 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,12 +9,15 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include + include + include + include include include include include include + include network inet stream, network inet6 stream, 
@@ -22,8 +25,29 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (send) set=(term) peer=gsd-*, signal (receive) set=(term, hup) peer=gdm*, + signal (send) set=(term) peer=at-spi-bus-launcher, + signal (send) set=(term) peer=gsd-*, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CanPowerOff,GetSession,PowerOff,Inhibit}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.login[0-9].Session + member=SetIdleHint, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,PrepareForShutdown,SessionRemoved}, @{exec_path} mr, @@ -43,17 +67,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/aa-notify rPx, /{usr/,}bin/blueman-applet rPx, - /{usr/,}bin/xdg-user-dirs-update rPx, /{usr/,}bin/firewall-applet rPUx, /{usr/,}bin/gnome-keyring-daemon rPx, /{usr/,}bin/gnome-shell rPx, /{usr/,}bin/im-launch rPx, /{usr/,}bin/pkcs11-register rPx, /{usr/,}bin/snap rPUx, + /{usr/,}bin/spice-vdagent rPx, /{usr/,}bin/start-pulseaudio-x11 rPx, /{usr/,}bin/ubuntu-report rPx, /{usr/,}bin/update-notifier rPx, /{usr/,}bin/xbrlapi rPx, + /{usr/,}bin/xdg-user-dirs-update rPx, /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx, @{libexec}/at-spi-bus-launcher rPx, @{libexec}/evolution-data-server/evolution-alarm-notify rPx, 
@@ -97,20 +122,17 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/user-dirs.locale r, owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/mimeinfo.cache r, + owner @{user_share_dirs}/session_migration-ubuntu r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, + owner @{run}/user/@{uid}/systemd/notify w, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/[0-9]* r, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, - /tmp/.ICE-unix/[0-9]* rw, - @{sys}/devices/**/{vendor,device} r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6a059dc8..978e949d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,11 +11,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include - include + include + include + include + include include include include include + include include include include @@ -23,6 +27,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, capability sys_ptrace, 
@@ -37,7 +42,79 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send), + + unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), + unix (send,receive) type=stream addr=none peer=(label=xkbcomp), + unix (send,receive) type=stream addr=none peer=(label=xwayland), + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} + interface=org.freedesktop.{DBus.Properties,login[0-9].*}, + + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.{DBus.Properties,PolicyKit[0-9].Authority} + member={CheckAuthorization,RegisterAuthenticationAgent,Changed,GetAll}, + + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.Properties,Accounts*} + member={GetAll,FindUserByName,Changed,PropertiesChanged}, + + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} + interface=org.freedesktop.{DBus.Properties,GeoClue2.Manager} + member={PropertiesChanged,AddAgent,GetAll}, + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser, + + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings, + + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager} + member={RegisterSession,Get,GetAll,OpenReauthenticationChannel}, + 
+ dbus send bus=system path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member=GetDefaultDevice, + + dbus send bus=system path=/org/freedesktop/NetworkManager{,/AgentManager} + interface=org.freedesktop.NetworkManager{,.AgentManager} + member={Unregister,RegisterWithCapabilities,GetPermissions}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + + dbus receive bus=system path=/org/freedesktop/NetworkManager/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system + path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent + member=BeginAuthentication, + @{exec_path} mr, /{usr/,}bin/Xwayland rPx, @@ -47,6 +124,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx, /opt/*/**/*.png r, + /snap/*/@{uid}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/dconf/profile/gdm r, /usr/share/desktop-directories/{,*.directory} r, @@ -64,13 +142,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/ubuntu/applications/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - /usr/share/xsessions/{,*.desktop} r, /.flatpak-info r, /etc/fstab r, - /etc/machine-id r, /etc/xdg/menus/gnome-applications.menu r, - /var/lib/dbus/machine-id r, /var/lib/gdm{3,}/.cache/ w, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, 
@@ -95,13 +170,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, + + owner @{user_music_dirs}/**/*.jpg r, owner @{user_config_dirs}/.goutputstream{,*} rw, - owner @{user_config_dirs}/ibus/ rw, - owner @{user_config_dirs}/ibus/bus/ rw, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_share_dirs}/backgrounds/{,**} rw, @@ -118,13 +192,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, + owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner /dev/shm/.org.chromium.Chromium.* rw, @@ -133,12 +205,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner /tmp/.X[0-9]-lock rw, owner /tmp/[0-9A-Z]*.shell-extension.zip rw, owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, - /tmp/.X11-unix/X[0-9] rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/* r, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/tags/seat/ r, 
@@ -169,7 +240,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, - @{sys}/devices/**/power_supply/**/{type,online} r, + @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 09287690..560fbeb9 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -9,7 +9,8 @@ include @{exec_path} = @{libexec}/gnome-shell-calendar-server profile gnome-shell-calendar-server @{exec_path} { include - include + include + include include @{exec_path} mr, @@ -17,8 +18,7 @@ profile gnome-shell-calendar-server @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/zoneinfo-icu/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + /etc/timezone r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 6769ca2f..94abd03f 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -14,7 +14,6 @@ profile gnome-shell-hotplug-sniffer @{exec_path} { /usr/share/mime/mime.cache r, - owner @{MOUNTS}/*/ r, owner @{MOUNTS}/**/ r, owner @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index f42c703e..a24ecee8 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor 
@@ -9,7 +9,8 @@ include @{exec_path} = /{usr/,}bin/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include + include + include include include @@ -30,16 +31,18 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-system-monitor/{,**} r, /usr/share/pixmaps/{,**} r, + /usr/share/ubuntu/applications/{,**} r, /etc/machine-id r, + /var/lib/snapd/desktop/icons/ r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/doc/ rw, - @{run}/systemd/sessions/[0-9]*{,.ref} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/collisions r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/rx_{bytes,errors,packets} r, @@ -50,10 +53,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @{PROC}/ r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/net/tcp{,6} r, @@ -65,4 +70,4 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/vmstat r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 6b47c216..9054d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,7 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include - include + include include include include 
@@ -20,7 +20,11 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, # The shell is not confined on purpose. - /{usr/,}bin/{,z,ba,da}sh rUx, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + + # Some CLI program can be launched directly from Gnome Shell + /{usr/,}bin/htop rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, @@ -32,8 +36,6 @@ profile gnome-terminal-server @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 4ca8818b..cfe4e9d6 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -10,7 +10,7 @@ include profile gnome-tweaks @{exec_path} { include include - include + include include include include @@ -37,9 +37,6 @@ profile gnome-tweaks @{exec_path} { owner @{user_share_dirs}/recently-used.xbel* rw, owner @{user_share_dirs}/sounds/ r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index fa65e3ce..602cee7a 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,7 +9,10 @@ include @{exec_path} = @{libexec}/goa-daemon profile goa-daemon @{exec_path} { include - include + include + include + include + include include include include 
@@ -22,14 +25,20 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member={PropertiesChanged,GetAll}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_config_dirs}/goa-1.0/accounts.conf r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{user_config_dirs}/goa-1.0/ rw, + owner @{user_config_dirs}/goa-1.0/accounts.conf* rw, include if exists } diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 6a728d63..c7b98a84 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -10,6 +10,7 @@ include profile goa-identity-service @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 8be54615..b6a01c29 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,7 +9,8 @@ include @{exec_path} = @{libexec}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include + include + include signal (receive) set=(term, hup) peer=gdm*, @@ -19,9 +20,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a6f7d510..3f14d3ea 100644 --- a/apparmor.d/groups/gnome/gsd-color 
+++ b/apparmor.d/groups/gnome/gsd-color @@ -9,13 +9,22 @@ include @{exec_path} = @{libexec}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include - include + include + include + include include + include include signal (receive) set=(term, hup) peer=gdm*, + dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*} + interface=org.freedesktop.ColorManager*, + + dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/*,/profiles/*} + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -34,9 +43,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/ r, owner @{user_share_dirs}/icc/edid-*.icc rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index e7d51d5b..119998b7 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,7 +9,8 @@ include @{exec_path} = @{libexec}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include + include + include signal (receive) set=(term, hup) peer=gdm*, @@ -19,9 +20,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 0ff646db..28175182 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
@@ -9,6 +9,15 @@ include @{exec_path} = @{libexec}/gsd-disk-utility-notify profile gsd-disk-utility-notify @{exec_path} { include + include + include + + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.DBus.{Properties,ObjectManager}, + + dbus send bus=system path=/org/freedesktop/UDisks2 + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index d9ede44b..c1508ef7 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,7 +10,8 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include - include + include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -27,9 +28,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_share_dirs}/applications/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index e683f0a8..a278f2b3 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,13 +9,19 @@ include @{exec_path} = @{libexec}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include - include + include + include + include include + include include signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=system path=/org/freedesktop/locale[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, 
@@ -30,9 +36,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index d6fbdbab..1af3f985 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,7 +10,9 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include + include + include + include include include include @@ -19,6 +21,34 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=PowerOff, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown}, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, 
@@ -29,9 +59,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/pulse/ rw, owner @{user_share_dirs}/ r, @@ -42,9 +69,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/cookie rk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index b4a6bd31..557146a9 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,7 +10,9 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include + include + include + include include include include 
@@ -19,6 +21,41 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} + interface=org.freedesktop.{DBus.Properties,UPower*}, + + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto + interface=org.freedesktop.login[0-9].Session + member=SetBrightness, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown}, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -27,15 +64,12 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, /var/lib/gdm/.cache/event-sound-cache.tdb.* rwk, /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/pulse/client.conf r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, @{run}/udev/data/+backlight:* r, @{run}/udev/data/+leds:*backlight* r, 
@@ -58,8 +92,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/leds/*backlight*/max_brightness r, @{sys}/devices/platform/**/leds/*backlight*/brightness rw, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/cgroup r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 0e0e011c..cf9a4654 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include + include include network inet stream, @@ -17,6 +19,25 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send) set=(hup) peer=gsd-printer, + dbus (send,receive) bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free}, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping, + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier, + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged, + @{exec_path} mr, @{libexec}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 487e827b..c4614b70 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer 
@@ -9,10 +9,22 @@ include @{exec_path} = @{libexec}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={ReleaseName,RequestName}, + + dbus bind bus=system + name=com.redhat.NewPrinterNotification, + + dbus bind bus=system + name=com.redhat.PrinterDriversInstaller, + @{exec_path} mr, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index cca7f7a3..52d98363 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,11 +9,33 @@ include @{exec_path} = @{libexec}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=(term, hup) peer=gdm*, network netlink raw, + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /sys/devices/virtual/misc/rfkill/uevent r, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index b6058e22..b0d8a552 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy 
@@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 0f7fb325..2268b138 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,19 +9,39 @@ include @{exec_path} = @{libexec}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include + include + include + include + include signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9] + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings, + + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]*} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index fca97800..c542accb 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard 
@@ -9,7 +9,8 @@ include @{exec_path} = @{libexec}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include + include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -20,9 +21,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 83a7520c..9d604545 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -10,7 +10,8 @@ include profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include - include + include + include signal (receive) set=(term, hup) peer=gdm*, @@ -28,9 +29,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index f461d904..4ab3a39e 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -9,14 +9,11 @@ include @{exec_path} = @{libexec}/gsd-usb-protection profile gsd-usb-protection @{exec_path} { include - include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 8585d792..3bb701c7 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom 
@@ -9,7 +9,8 @@ include @{exec_path} = @{libexec}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include @@ -28,9 +29,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, /var/lib/gdm/.config/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 9bf870d8..2192ebae 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,7 +9,9 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include + include + include + include include include include @@ -24,6 +26,18 @@ profile gsd-xsettings @{exec_path} { network inet6 dgram, network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member={SetInputSources,Changed,GetAll}, + + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=FindUserByName, + @{exec_path} mr, /{usr/,}bin/cat rix, 
@@ -48,13 +62,11 @@ profile gsd-xsettings @{exec_path} { owner @{user_cache_dirs}/mesa_shader_cache/index rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, - - owner @{run}/systemd/users/@{uid}/ r, - @{run}/systemd/sessions/[0-9]* r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 16a887a8..c612512d 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -10,12 +10,17 @@ include profile nautilus @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include include include + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -24,8 +29,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/thumbnailers/{,**} r, /usr/share/tracker3/{,**} r, + /usr/share/ubuntu/applications/{,**} r, - owner @{user_share_dirs}/nautilus/{,**} rwk, + /var/lib/snapd/desktop/icons/{,**} r, # Full access to user's data / r, @@ -42,11 +48,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { deny /tmp/.* rw, deny /tmp/.*/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{user_share_dirs}/nautilus/{,**} rwk, @{run}/mount/utab r, - @{run}/systemd/userdb/ r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index a9a36e9b..f7429593 100644 --- a/apparmor.d/groups/gnome/seahorse 
+++ b/apparmor.d/groups/gnome/seahorse @@ -9,11 +9,32 @@ include @{exec_path} = /{usr/,}bin/seahorse profile seahorse @{exec_path} { include - include + include + include + include include include include + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew} + peer=(name=org.freedesktop.Avahi), + + dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi), + + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow}, + @{exec_path} mr, /{usr/,}bin/gpgconf rPx, @@ -21,12 +42,11 @@ profile seahorse @{exec_path} { /{usr/,}bin/gpgsm rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, - - # Seahorse and SSH keys - owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, + /usr/share/ubuntu/applications/ r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + /var/lib/snapd/desktop/icons/ r, + + owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 070db186..f3fa89e5 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,13 +9,14 @@ include @{exec_path} = @{libexec}/tracker-extract-3 profile tracker-extract @{exec_path} { include - include + include include include include include include include + include network netlink raw, 
@@ -38,18 +39,19 @@ profile tracker-extract @{exec_path} { /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/snapd/desktop/applications/*.desktop r, + # Allow to search user files owner @{HOME}/{,**} r, - owner @{MOUNTS}/*/{,**} r, + owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, - owner /tmp/tracker-extract-3-files.*/{,*} rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_share_dirs}/gvfs-metadata/** r, - + + owner /tmp/tracker-extract-3-files.*/{,*} rw, + owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/blkid/blkid.tab r, @{run}/udev/data/c235:* r, @@ -61,6 +63,7 @@ profile tracker-extract @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + /dev/dri/card[0-9]* rw, /dev/dri/renderD128 rw, /dev/media[0-9]* r, /dev/video[0-9]* rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 921f8b5c..ce6051e1 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,20 +9,25 @@ include @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3 profile tracker-miner @{exec_path} { include - include # TODO: FIXME: See if we keep them like this. - include + include + include + include include + include include include include + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, - /usr/share/applications/{,mimeinfo.cache,*.list} r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/mime/mime.cache r, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, /usr/share/ubuntu/applications/ r, 
@@ -40,11 +45,9 @@ profile tracker-miner @{exec_path} { # Allow to search user files owner @{HOME}/{,**} r, - owner @{MOUNTS}/*/{,**} r, + owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, - owner @{user_share_dirs}/{applications/,mime/mime.cache} r, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/tracker3/{,**} rwk, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, @@ -52,8 +55,6 @@ profile tracker-miner @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/blkid/blkid.tab r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 95e9296b..bd53411b 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -29,11 +29,11 @@ profile dirmngr @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/crls.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 40bfaea5..e7b4d13f 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
@@ -30,8 +30,8 @@ profile gpg @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**, + owner @{user_projects_dirs}/**/gnupg/ rw, + owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, @@ -77,7 +77,7 @@ profile gpg @{exec_path} { # Verify files owner @{HOME}/** r, - owner @{MOUNTS}/*/** r, + owner @{MOUNTS}/** r, owner @{PROC}/@{pid}/task/@{tid}/stat rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 38ba5378..4bf35cbd 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -29,19 +29,19 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r, + owner @{user_projects_dirs}/**/{.,}gnupg/ rw, + owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index d943273b..e5ba0a3b 100644 --- a/apparmor.d/groups/gpg/gpgconf 
+++ b/apparmor.d/groups/gpg/gpgconf @@ -24,7 +24,7 @@ profile gpgconf @{exec_path} { /{usr/,}bin/pinentry-* rPx, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**, + owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, owner @{PROC}/@{pid}/task/@{tid}/stat rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index 78a371d4..9792071b 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -16,7 +16,7 @@ profile gpgsm @{exec_path} { deny /usr/bin/.gnupg/ w, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, + owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 5373623e..1baa4eda 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-afc-volume-monitor profile gvfs-afc-volume-monitor @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 1eaa0116..d55fa7de 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-goa-volume-monitor profile gvfs-goa-volume-monitor @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index 88864385..b5844365 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor 
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor profile gvfs-gphoto2-volume-monitor @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 94978f25..1163dd54 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-mtp-volume-monitor profile gvfs-mtp-volume-monitor @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index c18b5fc4..19f28dcb 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -11,7 +11,9 @@ include @{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include - include + include + include + include include include include @@ -25,6 +27,10 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { ptrace (read), + dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.{DBus.*,UDisks2.*} + peer=(label=udisksd), + @{exec_path} mr, /{usr/,}bin/lsof rix, @@ -42,20 +48,17 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { owner @{MOUNTS}/**/ r, owner @{HOME}/**/ r, - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/[0-9]* r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/* r, + @{PROC}/@{pids}/net/* r, @{PROC}/ r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, @{PROC}/1/cgroup r, @{PROC}/locks r, 
diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index ed9b3aa2..6694eafb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -20,7 +20,7 @@ profile gvfsd-archive @{exec_path} { owner @{HOME}/**.{tar,tar.gz,zip} r, owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 6238d434..8b46a207 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-dav profile gvfsd-dav @{exec_path} { include - include + include include include include @@ -28,8 +28,6 @@ profile gvfsd-dav @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mime/mime.cache r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 2e9861c1..0c83581b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -11,11 +11,26 @@ include @{exec_path} += @{libexec}/gvfsd-dnssd profile gvfsd-dnssd @{exec_path} { include + include + include + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Ping,GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), + + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9] + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow}, @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw, include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index a700e838..8fca7c25 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-ftp profile gvfsd-ftp @{exec_path} { include - include + include include include @@ -25,8 +25,5 @@ profile gvfsd-ftp @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 62248a59..eff61925 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -11,38 +11,41 @@ include @{exec_path} += @{libexec}/gvfsd-fuse profile gvfsd-fuse @{exec_path} { include + include + + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), + + mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, @{exec_path} mr, /{usr/,}bin/fusermount{,3} rCx -> fusermount, - mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, - @{PROC}/sys/fs/pipe-max-size r, - profile fusermount { include include - # To mount anything: - capability sys_admin, - capability dac_read_search, + capability sys_admin, # To mount anything - /{usr/,}bin/fusermount{,3} mr, + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, + /{usr/,}bin/fusermount{,3} mr, + /etc/fuse.conf r, /etc/machine-id r, - /dev/fuse rw, - @{PROC}/@{pid}/mounts r, + /dev/fuse rw, + } include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index bc61b9de..dfdbdd96 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-http profile gvfsd-http @{exec_path} { include - include + include include include include @@ -27,8 +27,6 @@ profile gvfsd-http @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 3a0e7d74..fb46ee85 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -10,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-metadata profile gvfsd-metadata @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index d5483993..2d09516a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-mtp profile gvfsd-mtp @{exec_path} { include - include + include include include include @@ -24,10 +24,8 @@ profile gvfsd-mtp @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{HOME}/{,**} rw, - owner @{MOUNTS}/*/{,**} rw, + owner @{MOUNTS}/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index df617a47..5b6c9ab7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,14 +11,13 @@ include @{exec_path} += @{libexec}/gvfsd-network profile gvfsd-network @{exec_path} { include - include + include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index a245dcfe..35d08324 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -19,7 +19,7 @@ profile gvfsd-recent @{exec_path} { # Full access to user's data owner @{HOME}/{,**} rw, - owner @{MOUNTS}/*/{,**} rw, + owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, owner @{user_config_dirs}/user-dirs.dirs r, @@ -31,7 +31,6 @@ profile gvfsd-recent @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, - @{run}/systemd/userdb/ r, @{run}/mount/utab r, include if exists 
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 989a9ad2..10fd9199 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-smb profile gvfsd-smb @{exec_path} { include - include + include include network netlink raw, @@ -26,8 +26,6 @@ profile gvfsd-smb @{exec_path} { /etc/samba/smb.conf r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 6ec204d0..d9488b3d 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,7 +11,8 @@ include @{exec_path} += @{libexec}/gvfsd-smb-browse profile gvfsd-smb-browse @{exec_path} { include - include + include + include include network netlink raw, @@ -27,8 +28,6 @@ profile gvfsd-smb-browse @{exec_path} { /etc/samba/smb.conf r, owner @{run}/samba/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 196a07e8..7b2913f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-trash profile gvfsd-trash @{exec_path} { include + include include include include @@ -23,7 +24,7 @@ profile gvfsd-trash @{exec_path} { # Can restore all user files owner @{HOME}/{,**} rw, - owner @{MOUNTS}/*/{,**} rw, + owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager new file mode 100644 index 00000000..0919ba88 --- /dev/null 
+++ b/apparmor.d/groups/network/ModemManager @@ -0,0 +1,67 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{,s}bin/ModemManager +profile ModemManager @{exec_path} flags=(attach_disconnected) { + include + include + include + + network netlink raw, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved}, + + dbus bind bus=system + name=org.freedesktop.ModemManager[0-9], + + @{exec_path} mr, + + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform* r, + @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/n[0-9]* r, + + @{run}/systemd/inhibit/*.ref rw, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/net/ r, + @{sys}/class/tty/ r, + @{sys}/class/wwan/ r, + + @{sys}/devices/**/uevent r, + @{sys}/devices/pci[0-9]*/**/{vendor,device,revision} r, + @{sys}/devices/virtual/net/*/ r, + @{sys}/devices/virtual/tty/*/ r, + + include if exists +} \ No newline at end of file 
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f6102481..c612f740 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}{,s}bin/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include + include + include include include include 
@@ -33,6 +35,54 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { network netlink raw, network packet dgram, + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**} + interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*}, + + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={Changed,CheckAuthorization,CancelCheckAuthorization}, + + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}, + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded, + + dbus send bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher + member=Action + peer=(name=org.freedesktop.nm_dispatcher), + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/resolve[0-9] + interface=org.freedesktop.resolve[0-9].Manager + member={SetLink*,ResolveHostname}, + # org.freedesktop.resolve1 + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus bind bus=system + name=org.freedesktop.NetworkManager, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
@@ -47,7 +97,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/nm-openvpn-service rPx, /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx, - /dev/rfkill rw, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, / r, /etc/ r, @@ -86,5 +136,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/** rw, + /dev/rfkill rw, + include if exists } diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon new file mode 100644 index 00000000..4f7fe0cc --- /dev/null +++ b/apparmor.d/groups/network/mullvad-daemon @@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon" +profile mullvad-daemon @{exec_path} { + include + include + + capability dac_override, + capability net_admin, + capability net_raw, + capability sys_admin, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network netlink dgram, + + mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + + @{exec_path} mr, + + "/opt/Mullvad VPN/resources/*" r, + + /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/*.json rw, + /etc/resolv.conf rw, + /etc/resolv.conf.mullvadbackup rw, + + /var/cache/mullvad-vpn/{,*} rw, + /var/log/mullvad-vpn/{,*} rw, + + @{run}/mullvad-vpn rw, + @{run}/NetworkManager/resolv.conf r, + + @{sys}/fs/cgroup/net_cls/ w, + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, + + include if exists +} \ No newline at end of file 
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui new file mode 100644 index 00000000..a602dbfe --- /dev/null +++ b/apparmor.d/groups/network/mullvad-gui @@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = "/opt/Mullvad VPN/mullvad-gui" +profile mullvad-gui @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + + capability sys_chroot, + capability sys_ptrace, + capability sys_admin, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mrix, + + "/opt/Mullvad VPN/*.so*" rm, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gsettings rix, + /{usr/,}bin/xdg-open rPx, + + "/opt/Mullvad VPN/{,**}" r, + /usr/share/themes/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/libva.conf r, + /var/lib/dbus/machine-id r, + + owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk, + + owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, + + @{sys}/bus/pci/devices/ r, + @{sys}/devices/virtual/tty/tty[0-9]*/active r, + @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r, + + @{PROC}/ r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{uid}/cmdline r, + owner @{PROC}/@{uid}/fd/ r, + owner @{PROC}/@{uid}/cgroup r, + owner @{PROC}/@{uid}/gid_map w, + owner @{PROC}/@{uid}/oom_score_adj w, + owner @{PROC}/@{uid}/setgroups w, + owner @{PROC}/@{uid}/stat r, + owner @{PROC}/@{uid}/statm r, + owner @{PROC}/@{uid}/task/ r, + owner @{PROC}/@{uid}/task/@{tid}/status r, + owner @{PROC}/@{uid}/uid_map w, + + /dev/tty rw, + + include if exists +} \ No newline at end of file 
diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher new file mode 100644 index 00000000..ed8fe89c --- /dev/null +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/networkd-dispatcher +profile networkd-dispatcher @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/ r, + /{usr/,}bin/networkctl rPx, + + @{run}/systemd/notify rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 8945157e..11dfdf16 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -7,14 +7,32 @@ abi , include @{exec_path} = /{usr/,}lib/nm-dispatcher +@{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher profile nm-dispatcher @{exec_path} { include + include capability sys_nice, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName}, + + dbus receive bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher, + + dbus bind bus=system + name=org.freedesktop.nm_dispatcher, + @{exec_path} mr, - /etc/NetworkManager/dispatcher.d/{,**} r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/run-parts rPx, + + /etc/NetworkManager/dispatcher.d/ r, + /etc/NetworkManager/dispatcher.d/** rix, + + @{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 5c799a41..3676d643 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service 
@@ -24,7 +24,6 @@ profile nm-openvpn-service @{exec_path} { /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx, /{usr/,}bin/kmod rPx, - @{run}/systemd/userdb/ r, @{run}/NetworkManager/nm-openvpn-@{uuid} rw, /dev/net/tun rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 9f7d73f9..36bf1d12 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -15,6 +15,7 @@ profile tailscaled @{exec_path} { capability dac_read_search, capability mknod, capability net_admin, + capability net_raw, capability sys_ptrace, network inet dgram, @@ -30,10 +31,14 @@ profile tailscaled @{exec_path} { /{usr/,}bin/ip rix, /{usr/,}{s,}bin/xtables-nft-multi rix, - /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/systemctl rCx -> systemctl, /etc/iproute2/rt_tables r, + /etc/resolv.*.conf rw, + /etc/resolv.conf rw, + /etc/resolv.conf.*.tmp rw, + owner /var/lib/tailscale/{,**} rw, owner @{run}/tailscale/{,**} rw, @@ -54,5 +59,21 @@ profile tailscaled @{exec_path} { /dev/net/tun rw, + profile systemctl { + include + + capability mknod, + capability net_admin, + + network netlink raw, + + ptrace (read), + + /{usr/,}bin/systemctl mr, + + /dev/net/tun rw, + + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg new file mode 100644 index 00000000..6f4bf4ea --- /dev/null +++ b/apparmor.d/groups/network/wg @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/wg +profile wg @{exec_path} { + include + + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick new file mode 100644 index 00000000..06ccb7d6 --- /dev/null 
+++ b/apparmor.d/groups/network/wg-quick @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/wg-quick +profile wg-quick @{exec_path} { + include + + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + /{usr/,}{s,}bin/nft rix, + /{usr/,}{s,}bin/sysctl rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/ip rPx, + /{usr/,}bin/readlink rix, + /{usr/,}bin/resolvectl rPx, + /{usr/,}bin/sort rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/wg rPx, + /{usr/,}bin/xtables-nft-multi rix, + + /usr/share/terminfo/x/xterm-256color r, + + /etc/iproute2/group r, + /etc/iproute2/rt_realms r, + /etc/resolvconf/interface-order r, + /etc/wireguard/*.conf r, + + @{sys}/module/wireguard r, + + @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + + /dev/tty rw, + + # Force the use as root + deny /{usr/,}bin/sudo x, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 644d7408..050fdd2c 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -70,6 +70,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/vconsole.conf r, /usr/share/kbd/keymaps/{,**} r, + /usr/share/plymouth/*.png r, /usr/share/plymouth/plymouthd.defaults r, /usr/share/plymouth/themes/{,**} r, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 0f1352db..81ba8b56 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -21,6 +21,7 @@ profile pacman @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability kill, capability mknod, capability net_admin, capability setfcap, 
@@ -83,6 +84,7 @@ profile pacman @{exec_path} { /{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/groupadd rPx, /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx, + /{usr/,}bin/install-catalog rPx, /{usr/,}bin/install-info rPx, /{usr/,}bin/journalctl rPx, /{usr/,}bin/locale-gen rPx, @@ -124,7 +126,9 @@ profile pacman @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 9f9f7459..69d17130 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -43,11 +43,14 @@ profile pacman-key @{exec_path} { profile gpg { include + include + include capability dac_read_search, capability mknod, /{usr/,}bin/gpg mr, + /{usr/,}bin/dirmngr rix, /{usr/,}bin/gpg-agent rix, /usr/share/pacman/keyrings/{,*} r, diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3cd08f48..82c31bb8 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -9,8 +9,13 @@ include @{exec_path} = /{usr/,}lib/openssh/sftp-server profile sftp-server @{exec_path} { include + include + include + + capability dac_read_search, + capability dac_override, @{exec_path} mr, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 76eeedf8..4788e190 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh 
@@ -30,8 +30,8 @@ profile ssh @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r, + owner @{user_projects_dirs}/**/ssh/{,*} r, + owner @{user_projects_dirs}/**/config r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 0b9db0ff..e5e75be7 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -29,7 +29,7 @@ profile ssh-agent @{exec_path} { # SSH keys owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, + owner @{user_projects_dirs}/**/ssh/{,*} r, # When started via systemd @{run}/user/@{uid}/openssh_agent rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 4dbb5786..ff37f0ca 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -19,6 +19,7 @@ include profile sshd @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -29,6 +30,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, capability dac_read_search, + capability fowner, capability kill, capability net_bind_service, capability setgid, 
@@ -43,11 +45,22 @@ profile sshd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=unconfined, + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CreateSession,ReleaseSession} + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mrix, + /{usr/,}{s,}bin/nologin rPx, /{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{c,k,tc,z}sh rUx, - /{usr/,}{s,}bin/nologin rPx, /{usr/,}bin/false rix, /{usr/,}bin/passwd rPx, /{usr/,}lib/openssh/sftp-server rPx, @@ -55,15 +68,16 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /etc/default/locale r, /etc/environment r, /etc/gss/mech.d/{,*} r, - /etc/security/limits.d/ r, + /etc/issue.net r, /etc/motd r, + /etc/security/limits.d/{,*.conf} r, /etc/ssh/ssh_host_* r, /etc/ssh/sshd_config r, /etc/ssh/sshd_config.d/{,*} r, # For scp - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, + owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, @@ -72,11 +86,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/resolvconf/resolv.conf r, - @{run}/systemd/sessions/[0-9]*.ref rw, - @{run}/systemd/userdb/ r, + @{run}/systemd/notify w, + @{run}/systemd/sessions/*.ref rw, + @{run}/faillock/[a-zA-z0-9]* rwk, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-c[0-9]*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid rw, 
@@ -87,11 +102,10 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, @{PROC}/cmdline r, - @{PROC}/cmdline r, @{PROC}/filesystems r, @{PROC}/sys/kernel/ngroups_max r, /dev/ptmx rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 1da11fc0..f754f9fa 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -24,12 +24,14 @@ profile bootctl @{exec_path} { /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, - /{boot,efi}/loader/{,**} r, /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, /{boot,efi}/EFI/systemd/systemd-boot*.efi w, /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw, + /{boot,efi}/loader/.#entries.srel* w, + /{boot,efi}/loader/{,**} r, + /{boot,efi}/loader/entries.srel w, /{boot,efi}/loader/random-seed w, /etc/machine-id r, @@ -37,15 +39,20 @@ profile bootctl @{exec_path} { @{run}/host/container-manager r, + @{sys}//class/tpmrm/ r, + @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 6919dd66..338f4f98 100644 
--- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -16,6 +16,7 @@ include profile child-systemctl flags=(attach_disconnected) { include include + include include capability net_admin, @@ -26,6 +27,10 @@ profile child-systemctl flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.systemd[0-9].Manager + member=GetUnitFileState, + /{usr/,}bin/systemctl mr, /etc/systemd/user/{,**} rwl, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 43d1890e..1768c1af 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -27,24 +27,23 @@ profile journalctl @{exec_path} { /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, - - @{run}/host/container-manager r, - - # For --setup-keys and --verify - owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, - owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, - owner /var/tmp/#[0-9]* rw, + /var/lib/dbus/machine-id r, + /etc/machine-id r, /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/[0-9a-f]*/ r, + /{run,var}/log/journal/[0-9a-f]*/system.journal* r, + /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, + /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, + owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, + owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, + owner /var/tmp/#[0-9]* rw, + + @{run}/host/container-manager r, + @{run}/systemd/journal/io.systemd.journal rw, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 5fbe2c74..698fd2f3 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -10,13 +10,13 @@ include @{exec_path} = /{usr/,}bin/networkctl profile networkctl @{exec_path} flags=(complain) { include + include - # To be able to manage network interfaces, capability net_admin, # Needed? (#FIXME#) - audit deny capability sys_resource, - audit deny capability sys_module, + audit capability sys_resource, + audit capability sys_module, signal send peer=child-pager, 
@@ -24,6 +24,11 @@ profile networkctl @{exec_path} flags=(complain) { network inet6 dgram, network netlink raw, + dbus send bus=system path=/org/freedesktop/network[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.network[0-9]), + @{exec_path} mr, /{usr/,}bin/pager rPx -> child-pager, @@ -49,6 +54,7 @@ profile networkctl @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, + @{PROC}/filesystems r, @{PROC}/sys/kernel/random/boot_id r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index a070b1e8..271a3eb3 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze 
@@ -28,38 +28,35 @@ profile systemd-analyze @{exec_path} { /{usr/,}bin/more rPx -> child-pager, /{usr/,}bin/man rPx, + /usr/ r, + /{usr/,}lib/systemd/** r, + + /etc/default/locale r, + /etc/locale.conf r, + /etc/systemd/** r, + + owner /tmp/systemd-temporary-*/ rw, + + @{run}/systemd/system/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/udev/data/* r, + @{run}/udev/tags/systemd/ r, + + @{sys}/devices/**/uevent r, + @{sys}/firmware/acpi/tables/FPDT r, + @{sys}/fs/cgroup/{,**} r, + @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, + @{sys}/fs/cgroup/unified/**/init.scope/ rw, + @{sys}/module/**/uevent r, + + @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/comm r, @{PROC}/swaps r, - # For systemd-analyze cat-config - /etc/systemd/** r, - /{usr/,}lib/systemd/** r, - - @{sys}/fs/cgroup/{,**} r, - @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, - @{sys}/fs/cgroup/unified/**/init.scope/ rw, - @{sys}/firmware/acpi/tables/FPDT r, - - @{sys}/module/**/uevent r, - @{sys}/devices/**/uevent r, - @{run}/udev/data/* r, - - @{run}/udev/tags/systemd/ r, - @{run}/systemd/system/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - - owner /tmp/systemd-temporary-*/ rw, - - /usr/ r, - - /etc/default/locale r, - /etc/locale.conf r, - - @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, - /dev/tty rw, /dev/pts/1 rw, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index c095b7e1..b37d8f5d 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -22,6 +22,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_ptrace, + mount -> /, + @{exec_path} mr, /{usr/,}bin/* r, 
@@ -30,8 +32,6 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { /opt/** r, / r, - mount -> /, - /etc/systemd/coredump.conf r, /var/lib/systemd/coredump/ r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 4fbf1b5e..8cc0dc4f 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,14 +10,29 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include + include include - # To set a hostname - capability sys_admin, + capability sys_admin, # To set a hostname + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName}, + + dbus receive bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member={Get,GetAll}, + + dbus bind bus=system + name=org.freedesktop.hostname[0-9], @{exec_path} mr, + @{run}/systemd/notify rw, + @{run}/udev/data/+dmi:id r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, @@ -25,7 +40,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, - @{run}/udev/data/+dmi:id r, @{sys}/firmware/dmi/entries/*/raw r, /etc/.#hostname* rw, @@ -34,4 +48,5 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+dmi:id r, + include if exists } 
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 3f72381f..26efae51 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -47,13 +47,16 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform* r, @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+sdio:* r, @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, + @{run}/udev/data/c1:[0-9]* r, @{run}/udev/data/c10:224 r, # for /dev/tpm0 @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c23[0-9]:[0-9]* r, @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c4:[0-9]* r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c3a3e304..c2a6be9e 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -15,20 +15,33 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include # Needed? - audit deny capability net_admin, + audit capability net_admin, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={ReleaseName,RequestName} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/locale[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus bind bus=system + name=org.freedesktop.locale[0-9], @{exec_path} mr, - /etc/default/keyboard r, - - /etc/default/locale rw, - /etc/default/.#locale* rw, - /etc/locale.conf r, - /etc/vconsole.conf r, - /usr/share/systemd/language-fallback-map r, /usr/share/X11/xkb/rules/evdev r, + /etc/default/.#locale* rw, + /etc/default/keyboard r, + /etc/default/locale rw, + /etc/locale.conf r, + /etc/vconsole.conf r, /etc/X11/xorg.conf.d/*.conf r, + @{run}/systemd/notify rw, + + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 55a79fc0..3afc0562 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,8 +11,9 @@ include profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { include include - include include + include + include include capability chown, 
@@ -23,20 +25,54 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} + interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*}, + + dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.systemd[0-9].Manager + member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit}, + + dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/{unit,job}/** + interface=org.freedesktop.DBus.Properties + member={Get,PropertiesChanged}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/** + interface=org.freedesktop.systemd[0-9].Scope + member=Abandon, + + dbus receive bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus bind bus=system + name=org.freedesktop.login[0-9], + @{exec_path} mr, /etc/machine-id r, - /etc/nsswitch.conf r, - /etc/passwd r, /etc/systemd/logind.conf r, /etc/systemd/sleep.conf r, + /swapfile r, /boot/{,**} r, /var/lib/systemd/linger/ r, + @{run}/.#nologin* rw, @{run}/host/container-manager r, - + @{run}/nologin rw, @{run}/utmp rk, @{run}/udev/tags/master-of-seat/ r, 
@@ -51,7 +87,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/data/c10:[0-9]* r, @{run}/udev/data/c116:[0-9]* r, # for ALSA @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c21:[0-9]* r, @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/c21:[0-9]* r, @{run}/udev/data/c23[0-9]:[0-9]* r, @{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/c29:[0-9]* r, @@ -61,20 +99,19 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/systemd/journal/socket rw, + @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat[0-9]* rw, - @{run}/systemd/sessions/ rw, - @{run}/systemd/sessions/.#* rw, - @{run}/systemd/sessions/[0-9]*{,.ref} rw, - @{run}/systemd/userdb/ r, + @{run}/systemd/sessions/{,*} rw, + @{run}/systemd/sessions/*.ref rw, + @{run}/systemd/shutdown/.#scheduled* rw, + @{run}/systemd/shutdown/scheduled rw, @{run}/systemd/users/ rw, @{run}/systemd/users/.#* rw, @{run}/systemd/users/@{uid} rw, - @{run}/systemd/journal/socket rw, - @{run}/systemd/notify rw, - @{sys}/class/drm/ r, @{sys}/devices/**/{uevent,enabled,status} r, @{sys}/devices/**/brightness rw, @@ -101,7 +138,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { /dev/dri/card[0-9]* rw, /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, - /dev/nvme* r, /dev/shm/{,**/} rw, /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index a8290f4a..86a0d4f7 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup 
@@ -9,6 +9,9 @@ include @{exec_path} = /{usr/,}bin/systemd-machine-id-setup profile systemd-machine-id-setup @{exec_path} { include + include + + capability dac_override, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 01962a1d..2144f299 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-makefs profile systemd-makefs @{exec_path} { include + include + include capability net_admin, capability sys_resource, @@ -18,10 +20,5 @@ profile systemd-makefs @{exec_path} { /{usr/,}{s,}bin/mkswap rPx, /{usr/,}bin/mkfs.* rPx, - @{sys}/devices/virtual/block/zram[0-9]*/ r, - @{sys}/devices/virtual/block/zram[0-9]*/** r, - - /dev/zram[0-9]* rwk, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 8aaa47e1..51c95970 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,6 +15,14 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus bind bus=system + name=org.freedesktop.oom[0-9], + @{exec_path} mr, /etc/systemd/oomd.conf r, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve new file mode 100644 index 00000000..2974f5f3 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-resolve 
@@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/resolvectl +@{exec_path} += /{usr/,}bin/systemd-resolve +profile systemd-resolve @{exec_path} { + include + + capability mknod, + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 13a5dc58..c410568f 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -11,6 +11,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -28,6 +29,17 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/resolve[0-9] + interface=org.freedesktop.resolve[0-9].Manager, + + dbus bind bus=system + name=org.freedesktop.resolve[0-9], + @{exec_path} mr, /etc/systemd/resolved.conf r, @@ -39,6 +51,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/resolve/{,**} rw, @{PROC}/sys/kernel/hostname r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 1e227632..ddd2c425 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -14,6 +15,21 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, + dbus (send,receive) bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={AddMatch,ReleaseName,RequestName}, + + dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/timedate[0-1] + interface=org.freedesktop.DBus.Properties + member={Get,GetAll}, + + dbus bind bus=system + name=org.freedesktop.timedate[0-9], + @{exec_path} mr, /dev/rtc[0-9] r, @@ -27,5 +43,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, + @{run}/systemd/notify rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 1eb2b263..7dd0eb07 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -12,12 +12,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { include include include - include capability sys_time, network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -33,5 +34,19 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify rw, + # dbus-stricter + @{run}/dbus/system_bus_socket rw, + + dbus send + bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,RequestName} + peer=(name=org.freedesktop.DBus), + + dbus bind + bus=system + name=org.freedesktop.timesync1, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 07f1a181..4356579f 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles 
@@ -46,7 +46,6 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /usr/{,**} rw, /var/{,**} rwk, - @{run}/systemd/userdb/ r, @{sys}/devices/system/cpu/microcode/reload w, @{PROC}/@{pid}/net/unix r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 204a9b3e..58bebab9 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -11,12 +11,19 @@ profile systemd-tty-ask-password-agent @{exec_path} { include include +# capability net_admin, + + signal (receive) set=(term cont) peer=logrotate, + @{exec_path} mr, @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/ r, @{PROC}/@{pids}/stat r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/cmdline r, + @{PROC}/1/environ r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 0a6a24fc..54adc87e 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -49,8 +49,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { /{usr/,}{s,}bin/* rPUx, - /{usr,/}lib/pm-utils/power.d/* rPUx, - /{usr,/}lib/snapd/snap-device-helper rPx, # TODO: but later + /{usr/,}lib/pm-utils/power.d/* rPUx, + /{usr/,}lib/snapd/snap-device-helper rPx, /{usr/,}lib/crda/* rPUx, /{usr/,}lib/gdm-runtime-config rPx, /{usr/,}lib/systemd/systemd-* rPx, @@ -92,6 +92,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/devices r, + @{PROC}/driver/nvidia/gpus/ r, /dev/ rw, /dev/** rwk, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 0c61f1eb..c5c263a1 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir 
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-user-runtime-dir profile systemd-user-runtime-dir @{exec_path} { include + include include include @@ -21,6 +22,11 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index a74fc276..585b841c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -10,18 +10,21 @@ include profile systemd-vconsole-setup @{exec_path} { include include + include include + capability dac_override, capability sys_ptrace, capability sys_resource, capability sys_tty_config, @{exec_path} mr, - /{usr/,}bin/loadkeys rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/loadkeys rix, / r, - /usr/share/kbd/keymaps/{,**} r, /etc/vconsole.conf r, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 08411531..caaee986 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -18,12 +18,9 @@ profile userdbctl @{exec_path} { /{usr/,}bin/less rPx -> child-pager, - /etc/group r, /etc/shadow r, /etc/gshadow r, - @{run}/systemd/userdb/ r, - @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 56e0b48e..5eb039e4 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports 
@@ -9,8 +9,9 @@ include @{exec_path} = /usr/share/apport/apport-checkreports profile apport-checkreports @{exec_path} { include - include + include include + include @{exec_path} mr, @@ -21,6 +22,9 @@ profile apport-checkreports @{exec_path} { /usr/share/apport/ r, /etc/apt/apt.conf.d/{,**} r, + /etc/default/apport r, + + /var/crash/ r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk new file mode 100644 index 00000000..4cb03377 --- /dev/null +++ b/apparmor.d/groups/ubuntu/apport-gtk 
@@ -0,0 +1,105 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/apport/apport-gtk +profile apport-gtk @{exec_path} { + include + include + include + include + include + include + include + include + include + + capability sys_ptrace, + + @{exec_path} mr, + + /{usr/,}{s,}bin/killall5 rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{f,}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/ldd rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}lib/@{multiarch}/ld*.so* rix, + /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/pkexec rPx, # TODO: rCx or something + /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg-divert rPx, + /{usr/,}bin/gdb rCx -> gdb, + /{usr/,}bin/gsettings rPx, + /{usr/,}bin/journalctl rPx, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/systemctl rPx -> child-systemctl, + + /usr/share/alsa/{,**} r, + /usr/share/apport/{,**} r, + /usr/share/apport/general-hooks/*.py r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/themes/{,**} r, + /usr/share/X11/xkb/{,**} r, + + /etc/apport/blacklist.d/apport r, + /etc/apport/blacklist.d/README.blacklist r, + /etc/apport/crashdb.conf r, + /etc/bash_completion.d/apport_completion r, + /etc/cron.daily/apport r, + /etc/default/apport r, + /etc/init.d/apport r, + /etc/logrotate.d/apport r, + /etc/xdg/autostart/*.desktop r, + + /var/crash/{,*.@{uid}.crash} r, + /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.md5sums r, + /var/log/installer/media-info r, + + owner @{run}/user/@{uid}/wayland-[0-9] rw, + + /tmp/[a-z0-9]* rw, + /tmp/apport_core_* rw, + /tmp/launchpadlib.cache.[a-z0-9]*/ rw, + /tmp/tmp[a-z0-9]*/{,**} rw, + + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/stat r, + @{PROC}/modules r, + 
@{PROC}/version_signature r, + owner @{PROC}/@{pid}/cgroup r, + + profile gdb { + include + include + include + + /{usr/,}bin/gdb mr, + + /{usr/,}bin/iconv rix, + /{usr/,}{s,}bin/* r, + + /usr/share/gdb/{,**} r, + + /etc/gdb/{,**} r, + + /tmp/apport_core_* r, + + @{PROC}/@{pids}/fd/ r, + + } + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook new file mode 100644 index 00000000..c9456448 --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-hook +profile apt-esm-hook @{exec_path} { + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + /etc/machine-id r, + + /var/cache/apt/pkgcache.bin* rw, + /var/lib/ubuntu-advantage/messages/{,**} rw, + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cmdline r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook new file mode 100644 index 00000000..d44f5110 --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook +profile apt-esm-json-hook @{exec_path} { + include + include + + unix (receive, send) type=stream peer=(label=apt), + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk new file mode 100644 index 00000000..de44a851 --- /dev/null 
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk +profile check-new-release-gtk @{exec_path} { + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + + /usr/share/distro-info/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/icons/{,**} r, + /usr/share/themes/{,**} r, + /usr/share/ubuntu-release-upgrader/{,**} r, + /usr/share/update-manager/{,**} r, + /usr/share/X11/xkb/{,**} r, + + /etc/update-manager/{,**} r, + + /var/lib/update-manager/{,**} rw, + + owner @{user_cache_dirs}/update-manager-core/{,**} rw, + + owner @{run}/user/@{uid}/wayland-[0-9] rw, + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mounts r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan new file mode 100644 index 00000000..ee5e23ac --- /dev/null +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan 
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/network/if-up.d/ubuntu-fan +profile cron-ubuntu-fan @{exec_path} { + include + + network netlink raw, + + @{exec_path} mr, + + /{usr/,}bin/{,da,ba}sh rix, + /{usr/,}{s,}bin/fanctl rix, + /{usr/,}bin/flock rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/id rix, + /{usr/,}bin/ip rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/touch rix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade new file mode 100644 index 00000000..80ddfe97 --- /dev/null +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/do-release-upgrade +profile do-release-upgrade @{exec_path} { + include + include + include + include + include + include + + capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + + /usr/share/distro-info/*.csv r, + /usr/share/ubuntu-release-upgrader/{,**} r, + + /etc/machine-id r, + /etc/update-manager/{,**} r, + + /var/lib/update-manager/* rw, + /var/cache/apt/pkgcache.bin{,.*} rw, + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status new file mode 100644 index 00000000..83cb07e3 --- /dev/null 
+++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/hwe-support-status +profile hwe-support-status @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/lsb_release rPx -> lsb_release, + + /usr/share/distro-info/{,**} r, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages new file mode 100644 index 00000000..42d9589e --- /dev/null +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/update-notifier/list-oem-metapackages +profile list-oem-metapackages @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/ischroot rix, + + /etc/machine-id r, + + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/filesystems r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 33965de6..2b6c6da5 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification 
@@ -9,17 +9,20 @@ include @{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include + include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/X11/{,**} r, - /usr/share/themes/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/at-spi/bus rw, + owner @{run}/user/@{uid}/bus rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + + @{run}/user/@{uid}/gdm/Xauthority r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required new file mode 100644 index 00000000..0ef30e5f --- /dev/null +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/update-notifier/notify-reboot-required +profile notify-reboot-required @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gettext rix, + + /usr/share/update-notifier/notify-reboot-required r, + + @{run}/reboot-required rw, + @{run}/reboot-required.pkgs rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index d307f0eb..5ad67ae7 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -11,10 +11,14 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_ptrace, capability syslog, ptrace (read), + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
@@ -22,6 +26,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/unix r, + owner @{PROC}/@{pid}/stat r, @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/maps r, diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index ba55b853..37de8341 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -10,15 +10,50 @@ include profile packagekitd @{exec_path} { include include + include include capability sys_nice, network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.{DBus.*,PackageKit}, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved}, + + dbus bind bus=system + name=org.freedesktop.PackageKit, + @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, /usr/share/dpkg/tupletable r, /usr/share/dpkg/cputable r, 
diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd new file mode 100644 index 00000000..ae1a42b7 --- /dev/null +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd +profile release-upgrade-motd @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/date rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/do-release-upgrade rPx, + + /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus new file mode 100644 index 00000000..0bea79d9 --- /dev/null +++ b/apparmor.d/groups/ubuntu/software-properties-dbus 
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/software-properties/software-properties-dbus +profile software-properties-dbus @{exec_path} { + include + include + include + include + include + include + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload, + + dbus bind bus=system + name=com.ubuntu.SoftwareProperties, + + @{exec_path} mr, + + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/env rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + + /usr/share/python-apt/{,**} r, + /usr/share/distro-info/*.csv r, + /usr/share/xml/iso-codes/{,**} r, + + owner /tmp/[a-z0-9]* rw, + owner /tmp/tmp*/{,apt.conf} rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk new file mode 100644 index 00000000..f5e7e6d9 --- /dev/null +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/software-properties-gtk +profile software-properties-gtk @{exec_path} { + include + include + include + include + include + include + include + + dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager} + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus send bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + @{exec_path} mr, + + /{usr/,}bin/ r, + + /{usr/,}bin/aplay rPx, + /{usr/,}bin/apt-key rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/ubuntu-advantage rPx, + + /usr/share/distro-info/*.csv r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/icons/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/pixmaps/ r, + /usr/share/python-apt/{,**} r, + /usr/share/software-properties/{,**} r, + /usr/share/themes/{,**} r, + /usr/share/ubuntu-drivers-common/detect/{,**} r, + /usr/share/X11/xkb/{,**} r, + /usr/share/xml/iso-codes/{,**} r, + + /etc/gtk-3.0/settings.ini r, + /etc/machine-id r, + /etc/update-manager/release-upgrades r, + + /var/lib/snapd/desktop/icons/ r, + + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + + owner /tmp/[a-z0-9]* rw, + owner /tmp/tmp*/{,apt.conf} rw, + + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + + @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage new file mode 100644 index 00000000..204dc38c --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage 
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/ubuntu-advantage +profile ubuntu-advantage @{exec_path} { + include + include + include + include + include + include + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + /etc/ubuntu-advantage/uaclient.conf r, + + owner /tmp/tmp[0-9a-z]*/apt.conf r, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index c6e3f327..5096582a 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,17 +9,17 @@ include @{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include + include + include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/X11/xkb/{,**} r, - /usr/share/themes/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index a6b6447d..ed2afd88 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report 
@@ -10,15 +10,14 @@ include profile ubuntu-report @{exec_path} { include include + include @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, owner @{user_cache_dirs}/ubuntu-report/{,*} r, - @{run}/systemd/resolve/stub-resolv.conf r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager new file mode 100644 index 00000000..32f2e4f2 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -0,0 +1,103 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/update-manager +profile update-manager @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + signal (send) peer=apt-methods-http, + + dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*} + interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}} + member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=StartServiceByName, + + dbus send bus=system path=/org/freedesktop/NetworkManager{,/ActiveConnection/[0-9]*,/Devices/[0-9]*} + interface=org.freedesktop.DBus.{Properties,Introspectable} + member={Introspect,Get}, + + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.DBus.{Properties,Introspectable} + member={Get,Introspect}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=StateChanged, + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/hwe-support-status rPx, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/snap rPUx, + /{usr/,}bin/software-properties-gtk rPx, + /{usr/,}bin/uname rix, + /{usr/,}lib/apt/methods/http{,s} rPx, + + /usr/share/distro-info/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/themes/{,**} r, + /usr/share/ubuntu-release-upgrader/{,**} r, + 
/usr/share/ubuntu/applications/{,**} r, + /usr/share/update-manager/{,**} r, + /usr/share/X11/{,**} r, + + /etc/gnome/defaults.list r, + /etc/gtk-3.0/settings.ini r, + /etc/machine-id r, + /etc/update-manager/{,**} r, + + /boot/ r, + + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/updates/ r, + /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, + /var/lib/snapd/desktop/icons/{,*} r, + /var/lib/update-manager/{,**} rw, + + owner @{user_cache_dirs}/update-manager-core/{,**} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + + @{run}/systemd/inhibit/*.ref w, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mountinfo r, + + /dev/ptmx rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot new file mode 100644 index 00000000..8a443243 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot +profile update-motd-fsck-at-reboot @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}{s,}bin/dumpe2fs rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{m,}awk rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/date rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mount rCx -> mount, + /{usr/,}bin/stat rix, + + /var/lib/update-notifier/fsck-at-reboot rw, + + @{PROC}/uptime r, + + profile mount { + include + + /{usr/,}bin/mount mr, + + @{run}/mount/utab r, + + @{sys}/devices/virtual/block/**/ r, + @{sys}/devices/virtual/block/**/autoclear r, + @{sys}/devices/virtual/block/**/backing_file r, + + @{PROC}/@{pid}/mountinfo r, + + } + + include if exists +} \ No newline at end of file 
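Review bot: in the new apparmor.d/groups/ubuntu/apport-gtk profile, `/tmp/[a-z0-9]* rw,`, `/tmp/apport_core_* rw,` and `/tmp/tmp[a-z0-9]*/{,**} rw,` carry no `owner` qualifier, while the `/tmp` rules of the software-properties-dbus and software-properties-gtk profiles in this same patch do; prefixing them with `owner` keeps the crash reporter to its own temporary files. Two smaller points in the same hunk: `/{usr/,}bin/dpkg-query rpx,` uses the lowercase, environment-preserving `p` transition where every other child in the profile uses `rPx`, so it needs either a comment or `rPx`; and the `# TODO: rCx or something` left on the pkexec line should be resolved or turned into a tracked issue before merge.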
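Review bot: the profile name `cron-ubuntu-fan` in apparmor.d/groups/ubuntu/cron-ubuntu-fan does not match its attachment, `@{exec_path} = /etc/network/if-up.d/ubuntu-fan`, which is an ifupdown hook rather than a cron job; either name the profile after the script it confines, as the other new profiles in this patch do, or add a comment explaining the name so that `aa-log` output stays easy to map back to the file.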
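Review bot: `capability net_admin,` in the new do-release-upgrade profile has no accompanying comment; nothing else in the hunk (the `network inet/inet6 stream/dgram` and `network netlink raw` rules cover ordinary client sockets) explains why a release upgrader needs to reconfigure host networking, so please either drop it or record which operation, as seen in `aa-log`, requires it.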
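Review bot: the `network inet dgram,` and `network inet6 dgram,` rules added to package-system-locked are not explained by anything else in the hunk; this helper only checks whether the package system is locked, so if the denials came from name resolution a comment saying so would help the next reader, and otherwise they should go. The new `capability sys_ptrace,` next to the existing `ptrace (read),` also extends the profile to inspecting every process on the host; acceptable if it is what the `@{PROC}/@{pids}/` reads below need, but worth a one-line comment.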
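Review bot: the D-Bus rules added to packagekitd only allow `org.freedesktop.DBus.Properties` `GetAll` towards `/org/freedesktop/PolicyKit[0-9]/Authority` and receipt of `Changed`; please confirm with `aa-log` during a privileged transaction that packagekitd never has to call methods on the `org.freedesktop.PolicyKit[0-9].Authority` interface itself for its authorization checks, since such calls would be denied silently. Also, `dbus (send,receive) bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.{DBus.*,PackageKit},` has no `peer=` restriction; that is reasonable for the daemon's own object path, but a comment stating it is intentional would prevent it being tightened later by mistake.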
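Review bot: the `dbus receive bus=system path=/ interface=com.ubuntu.SoftwareProperties member=Reload,` rule in the new software-properties-dbus profile accepts the call from any peer; since software-properties-gtk in this same patch is the sender (`dbus send bus=system path=/ interface=com.ubuntu.SoftwareProperties member=Reload,`), consider adding `peer=(label=software-properties-gtk)`, or listing the other expected callers, so that an arbitrary confined process cannot trigger a reload of the privileged helper.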
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 5724a959..47e1ccf4 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,28 +9,44 @@ include @{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include + include + include + include + include include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/python3.[0-9]* r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/apt-config rPx, + /{usr/,}bin/chmod rix, /{usr/,}bin/dirname rix, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/find rix, /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/mktemp rix, /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, /{usr/,}lib/update-notifier/apt_check.py rix, - /etc/apt/apt.conf.d/{,*} r, - /etc/apt/sources.list r, + /usr/share/distro-info/{,**} r, + + /etc/machine-id r, - /var/lib/apt/lists/{,*} r, /var/lib/update-notifier/{,*} rw, + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + /tmp/ r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 08139166..dbf9eba3 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -10,54 +10,63 @@ include profile update-notifier @{exec_path} { include include - include + include + include include + include include include include @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ionice rix, /{usr/,}bin/ischroot rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/nice rix, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/pkexec rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/update-manager rPx, + /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk rPx, /{usr/,}lib/update-notifier/apt_check.py rix, + /{usr/,}lib/update-notifier/list-oem-metapackages rPx, /{usr/,}lib/update-notifier/livepatch-notification rPx, /{usr/,}lib/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, + /usr/share/apport/apport-gtk rPx, - /usr/share/applications/{,*.desktop} r, + /usr/share/applications/{,**} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, - /usr/share/themes/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/pixmaps/ r, /usr/share/ubuntu/applications/ r, + /usr/share/update-notifier/{,**} r, /usr/share/X11/{,**} r, /etc/machine-id r, /etc/gnome/defaults.list r, + /var/lib/snapd/desktop/applications/{,**} r, + /var/lib/snapd/desktop/icons/ r, /var/lib/update-notifier/user.d/ r, - /var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{user_share_dirs}/applications/ r, + + owner @{run}/user/@{uid}/at-spi/bus rw, + owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner /tmp/#[0-9]* rw, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/systemd/userdb/ r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, - 
@{PROC}/sys/kernel/random/boot_id r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth new file mode 100644 index 00000000..a19504b8 --- /dev/null +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/bandwidth /opt/cni/bin/bandwidth +profile cni-bandwidth @{exec_path} { + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge new file mode 100644 index 00000000..e2a3a76f --- /dev/null +++ b/apparmor.d/groups/virt/cni-bridge @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/bridge /opt/cni/bin/bridge +profile cni-bridge @{exec_path} { + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico new file mode 100644 index 00000000..68467671 --- /dev/null +++ b/apparmor.d/groups/virt/cni-calico 
@@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /opt/cni/bin/calico +profile cni-calico @{exec_path} flags=(attach_disconnected) { + include + + capability sys_admin, + capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + signal (receive) set=kill peer=containerd, + + @{exec_path} mr, + @{exec_path}-ipam rix, + + / r, + + /etc/cni/net.d/{,**} r, + + /var/lib/calico/{,**} r, + /var/log/calico/cni/ r, + /var/log/calico/cni/cni.log rw, + + @{run}/calico/ rw, + @{run}/calico/ipam.lock rwk, + @{run}/netns/cni-@{uuid} r, + + @{PROC}/sys/net/ipv{4,6}/ip_forward rw, + @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall new file mode 100644 index 00000000..729329e5 --- /dev/null +++ b/apparmor.d/groups/virt/cni-firewall @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/firewall /opt/cni/bin/firewall +profile cni-firewall @{exec_path} { + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback new file mode 100644 index 00000000..5e432a94 --- /dev/null +++ b/apparmor.d/groups/virt/cni-loopback 
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/loopback /opt/cni/bin/loopback +profile cni-loopback @{exec_path} flags=(attach_disconnected) { + include + + capability sys_admin, + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + / r, + + @{run}/netns/ r, + @{run}/netns/cni-@{uuid} rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap new file mode 100644 index 00000000..05d9e31e --- /dev/null +++ b/apparmor.d/groups/virt/cni-portmap @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/portmap /opt/cni/bin/portmap +profile cni-portmap @{exec_path} { + include + + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft, + + @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning new file mode 100644 index 00000000..dc14dfa4 --- /dev/null +++ b/apparmor.d/groups/virt/cni-tuning @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/tuning /opt/cni/bin/tuning +profile cni-tuning @{exec_path} { + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file 
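Review bot: `/var/cache/apt/** rwk,` in update-motd-updates-available, together with the newly inlined `/{usr/,}bin/chmod rix,`, `/{usr/,}bin/rm rix,` and `/{usr/,}bin/mv rix,`, gives a root-run motd script write and lock access to the whole apt cache; the apt-esm-hook profile in this patch manages with `/var/cache/apt/pkgcache.bin* rw,`, so please narrow this to the files the script actually touches, and add a comment on why `capability dac_read_search,` is now needed.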
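Review bot: cni-bridge is committed without a trailing newline (`\ No newline at end of file`), as are cni-firewall and cni-tuning, while the other new cni-* files in this patch end cleanly; please add the newline for consistency and to keep future diffs minimal.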
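Review bot: in cni-calico, `@{PROC}/sys/net/ipv{4,6}/ip_forward rw,` expands to a path that does not exist for IPv6 (IPv6 forwarding is controlled under `ipv6/conf/*/forwarding`), so the rule is harmless but misleading; `@{PROC}/sys/net/ipv4/ip_forward rw,` plus a separate IPv6 rule, if Calico really toggles one, would be accurate. The wildcard `@{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw,` is also wider than the handful of sysctls a CNI add normally sets; if `aa-log` only shows a few names, listing them keeps the rule auditable.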
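Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,` in cni-portmap: `route_localnet` is an IPv4-only sysctl, so the `ipv6` alternative never matches, and the `cali` prefix ties the generic portmap plugin to Calico interface names even though the profile attaches to the distro-packaged `/{usr/,}lib/cni/portmap` as well; `@{PROC}/sys/net/ipv4/conf/` with the interface prefixes actually in use would be more accurate.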
diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft new file mode 100644 index 00000000..e6a24a41 --- /dev/null +++ b/apparmor.d/groups/virt/cni-xtables-nft @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi +profile cni-xtables-nft { + include + include + + capability net_admin, + capability net_raw, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + /{usr/,}{s,}bin/xtables-legacy-multi mr, + + /etc/libnl/classid r, + /etc/iptables/{,**} rw, + /etc/nftables.conf rw, + + @{PROC}/@{pids}/net/ip_tables_names r, + + /dev/pts/[0-9]* rw, +} diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 9b4b840e..f3367b5e 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -39,7 +39,6 @@ profile cockpit-bridge @{exec_path} { owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, - @{run}/systemd/userdb/ r, @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 2223836f..5601ea91 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -32,8 +32,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/shells r, @{run}/faillock/[a-zA-z0-9]* rwk, - @{run}/systemd/sessions/[0-9].ref rw, - @{run}/systemd/userdb/ r, + @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, /var/log/btmp rw, @@ -45,4 +44,4 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/fd/ r, include if exists -} \ No newline at end of file +} 
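Review bot: the new cni-xtables-nft profile ends without the `include if exists` local override that every other profile in this patch carries, and it is the only one declared without an attachment (`profile cni-xtables-nft {`), which is consistent with being reached only through `rPx -> cni-xtables-nft` from cni-portmap but deserves a comment. Two rules look wider than the job: `/etc/iptables/{,**} rw,` and `/etc/nftables.conf rw,` let a per-pod port-mapping run rewrite the persistent host ruleset, where read access should suffice; and `/{usr/,}{s,}bin/xtables-legacy-multi mr,` grants map and read but no execute permission, so if the nft multi-binary ever execs the legacy one it will be denied, and if it never does, the line can go.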
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 7c8f4d7c..c700d8ef 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -7,34 +8,110 @@ abi , include @{exec_path} = /{usr/,}bin/containerd -profile containerd @{exec_path} { +profile containerd @{exec_path} flags=(attach_disconnected) { include + include + include + include + include + capability chown, capability dac_read_search, + capability dac_override, + capability fsetid, + capability fowner, capability net_admin, capability sys_admin, - signal (receive) set=term peer=dockerd, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + mount -> /tmp/ctd-volume[0-9]*/, + mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid}, + + umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + umount @{run}/netns/cni-@{uuid}, + + signal (receive) set=term peer={dockerd,k3s}, + signal (send) set=kill peer=cni-calico, @{exec_path} mr, - + /{usr/,}{s,}bin/apparmor_parser rPx, /{usr/,}bin/containerd-shim-runc-v2 rPUx, - /{usr/,}bin/kmod rPx, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, - /etc/cni/{,**} r, + / r, + + /opt/cni/bin/loopback rPx, + /opt/cni/bin/portmap rPx, + /opt/cni/bin/bandwidth rPx, + /opt/cni/bin/calico rPx, + + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, - /var/lib/containerd/{,**} rwk, - /var/lib/docker/containerd/{,**} rwk, - @{run}/containerd/{,**} rwk, - @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /var/lib/cni/{,**/} w, + /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, + /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, + /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, + 
/var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, + /var/lib/docker/containerd/{,**} rwk, + /var/lib/kubelet/seccomp/{,**} r, + /var/lib/security-profiles-operator/{,**} r, + /var/log/pods/**/[0-9]*.log{,*} w, + + @{run}/calico/ w, + @{run}/containerd/{,**} rwk, + @{run}/docker/containerd/{,**} rwk, + @{run}/netns/ w, + @{run}/netns/cni-@{uuid} rw, + @{run}/systemd/notify w, + + owner /var/tmp/** rwkl, + owner /tmp/** rwkl, + /tmp/cri-containerd.apparmor.d[0-9]* rwl, + /tmp/ctd-volume[0-9]*/ rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/apparmor/parameters/enabled r, + + @{PROC}/@{pid}/task/@{tid}/ns/net rw, + owner @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pids}/uid_map r, owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + /dev/bsg/ r, + /dev/bus/ r, + /dev/char/ r, + /dev/cpu/ r, + /dev/cpu/[0-9]*/ r, + /dev/dma_heap/ r, + /dev/dri/ r, + /dev/dri/by-path/ r, + /dev/hugepages/ r, + /dev/input/ r, + /dev/input/by-id/ r, + /dev/input/by-path/ r, + /dev/net/ r, + /dev/snd/ r, + /dev/snd/by-path/ r, + /dev/vfio/ r, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 new file mode 100644 index 00000000..75778688 --- /dev/null +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 
@@ -0,0 +1,55 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/containerd-shim-runc-v2 +profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { + include + include + + capability dac_override, + capability dac_read_search, + capability net_admin, + capability sys_admin, + capability sys_ptrace, + capability sys_resource, + + ptrace (read) peer=containerd, + ptrace (read) peer=unconfined, + + mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/, + umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/, + + @{exec_path} mrix, + + /{usr/,}{s,}bin/runc rPUx, + + /tmp/runc-process[0-9]* rw, + /tmp/pty[0-9]*/ rw, + /tmp/pty[0-9]*/pty.sock rw, + + @{run}/containerd/{,containerd.sock.ttrpc} rw, + @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw, + @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw, + @{run}/containerd/s/{,[0-9a-f]*} rw, + + @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw, + @{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw, + @{run}/docker/containerd/daemon/io.containerd.*/{,**} rw, + @{run}/secrets/kubernetes.io/serviceaccount/*/token w, + + @{sys}/fs/cgroup/{,**} rw, + @{sys}/fs/cgroup/kubepods/{,**} rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/sys/net/core/somaxconn r, + + include if exists +} diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s new file mode 100644 index 00000000..3f041cc4 --- /dev/null +++ b/apparmor.d/groups/virt/k3s 
@@ -0,0 +1,172 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{local/,}bin/k3s +profile k3s @{exec_path} { + include + include + include + include + + capability chown, + capability kill, + capability dac_override, + capability dac_read_search, + capability fsetid, + capability fowner, + capability net_admin, + capability syslog, + capability sys_admin, + capability sys_ptrace, + capability sys_resource, + + ptrace peer=@{profile_name}, + ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined}, + + # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes + # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. + ptrace (read) peer=container-*, + ptrace (read) peer=docker-*, + ptrace (read) peer=k3s-*, + ptrace (read) peer=kubernetes-*, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + mount -> /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, + mount -> /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**}, + + umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, + umount /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**}, + + signal (send, receive) set=term, + signal (send) set=kill peer=unconfined, + + unix (bind,listen) type=stream addr=@xtables, + + @{exec_path} mr, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/mount rPx, + /{usr/,}bin/systemd-run rix, + /{usr/,}bin/{nano,emacs,ed} rPUx, + /{usr/,}bin/vim{,.basic} rPUx, + /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft, + + @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, + /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, + + @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r, + /usr/share/mime/globs2 r, + + /etc/machine-id r, + /etc/rancher/{,**} rw, + + 
/var/lib/kubelet/{,**} rw, + /var/lib/rancher/{,**} rw, + /var/lib/rancher/k3s/data/.lock rwk, + /var/lib/rancher/k3s/server/db/{,**} rwk, + + /var/log/containers/ r, + /var/log/containers/** rw, + /var/log/rancher/{,**} r, + /var/log/kubelet/{,**} r, + /var/log/kubernetes/{,**} r, + /var/log/kubernetes/audit/** rw, + /var/log/pods/{,**} r, + /var/log/pods/{,**/} rw, + /var/log/pods/**/[0-9]*.log{,*} rw, + + owner @{HOME}/.kube/** rw, + + @{run}/containerd/containerd.sock rw, + @{run}/systemd/notify w, + @{run}/systemd/private rw, + @{run}/systemd/resolve/resolv.conf r, + @{run}/nodeagent/ rw, + @{run}/xtables.lock rwk, + + owner /var/tmp/** rwkl, + owner /tmp/** rwkl, + + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/cpuset r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/limits r, + owner @{PROC}/@{pids}/mounts r, + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/net/ip_tables_names r, + owner @{PROC}/@{pids}/net/ipv6_route r, + owner @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pids}/oom_score_adj rw, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/uid_map r, + + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/modules r, + @{PROC}/sys/fs/pipe-max-size r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, + @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, + @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, + @{PROC}/sys/net/netfilter/* rw, + @{PROC}/sys/kernel/keys/* r, + @{PROC}/sys/kernel/panic rw, + @{PROC}/sys/kernel/panic_on_oom rw, + @{PROC}/sys/kernel/panic_on_oops rw, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/threads-max r, + @{PROC}/sys/vm/overcommit_memory rw, + @{PROC}/sys/vm/panic_on_oom r, + + @{sys}/class/net/ r, + + @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r, + @{sys}/devices/system/edac/mc/ r, + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r, + 
@{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/present{,/} r, + + @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, + @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/ r, + @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r, + @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r, + @{sys}/devices/virtual/dmi/id/* r, + + @{sys}/fs/cgroup/{,*,*/} r, + @{sys}/fs/cgroup/cgroup.subtree_control rw, + @{sys}/fs/cgroup/kubepods/{,**} rw, + @{sys}/fs/cgroup/system.slice/{,**/} r, + @{sys}/fs/cgroup/system.slice/k3s.service/* r, + @{sys}/fs/cgroup/user.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-[0-9]*.scope/{,**/} r, + + @{sys}/kernel/mm/hugepages/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, + @{sys}/kernel/security/apparmor/profiles r, + + @{sys}/module/apparmor/parameters/enabled r, + + /dev/kmsg r, + /dev/pts/[0-9]* rw, + + include if exists +} diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause new file mode 100644 index 00000000..b621e63d --- /dev/null +++ b/apparmor.d/groups/virt/kubernetes-pause @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /pause +profile kubernetes-pause @{exec_path} flags=(attach_disconnected) { + include + + signal (receive) set=kill, + + ptrace (readby) peer={k3s,ps}, + + @{exec_path} mr, + + include if exists +} 
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 38c8540b..1814b83f 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -1,16 +1,26 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) Libvirt Team -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Based on Libvirt Apparmor profile, it is largelly restricted from th +# As upstream profile mostly focus on confining the guests. Not libvirt itself. +# It uses a lot of profiles provided by apparmor.d +# Source: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in + abi , include -@{exec_path} = /{usr/,}sbin/libvirtd /{usr/,}bin/libvirtd +@{exec_path} = /{usr/,}{s,}bin/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include include + include + include + include + include capability audit_write, capability bpf, @@ -34,6 +44,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_pacct, capability sys_ptrace, + capability sys_rawio, capability sys_resource, network inet stream, 
@@ -44,18 +55,15 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - mount options=(rw,rslave) -> /, - mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, - umount /{var/,}run/libvirt/qemu/*.dev/, + mount options=(rw, rslave) -> /, + mount options=(rw, nosuid) -> @{run}/libvirt/qemu/*.dev/, + umount @{run}/libvirt/qemu/*.dev/, - # libvirt provides any mounts under /dev to qemu namespaces - mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, - mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, - mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, - mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, - - # for --p2p migrations - unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), + # Libvirt provides any mounts under /dev to qemu namespaces + mount options=(rw, move) /dev/ -> @{run}/libvirt/qemu/*.dev/, + mount options=(rw, move) /dev/** -> @{run}/libvirt/qemu/*{,/}, + mount options=(rw, move) @{run}/libvirt/qemu/*.dev/ -> /dev/, + mount options=(rw, move) @{run}/libvirt/qemu/*{,/} -> /dev/**, ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=@{profile_name}, 
@@ -63,79 +71,198 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=libvirt-*, ptrace (read,trace) peer=virt-manager, + signal (read,send) peer=libvirt-*, + signal (read,send) peer=unconfined, signal (send) peer=dnsmasq, - signal (read, send) peer=libvirt-*, - signal (send) set=(kill, term) peer=unconfined, - - # For communication/control to qemu-bridge-helper - unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), + signal (send) set=(kill, term) peer=virtiofsd, signal (send) set=(term) peer=libvirtd//qemu_bridge_helper, - # allow connect with openGraphicsFD, direction reversed in newer versions unix (send, receive) type=stream addr=none peer=(label=libvirt-@{uuid}), - # unconfined also required if guests run without security module + unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), + unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), - # required if guests run unconfined seclabel type='none' but libvirtd is confined - signal (read, send) peer=unconfined, - - # Very lenient profile for libvirtd since we want to first focus on confining - # the guests. Guests will have a very restricted profile. - / r, - /** rwmkl, - - /{usr/,}bin/* rPUx, - /{usr/,}sbin/* rPUx, - /{usr/,}{,s}bin/virtlogd rPx, - /{usr/,}lib/udev/scsi_id rPUx, - /usr/{lib,lib64}/xen-common/bin/xen-toolstack rPUx, - /usr/{lib,lib64}/xen/bin/* rUx, - @{libexec}/xen-*/bin/libxl-save-helper rPUx, - @{libexec}/xen-*/bin/pygrub rPUx, - /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, - /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rPUx, - - # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to - # read and run an ebtables script. 
- /var/lib/libvirt/virtd* rix, - - # force the use of virt-aa-helper - audit deny /{usr/,}{s,}bin/apparmor_parser rwxl, - audit deny /etc/apparmor.d/libvirt/** wxl, - audit deny /sys/kernel/security/apparmor/features rwxl, - audit deny /sys/kernel/security/apparmor/matching rwxl, - audit deny /sys/kernel/security/apparmor/.* rwxl, - /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* rPUx, - /usr/lib/libvirt/libvirt_parthelper ix, - /usr/lib/libvirt/libvirt_iohelper ix, - /etc/libvirt/hooks/** rmix, - /etc/xen/scripts/** rmix, - - # allow changing to our UUID-based named profiles + # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, - # child profile for bridge helper process + @{exec_path} mr, + + @{libexec}/libvirt/libvirt_iohelper rix, + @{libexec}/libvirt/libvirt_parthelper rix, + + @{libexec}/xen-*/bin/libxl-save-helper rPUx, + @{libexec}/xen-*/bin/pygrub rPUx, + /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, + /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP + /{usr/,}lib{,64}/xen-common/bin/xen-toolstack rPUx, + /{usr/,}lib{,64}/xen/bin/* rPUx, + /{usr/,}lib/udev/scsi_id rPUx, + + /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + + /{usr/,}{s,}bin/dmidecode rPx, + /{usr/,}{s,}bin/dnsmasq rPx, + /{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP + /{usr/,}{s,}bin/virtlogd rPX, + /{usr/,}bin/lvm rUx, + /{usr/,}bin/mdevctl rPx, + /{usr/,}bin/swtpm rPx, + /{usr/,}bin/swtpm_ioctl rPx, + /{usr/,}bin/swtpm_setup rPx, + /{usr/,}bin/udevadm rPx, + + /{usr/,}{s,}bin/xtables-nft-multi rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ip rix, + /{usr/,}bin/tc rix, + /{usr/,}bin/xmllint rix, + /{usr/,}bin/qemu-system* rUx, # TODO: Integration with virt-aa-helper + /{usr/,}bin/qemu-img rUx, # TODO: Integration with virt-aa-helper + /{usr/,}lib/libvirt/virt-aa-helper rPx, + + /etc/libvirt/hooks/** 
rmix, + /etc/xen/scripts/** rmix, + /var/lib/libvirt/virtd* rix, + + /usr/share/edk2-ovmf/{,**} r, + /usr/share/hwdata/* r, + /usr/share/libvirt/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/qemu/{,**} r, + + /etc/libvirt/{,**} rw, + /etc/mdevctl.d/{,**} r, + /etc/xml/catalog r, + + /var/cache/libvirt/{,**} rw, + /var/lib/libvirt/{,**} rwk, + /var/log/swtpm/libvirt/{,**} rw, + + # User VM images and share + @{user_share_dirs}/ r, + @{user_share_dirs}/libvirt/{,**} rwk, + @{user_vm_dirs}/{,**} rwk, + @{user_publicshare_dirs}/{,**} rw, + + @{run}/libvirt/ rw, + @{run}/libvirt/** rwk, + @{run}/libvirtd.pid wk, + @{run}/lock/LCK.._pts_[0-9]* rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/utmp rk, + + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi:id r, + @{run}/udev/data/+drm:* r, + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci* r, + @{run}/udev/data/+platform* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card* r, # for sound + @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/c1:[0-9]* r, + @{run}/udev/data/c10:[0-9]* r, + @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c2[0-9]*:[0-9]* r, + @{run}/udev/data/c23[0-9]:[0-9]* r, + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c50[0-9]:[0-9]* r, + @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/udev/data/n[0-9]* r, + + @{sys}/bus/[a-z]*/devices/ r, + @{sys}/class/[a-z]*/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/pci[0-9]*/**/{class,revision,subsystem_vendor,subsystem_device} r, + @{sys}/devices/pci[0-9]*/**/{config,numa_node,device,vendor} r, + @{sys}/devices/pci[0-9]*/**/mdev_supported_types/{,**} r, + @{sys}/devices/pci[0-9]*/**/mdev_supported_types/*/create w, + @{sys}/devices/pci[0-9]*/**/net/*/{,**} r, + @{sys}/devices/pci[0-9]*/**/remove w, + @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r, + + 
@{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r, + @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, + @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/cpu/present/ r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/ r, + @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r, + @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/{,**} rw, + + @{sys}/kernel/iommu_groups/ r, + @{sys}/kernel/iommu_groups/[0-9]*/devices/ r, + @{sys}/kernel/mm/hugepages/{,**} r, + @{sys}/kernel/security/apparmor/profiles r, + + @{sys}/module/kvm_intel/parameters/nested r, + + @{sys}/fs/cgroup/ r, + @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/machine.slice/* r, + @{sys}/fs/cgroup/machine.slice/machine-qemu*.scope/{,**} rw, + @{sys}/fs/cgroup/net_cls/machine.slice/ rw, + @{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/net/psched r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/@{tid}/sched r, + @{PROC}/@{pids}/task/@{tid}/schedstat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/devices r, + @{PROC}/mtrr w, + @{PROC}/sys/net/ipv{4,6}/** rw, + + /dev/dri/ r, + /dev/hugepages/{,**} w, + /dev/kvm r, + /dev/mapper/ r, + /dev/mapper/control rw, + /dev/net/tun rw, + /dev/shm/libvirt/{,**} rw, + /dev/vfio/[0-9]* rwk, + /dev/vhost-net rw, + + # Force the use of virt-aa-helper + audit deny /{usr/,}{s,}bin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny @{sys}/kernel/security/apparmor/features rwxl, + audit deny @{sys}/kernel/security/apparmor/matching rwxl, + audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile qemu_bridge_helper { include - 
capability setuid, + capability net_admin, capability setgid, capability setpcap, - capability net_admin, + capability setuid, network inet stream, # For communication/control from libvirtd unix (send, receive) type=stream addr=none peer=(label=libvirtd), - signal (receive) set=("term") peer=libvirtd, + signal (receive) set=(term) peer=libvirtd, + + /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + + /etc/qemu/{,**} r, + + owner @{PROC}/@{pids}/status r, /dev/net/tun rw, - /etc/qemu/** r, - owner @{PROC}/*/status r, - - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } include if exists diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 60c06ef3..5ff00d20 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/aa-notify profile aa-notify @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index ef8b465a..1ea91478 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -10,23 +10,14 @@ include profile adduser @{exec_path} { include include - include include + include - # To create a user home dir and give it proper permissions: - # mkdir("/home/user", 0755) = 0 - # chown("/home/user", 1001, 1001) = 0 - # chmod("/home/user", 0755) = 0 capability chown, - capability fowner, - - # To set the set-group-ID bit for the user home dir (SETGID_HOME=yes). - capability fsetid, - - # To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different - # owner. - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, @{exec_path} r, /{usr/,}bin/perl r, 
@@ -35,25 +26,24 @@ profile adduser @{exec_path} { /{usr/,}bin/find rix, /{usr/,}bin/rm rix, + /{usr/,}{s,}bin/groupadd rPx, + /{usr/,}{s,}bin/groupdel rPx, /{usr/,}{s,}bin/useradd rPx, /{usr/,}{s,}bin/userdel rPx, - /{usr/,}{s,}bin/groupdel rPx, - /{usr/,}{s,}bin/groupadd rPx, /{usr/,}{s,}bin/usermod rPx, - /{usr/,}bin/passwd rPx, - /{usr/,}bin/gpasswd rPx, - /{usr/,}bin/chfn rPx, - /{usr/,}bin/chage rPx, + /{usr/,}bin/chage rPx, + /{usr/,}bin/chfn rPx, + /{usr/,}bin/gpasswd rPx, + /{usr/,}bin/passwd rPx, /etc/{group,passwd,shadow} r, - /etc/adduser.conf r, + /etc/skel/{,.*} r, # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, @{HOME}/.* w, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, include if exists } diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 28b8cc52..8f615b7d 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/agetty +@{exec_path} = /{usr/,}{s,}bin/agetty profile agetty @{exec_path} { include include @@ -15,17 +15,24 @@ profile agetty @{exec_path} { capability fsetid, capability sys_admin, capability sys_tty_config, + capability chown, @{exec_path} mr, /{usr/,}bin/login rPx, - /etc/issue r, + /{etc,run,lib,usr/lib}/issue r, + /{etc,run,lib,usr/lib}/issue.d/{,*} r, + /{,usr/}lib/os-release r, + /etc/inittab r, + /etc/os-release r, owner @{run}/agetty.reload rw, @{run}/resolvconf/resolv.conf r, - /dev/tty[0-9]* rw, + /dev/tty[0-9]* rw, + owner /dev/ttyGS[0-9]* rw, + owner /dev/ttyS[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron new file mode 100644 index 00000000..73f0d81e --- /dev/null +++ b/apparmor.d/profiles-a-f/anacron 
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/anacron +profile anacron @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/run-parts rPx, + + / r, + /etc/anacrontab r, + + /var/spool/anacron/cron.* rwk, + + /tmp/file* rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index d20aa7b6..a40c4249 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -11,6 +11,8 @@ profile apparmor.systemd @{exec_path} flags=(complain) { include include + capability mac_admin, + @{exec_path} mr, /{usr/,}{s,}bin/aa-status rPx, @@ -19,6 +21,8 @@ profile apparmor.systemd @{exec_path} flags=(complain) { /{usr/,}bin/{,e}grep rix, /{usr/,}bin/getconf rix, /{usr/,}bin/ls rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, /{usr/,}bin/systemd-detect-virt rPx, /{usr/,}bin/xargs rix, @@ -28,6 +32,7 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{sys}/fs/cgroup/systemd/ r, @{sys}/kernel/security/apparmor/{,**} r, + @{sys}/kernel/security/apparmor/.remove rw, @{sys}/module/apparmor/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index e75165f5..a8886583 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include + include capability mac_admin, 
@@ -24,6 +25,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner /var/cache/apparmor/{,**} rw, owner /var/lib/docker/tmp/docker-default[0-9]* r, owner /var/lib/snapd/apparmor/{,**} r, + + owner /tmp/cri-containerd.apparmor.d[0-9]* r, owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw, @{sys}/kernel/security/apparmor/{,**} r, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 8d609ba3..bc053307 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -11,6 +11,7 @@ include profile appstreamcli @{exec_path} flags=(complain) { include include + include capability dac_read_search, diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index a7af4d7c..60fe89ff 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -10,6 +10,7 @@ include profile arduino @{exec_path} { include include + include include include include @@ -51,9 +52,6 @@ profile arduino @{exec_path} { owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw, owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw, - include - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/arduino/{,**} r, /usr/share/arduino-builder/{,**} r, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 3eb4b452..bc7b93e8 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -18,6 +18,7 @@ include @{exec_path} = /{usr/,}bin/atril{,-*} profile atril @{exec_path} { include + include include include include @@ -52,10 +53,6 @@ profile atril @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl new file mode 100644 index 00000000..b1f1fec8 
--- /dev/null +++ b/apparmor.d/profiles-a-f/auditctl @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/auditctl +profile auditctl @{exec_path} { + include + + capability audit_control, + + network netlink raw, + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 81074daa..a9158b76 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -30,7 +30,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) { owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, @{run}/systemd/journal/dev-log w, - @{run}/systemd/userdb/ r, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules new file mode 100644 index 00000000..f7356dd0 --- /dev/null +++ b/apparmor.d/profiles-a-f/augenrules @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/augenrules +profile augenrules @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/auditctl rPx, + + owner /tmp/aurules.* rw, + + /dev/tty rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish index 5c93be01..879199f5 100644 --- a/apparmor.d/profiles-a-f/aurpublish +++ b/apparmor.d/profiles-a-f/aurpublish @@ -10,6 +10,8 @@ include profile aurpublish @{exec_path} { include + signal (receive) peer=git, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
@@ -19,9 +21,9 @@ profile aurpublish @{exec_path} { /{usr/,}bin/rm rix, /{usr/,}bin/wc rix, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.SRCINFO rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/PKGBUILD r, + owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, + owner @{user_projects_dirs}/**/.SRCINFO rw, + owner @{user_projects_dirs}/**/PKGBUILD r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index f1c2ddce..d8f9b79b 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -19,7 +19,7 @@ profile badblocks @{exec_path} { # A place for a list of already existing known bad blocks @{HOME}/* rwk, - @{MOUNTS}/*/** rwk, + @{MOUNTS}/** rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/bin.netstat b/apparmor.d/profiles-a-f/bin.netstat deleted file mode 100644 index a4cc8594..00000000 --- a/apparmor.d/profiles-a-f/bin.netstat +++ /dev/null 
@@ -1,49 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2002-2005 Novell/SUSE -# 2017 Christian Boltz -# 2018-2021 Mikhail Morfikov -# SPDX-License-Identifier: GPL-2.0-only - -# Evolution, amongst other things, calls this program. I didn't want to -# give evolution access to significant chunks of /proc - -abi , - -include - -@{exec_path} = /{usr/,}bin/netstat -profile netstat @{exec_path} { - include - include - include - - capability dac_read_search, - capability syslog, - capability sys_ptrace, - - ptrace (trace,read), - - @{exec_path} rmix, - - /etc/networks r, - @{PROC} r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/net r, - @{PROC}/net/* r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/net/netstat r, - @{PROC}/@{pid}/net/raw r, - @{PROC}/@{pid}/net/snmp r, - @{PROC}/@{pid}/net/raw6 r, - @{PROC}/@{pid}/net/tcp r, - @{PROC}/@{pid}/net/tcp6 r, - @{PROC}/@{pid}/net/udp r, - @{PROC}/@{pid}/net/udp6 r, - @{PROC}/@{pid}/net/udplite r, - @{PROC}/@{pid}/net/udplite6 r, - @{PROC}/@{pid}/net/unix r, - # For "netstat -i" - @{PROC}/@{pid}/net/dev r, - -} diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 3d834202..1d3735e8 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -31,9 +31,9 @@ profile blkid @{exec_path} { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index d3527585..362666f7 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,14 +10,15 @@ include @{exec_path} = /{usr/,}bin/blueman-* profile blueman @{exec_path} flags=(attach_disconnected) { include - include - include + include + include include - include + include include + include + include include include - include network inet stream, network inet6 stream, @@ -26,17 +28,25 @@ profile blueman @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=gjs-console, @{exec_path} mrix, - /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/blueman-tray rPx, - /{usr/,}bin/ r, - /{usr/,}bin/{b,d}ash rix, + /{usr/,}bin/{b,d}ash rix, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/blueman-tray rPx, + /{usr/,}bin/xdg-open rCx -> open, /usr/share/blueman/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /var/lib/blueman/network.state r, + + owner @{HOME}/ r, + owner @{HOME}/bluetooth*/ r, + owner @{HOME}/bluetooth*/* rw, + owner @{user_cache_dirs}/blueman-tray-[0-9]* rw, owner @{user_cache_dirs}/blueman-services-[0-9]* rw, owner @{user_cache_dirs}/blueman-adapters-[0-9]* rw, 
@@ -48,40 +58,16 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{HOME}/ r, - owner @{HOME}/bluetooth*/ r, - owner @{HOME}/bluetooth*/* rw, - - # For sending a note (disabled since the feature doesn't seem to work) - #owner /tmp/* rw, - #owner /var/tmp/* rw, - #owner /tmp/note*.vnt rw, - - /var/lib/blueman/network.state r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/cmdline r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - /dev/tty rw, - - /dev/rfkill r, - - /dev/shm/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - owner @{run}/user/@{uid}/gdm/Xauthority r, - - # file_inherit /dev/dri/card[0-9]* rw, + /dev/rfkill r, + /dev/shm/ r, + /dev/tty rw, profile open { include @@ -90,30 +76,29 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, + /{usr/,}bin/dbus-send rix, + /{usr/,}bin/file rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/mimetype rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/uname rix, /{usr/,}bin/xprop rix, - /{usr/,}bin/file rix, - /{usr/,}bin/dbus-send rix, - /{usr/,}bin/mimetype rix, - - /usr/share/perl5/** r, - /etc/magic r, - - owner @{HOME}/ r, - owner @{HOME}/bluetooth*/* r, - - owner @{run}/user/@{uid}/ r, # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/spacefm rPx, - # file_inherit + /usr/share/perl5/** r, + + /etc/magic r, + + owner @{HOME}/ r, + owner @{HOME}/bluetooth*/* r, owner @{HOME}/.xsession-errors w, + owner @{run}/user/@{uid}/ r, + } include if exists diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism index 3bcfb527..b3dd451d 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism 
+++ b/apparmor.d/profiles-a-f/blueman-mechanism @@ -23,7 +23,6 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/python3.[0-9]* r, @{libexec}/ r, /var/lib/blueman/network.state rw, diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher index eaa7512b..3f00bf98 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher @@ -12,7 +12,6 @@ profile blueman-rfcomm-watcher @{exec_path} { include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, @{libexec}/ r, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index 740731c5..26316237 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2015-2021 Mikhail Morfikov +# Copyright (C) 2015-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -27,20 +28,19 @@ profile bluetoothd @{exec_path} { /etc/bluetooth/{,*.conf} r, + /var/lib/bluetooth/{,**} rw, + + @{run}/sdp rw, + @{run}/udev/data/+hid:* r, + + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r, + @{sys}/devices/platform/**/rfkill/**/name r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + /dev/uhid rw, /dev/uinput rw, /dev/rfkill rw, /dev/hidraw[0-9]* rw, - @{run}/sdp rw, - - @{run}/udev/data/+hid:* r, - - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/platform/**/rfkill/**/name r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r, - - /var/lib/bluetooth/{,**} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 2eed5450..e46ecbe3 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd 
@@ -7,8 +7,9 @@ abi , include @{exec_path} = @{libexec}/boltd -profile boltd @{exec_path} { +profile boltd @{exec_path} flags=(attach_disconnected) { include + include include capability net_admin, @@ -21,6 +22,7 @@ profile boltd @{exec_path} { owner @{run}/boltd/{,**} rw, + @{run}/systemd/journal/socket w, @{run}/udev/data/+thunderbolt:* r, @{sys}/bus/ r, @@ -32,10 +34,10 @@ profile boltd @{exec_path} { @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/ r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{authorized,generation} r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{uevent,unique_id} r, + @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r, @{sys}/devices/platform/**/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 5e40c1ec..1bd177a7 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -18,8 +18,11 @@ profile borg @{exec_path} { network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} r, + + /{usr/,}bin/ r, /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/uname rix, @@ -32,10 +35,10 @@ profile borg @{exec_path} { /{usr/,}bin/ccache rCx -> ccache, /{usr/,}bin/fusermount{,3} rCx -> fusermount, + mount fstype=fuse -> @{MOUNTS}/, mount fstype=fuse -> @{MOUNTS}/*/, - mount fstype=fuse -> @{MOUNTS}/*/*/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, /dev/fuse rw, @@ -66,15 +69,11 @@ profile borg @{exec_path} { # Dirs that can be backed up / r, - /boot/{,**} r, - /efi/{,**} r, /etc/{,**} r, /home/{,**} r, @{MOUNTS}/{,**} r, - /opt/{,**} r, /root/{,**} r, /srv/{,**} r, - /usr/{,**} r, /var/{,**} r, # The backup dirs 
@@ -115,8 +114,8 @@ profile borg @{exec_path} { /etc/fuse.conf r, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 1bf18858..bbab7719 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -34,7 +34,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { deny network inet, deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r, deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw, - deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, + deny owner @{user_download_dirs}/{,**} rw, deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny owner @{user_share_dirs}/gvfs-metadata/{,**} r, deny /dev/dri/* rw, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index b691e0d2..bff4395c 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -33,18 +33,18 @@ profile btrfs @{exec_path} { /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk, # Saved metadata + @{MOUNTS}/ r, + @{MOUNTS}/ext2_saved/ rw, + @{MOUNTS}/ext2_saved/image rw, @{MOUNTS}/*/ r, @{MOUNTS}/*/ext2_saved/ rw, @{MOUNTS}/*/ext2_saved/image rw, - @{MOUNTS}/*/*/ r, - @{MOUNTS}/*/*/ext2_saved/ rw, - @{MOUNTS}/*/*/ext2_saved/image rw, # To be able to manage btrfs volumes owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, /dev/btrfs-control rw, diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root index 6135885c..5eb562f7 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root 
@@ -15,9 +15,9 @@ profile btrfs-find-root @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image index 50061b82..3aecf3be 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/profiles-a-f/btrfs-image @@ -17,9 +17,9 @@ profile btrfs-image @{exec_path} { # Image files owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical index 344f4d02..81d28128 100644 --- a/apparmor.d/profiles-a-f/btrfs-map-logical +++ b/apparmor.d/profiles-a-f/btrfs-map-logical @@ -15,9 +15,9 @@ profile btrfs-map-logical @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index 7bef336b..3696fd26 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/cawbird profile cawbird @{exec_path} { include + include include include include 
@@ -42,11 +43,6 @@ profile cawbird @{exec_path} { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - # This is needed as cawbird stores its settings in the dconf database. - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 45aeb0b7..deb4be1a 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -25,13 +25,13 @@ profile cfdisk @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # A place for backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 231de791..a94b85bd 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -17,13 +17,13 @@ profile cgdisk @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # A place for backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer new file mode 100644 index 00000000..8ef3e295 --- /dev/null +++ b/apparmor.d/profiles-a-f/cracklib-packer 
@@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/cracklib-packer +profile cracklib-packer @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index fe89bcb7..774208fb 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/czkawka_gui profile czkawka-gui @{exec_path} { include + include include include include @@ -38,11 +39,6 @@ profile czkawka-gui @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index ce8e9646..e63a799a 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -16,6 +16,7 @@ include profile deltachat-desktop @{exec_path} { include include + include include include include @@ -46,10 +47,6 @@ profile deltachat-desktop @{exec_path} { owner @{HOME}/.config/DeltaChat/ rw, owner @{HOME}/.config/DeltaChat/** rwk, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner /tmp/[0-9a-f]*/ rw, diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index bf0b42b6..e4cf9cfd 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/dig profile dig @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index 692ba3b2..b3dcf12c 100644 --- a/apparmor.d/profiles-a-f/dino-im 
+++ b/apparmor.d/profiles-a-f/dino-im @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dino-im profile dino-im @{exec_path} { include + include include include include @@ -29,10 +30,6 @@ profile dino-im @{exec_path} { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, - include - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/** rwk, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 35f922c7..8e7ee6bc 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -19,9 +19,9 @@ profile dumpe2fs @{exec_path} { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 14c1e26f..0932351b 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -12,25 +13,31 @@ profile e2fsck @{exec_path} { include include + capability dac_read_search, + capability sys_rawio, + @{exec_path} mr, # To check for badblocks /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{s,}bin/badblocks rPx, - owner @{run}/blkid/blkid.tab{,-*} rw, + /usr/share/file/misc/magic.mgc r, + + # A place for file images + owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + + @{run}/blkid/ rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + + @{sys}/devices/**/power_supply/AC/online r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, - @{sys}/devices/**/power_supply/AC/online r, - - # A place for file images - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - include if exists } diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index b61bf1fd..7cd9ebe2 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -19,9 +19,9 @@ profile e2image @{exec_path} { # A place for the metadata image file owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 33acd41f..6d73f41a 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/engrampa profile engrampa @{exec_path} { include + include include include include 
@@ -43,10 +44,6 @@ profile engrampa @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /{usr/,}bin/xdg-open rCx -> open, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/engrampa/ rw, / r, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 1c98015f..631f3a22 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -59,7 +59,9 @@ profile etckeeper @{exec_path} { @{run}/resolvconf/resolv.conf r, - /tmp/etckeeper-git* rw, + owner /tmp/etckeeper-git* rw, + + owner @{PROC}/@{pid}/fd/ r, profile gpg { include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 01509248..0190d419 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -6,10 +6,10 @@ abi , include -@{exec_path} = /{usr/,}bin/evince /{usr/,}bin/evinced +@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced profile evince @{exec_path} { include - include + include include include include @@ -33,11 +33,9 @@ profile evince @{exec_path} { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/evince/{,*} rw, - owner @{run}/user/@{uid}/dconf/user rw, - + owner /tmp/*.pdf r, owner /tmp/evince-*/{,**} rw, - /tmp/gtkprint* rw, - /tmp/*.pdf r, + owner /tmp/gtkprint* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index 044ba498..9ff0d7ad 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read 
@@ -13,14 +13,14 @@ profile f3read @{exec_path} { @{exec_path} mr, # USB drive mount locations + @{MOUNTDIRS} r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, - /mnt/ r, # To be able to read h2w files + owner @{MOUNTDIRS}/[0-9]*.h2w r, + owner @{MOUNTS}/[0-9]*.h2w r, owner @{MOUNTS}/*/[0-9]*.h2w r, - owner @{MOUNTS}/*/*/[0-9]*.h2w r, - owner /mnt/[0-9]*.h2w r, include if exists } diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index d053e929..14145347 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write @@ -17,14 +17,14 @@ profile f3write @{exec_path} { @{exec_path} mr, # USB drive mount locations + @{MOUNTDIRS} r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, - /mnt/ r, # To be able to write h2w files + owner @{MOUNTDIRS}/[0-9]*.h2w w, + owner @{MOUNTS}/[0-9]*.h2w w, owner @{MOUNTS}/*/[0-9]*.h2w w, - owner @{MOUNTS}/*/*/[0-9]*.h2w w, - owner /mnt/[0-9]*.h2w w, include if exists } diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index 5f023da4..5c0f9769 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -27,13 +27,13 @@ profile fdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller new file mode 100644 index 00000000..e8d98bff --- /dev/null +++ b/apparmor.d/profiles-a-f/file-roller 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/file-roller +profile file-roller @{exec_path} { + include + include + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/unzip rix, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/themes/{,**} r, + /usr/share/X11/xkb/{,**} r, + + /etc/gtk-3.0/settings.ini r, + + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 3c8f6a0e..11a35cab 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -49,9 +49,13 @@ profile flatpak-system-helper @{exec_path} { /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpgsm mr, + /{usr/,}bin/gpg-agent rix, + owner /tmp/ostree-gpg-*/ r, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{PROC}/@{uid}/fd/ r, + } include if exists diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index a215d61a..8bf1bb58 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -9,12 +9,13 @@ include @{exec_path} = /{usr/,}bin/font-manager profile font-manager @{exec_path} { include - include - include + include include + include include - include include + include + include include network inet dgram, @@ -28,6 +29,8 @@ profile font-manager @{exec_path} { /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/font-manager/ rw, owner @{user_cache_dirs}/font-manager/* rwk, 
@@ -46,22 +49,16 @@ profile font-manager @{exec_path} { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/{,**} r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/smaps r, - @{PROC}zoneinfo r, - - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/{,**} r, - - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + @{PROC}/zoneinfo r, # Silencer owner /var/cache/fontconfig/ w, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd new file mode 100644 index 00000000..c2c9a6ff --- /dev/null +++ b/apparmor.d/profiles-a-f/fprintd 
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{libexec}/fprintd +profile fprintd @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability sys_nice, + + network netlink raw, + + dbus receive bus=system path=/net/reactivated/Fprint/Manager + interface={org.freedesktop.DBus.Properties,net.reactivated.Fprint.Manager}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit + peer=(name=org.freedesktop.login[0-9]), + + dbus bind bus=system + name=net.reactivated.Fprint, + + @{exec_path} mr, + + /etc/fprintd.conf r, + + /var/lib/fprint/{,**} rw, + + @{run}/systemd/journal/socket rw, + @{run}/systemd/inhibit/*.ref w, + + @{sys}/class/hidraw/ r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 29071d5c..61a9c60b 100644 --- a/apparmor.d/profiles-a-f/freefall +++ b/apparmor.d/profiles-a-f/freefall @@ -10,18 +10,18 @@ include profile freefall @{exec_path} { include - capability sys_nice, capability ipc_lock, capability mknod, + capability sys_nice, @{exec_path} mr, + @{sys}/devices/**/unload_heads r, + @{sys}/class/leds/**/brightness r, + /dev/freefall rw, /dev/sd[a-z]* rk, /dev/sd[a-z]*[0-9]* rk, - @{sys}/devices/**/unload_heads r, - @{sys}/class/leds/**/brightness r, - include if exists } diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 46a762f5..9e018e0a 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend 
@@ -23,13 +23,14 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}bin/locale rix, # debconf apps + /{usr/,}{s,}bin/aspell-autobuildhash rPx, + /{usr/,}{s,}bin/pam-auth-update rPx, /{usr/,}bin/adequate rPx, /{usr/,}bin/debconf-apt-progress rPx, - /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, /{usr/,}bin/linux-check-removal rPx, /{usr/,}bin/ucf rPx, - /{usr/,}sbin/pam-auth-update rPx, - /{usr/,}sbin/aspell-autobuildhash rPx, + /{usr/,}bin/whiptail rPx, + /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, /usr/share/debian-security-support/check-support-status.hook rPx, # Run the package maintainer's scripts @@ -55,13 +56,16 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}lib/dkms/dkms-* rPUx, /{usr/,}lib/dkms/dkms_* rPUx, - /etc/debconf.conf r, /usr/share/debconf/{,**} r, + + /etc/debconf.conf r, + /etc/inputrc r, + /etc/shadow r, + + owner /tmp/file* w, owner /var/cache/debconf/* rwk, - /etc/inputrc r, - - /etc/shadow r, + @{run}/user/@{uid}/pk-debconf-socket rw, # The following is needed when debconf uses GUI frontends. include @@ -74,11 +78,6 @@ profile frontend @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, - owner /tmp/file* w, - - profile scripts flags=(complain) { include include diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index fc56b1c7..45a4c76a 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -24,7 +24,7 @@ profile fsck @{exec_path} { /etc/fstab r, # When a mount dir is passed to fsck as an argument. - @{MOUNTS}/*/ r, + @{MOUNTS}/ r, /boot/ r, /home/ r, 
@@ -33,7 +33,7 @@ profile fsck @{exec_path} { owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/mount/utab r, - @{run}/systemd/fsck.progress w, + @{run}/systemd/fsck.progress rw, @{PROC}/@{pids}/mountinfo r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-a-f/fsck-fat b/apparmor.d/profiles-a-f/fsck-fat index 993475b6..d17e06e2 100644 --- a/apparmor.d/profiles-a-f/fsck-fat +++ b/apparmor.d/profiles-a-f/fsck-fat @@ -16,9 +16,9 @@ profile fsck-fat @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 6b658ee1..3dccb5c7 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -27,9 +27,9 @@ profile fuseiso @{exec_path} { # Image files to be mounted owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{HOME}/.mtab.fuseiso rwk, owner @{HOME}/.mtab.fuseiso.new rw, @@ -60,9 +60,9 @@ profile fuseiso @{exec_path} { # Image files to be mounted owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 471ab9f3..8f217fbe 100644 --- a/apparmor.d/profiles-a-f/fwupd 
+++ b/apparmor.d/profiles-a-f/fwupd @@ -86,11 +86,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /dev/bus/usb/ r, /dev/bus/usb/[0-9]*/[0-9]* rw, /dev/drm_dp_aux[0-9]* rw, + /dev/gpiochip[0-9]* r, /dev/hidraw[0-9]* rw, /dev/mei[0-9]* rw, /dev/mem r, + /dev/mtd[0-9]* rw, /dev/sd[a-z]* r, /dev/tpm[0-9]* rw, + /dev/tpmrm[0-9]* rw, /dev/wmi/* r, profile gpg flags=(complain) { diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 19e51f9b..57144bb0 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,11 +8,13 @@ abi , include @{exec_path} = /{usr/,}bin/fwupdmgr -profile fwupdmgr @{exec_path} flags=(complain) { +profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include + include + include include - include include + include signal (send), 
@@ -27,26 +29,21 @@ profile fwupdmgr @{exec_path} flags=(complain) { /{usr/,}bin/dbus-launch rCx -> dbus, /{usr/,}bin/pkttyagent rPx, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/fwupd/ rw, - owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/fwupd/ rw, + owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, owner @{PROC}/@{pid}/fd/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - /dev/tty rw, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - profile dbus { include include diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 8fe3789b..24f97a78 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gajim profile gajim @{exec_path} { include + include include include include @@ -92,10 +93,6 @@ profile gajim @{exec_path} { /tmp/ r, owner /tmp/* rw, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Silencer deny /usr/share/gajim/** w, deny /usr/lib/python3/dist-packages/** w, diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 66354c43..2b501e69 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk 
@@ -24,13 +24,13 @@ profile gdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 83f90368..ac9ffba1 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -27,6 +27,8 @@ profile git @{exec_path} { network inet6 stream, network netlink raw, + signal (send) peer=aurpublish, + @{exec_path} mrix, # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you @@ -78,8 +80,8 @@ profile git @{exec_path} { /etc/mailname r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, + owner @{user_projects_dirs}/ rw, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, owner /tmp/** rwkl -> /tmp/**, @@ -165,8 +167,8 @@ profile git @{exec_path} { /etc/vimrc r, /etc/vim/{,**} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/[0-9]* rw, + owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, + owner @{user_projects_dirs}/**/.git/[0-9]* rw, owner @{HOME}/.fzf/plugin/ r, owner @{HOME}/.fzf/plugin/fzf.vim r, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index beb5c439..dad61dd6 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd 
@@ -12,8 +12,8 @@ profile gitstatusd @{exec_path} { @{exec_path} mr, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw, + owner @{user_projects_dirs}/{,**} r, + owner @{user_projects_dirs}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 6db45327..7cd08c62 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gpartedbin profile gpartedbin @{exec_path} { include + include include include include @@ -130,10 +131,6 @@ profile gpartedbin @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, # For fsck of the btrfs filesystem @@ -156,8 +153,8 @@ profile gpartedbin @{exec_path} { mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/, mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/, + mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r, @@ -179,8 +176,8 @@ profile gpartedbin @{exec_path} { umount /tmp/gparted-*/, umount /boot/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index e4da11c1..b7c74d74 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/groups profile groups @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index b3ba2f2a..7c0748a3 100644 
--- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -30,9 +30,9 @@ profile hdparm @{exec_path} flags=(complain) { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index a229b405..6f61f072 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -8,6 +8,7 @@ include @{exec_path} = /{,usr/}bin/host profile host @{exec_path} { include + include include include @@ -16,7 +17,7 @@ profile host @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} r, + @{exec_path} mr, owner @{PROC}/@{pids}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 79e1e553..71be4528 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -95,8 +95,10 @@ profile htop @{exec_path} { @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r, @{sys}/devices/system/cpu/cpu[0-9]*/online r, - @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 2be0f5ac..d771789d 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo 
@@ -10,21 +10,30 @@ include @{exec_path} = /{usr/,}bin/hugo profile hugo @{exec_path} { include + include + include network inet stream, network inet6 stream, @{exec_path} mr, + /{usr/,}bin/git rix, + /{usr/,}lib/go/bin/go rix, + /{usr/,}lib/git-core/git-remote-http rix, + + /usr/share/git-core/{,**} r, /usr/share/mime/{,**} r, + /usr/share/terminfo/x/xterm-256color r, /etc/mime.types r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.hugo_build.lock rwk, + owner @{user_projects_dirs}/{,**} rw, + owner @{user_projects_dirs}/**/.hugo_build.lock rwk, + owner @{user_projects_dirs}/**/go.{mod,sum} rwk, - owner /tmp/hugo_cache/ rw, - owner /tmp/hugo_cache/**/ rw, + owner /tmp/hugo_cache/{,**} rwkl, + owner /tmp/go-codehost-[0-9]* rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 5bc7cdfc..e913cee3 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -15,6 +15,7 @@ include @{exec_path} += /{usr/,}lib/hypnotix/hypnotix.py profile hypnotix @{exec_path} { include + include include include include @@ -62,11 +63,6 @@ profile hypnotix @{exec_path} { owner @{MOUNTS}/**/ r, owner /{home,media}/**.@{hypnotix_ext} r, - # To be able to store settings - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/hypnotix/{,**} r, owner @{HOME}/.hypnotix/ rw, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 73e36a65..7df34f07 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -12,8 +12,7 @@ profile ifup @{exec_path} { include capability net_admin, - # Needed? - audit deny capability sys_module, + audit capability sys_module, network netlink raw, 
@@ -33,7 +32,7 @@ profile ifup @{exec_path} { /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}sbin/sysctl rCx -> sysctl, + /{usr/,}{s,}bin/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -115,7 +114,7 @@ profile ifup @{exec_path} { capability sys_admin, # capability sys_resource, - /{usr/,}sbin/sysctl mr, + /{usr/,}{s,}bin/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog new file mode 100644 index 00000000..6c508b3c --- /dev/null +++ b/apparmor.d/profiles-g-l/install-catalog @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/install-catalog +profile install-catalog @{exec_path} { + include + + capability dac_read_search, + + @{exec_path} mr, + + /{usr/,}bin/{,ba}sh rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + + /etc/sgml/catalog{,.new} rw, + /etc/sgml/sgml-docbook.cat{,.new} rw, + /etc/sgml/sgml-ent.cat{,.new} rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 8c5a471c..ed7a3340 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,18 +7,18 @@ abi , include -@{exec_path} = /{usr/,}bin/ip +@{exec_path} = /{usr/,}{s,}bin/ip profile ip @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability net_admin, + capability sys_admin, capability sys_module, network netlink raw, - @{exec_path} mrix, - mount options=(rw, rshared) -> /{var/,}run/netns/, mount options=(rw, rslave) -> /, mount options=(rw, bind) / -> /{var/,}run/netns/*, 
@@ -28,12 +28,15 @@ profile ip @{exec_path} flags=(attach_disconnected) { umount @{run}/netns/*, umount /sys/, - /etc/iproute2/{,**} r, + @{exec_path} mrix, / r, + + /etc/iproute2/{,**} r, + /etc/netns/*/ r, + owner @{run}/netns/ rw, @{run}/netns/* rw, - /etc/netns/*/ r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/net/dev_mcast r, diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index f94e21e4..1948827e 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/jami-gnome profile jami-gnome @{exec_path} { include + include include include include @@ -40,10 +41,6 @@ profile jami-gnome @{exec_path} { /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/ring/{,**} r, diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install index 79b1478d..9bf9a3b2 100644 --- a/apparmor.d/profiles-g-l/jdownloader-install +++ b/apparmor.d/profiles-g-l/jdownloader-install @@ -6,9 +6,8 @@ abi , include -@{JD_INSTALLDIR} = /home/*/jd2 -@{JD_SH_PATH} = /home/*/@{XDG_DOWNLOAD_DIR} -@{JD_SH_PATH} += /home/*/@{XDG_DESKTOP_DIR} +@{JD_INSTALLDIR} = @{HOME}/jd2 +@{JD_SH_PATH} = @{user_download_dirs} @{HOME}/@{XDG_DESKTOP_DIR} @{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh profile jdownloader-install @{exec_path} { diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index c80ec1eb..1eb551d2 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll 
@@ -1,9 +1,8 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -@{JEKYLL_DIR}=@{HOME}/morfikov.github.io - abi , include @@ -17,19 +16,18 @@ profile jekyll @{exec_path} { @{exec_path} r, /{usr/,}bin/ruby[0-9].[0-9]* rix, - /usr/share/rubygems-integration/*/specifications/ r, - /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, - /{usr/,}lib/ruby/gems/*/specifications/ r, /{usr/,}lib/ruby/gems/*/specifications/** r, /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, + /usr/share/rubygems-integration/*/specifications/ r, + /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, + /usr/share/ruby-addressable/unicode.data r, - # Jekyll dir - owner @{JEKYLL_DIR}/{,**} r, - owner @{JEKYLL_DIR}/_site/{,**} rw, - owner @{JEKYLL_DIR}/.sass-cache/** rw, + owner @{user_projects_dirs}/{,**} r, + owner @{user_projects_dirs}/**/_site/{,**} rw, + owner @{user_projects_dirs}/**/.sass-cache/** rw, @{PROC}/version r, diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index ae24a13c..008f9569 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -29,7 +29,7 @@ profile keepassxc-proxy @{exec_path} { # deny owner @{HOME}/.mozilla/** rw, deny owner @{user_cache_dirs}/mozilla/** rw, - deny owner @{MOUNTS}/*/.mozilla/** rw, + deny owner @{MOUNTS}/.mozilla/** rw, deny owner /tmp/firefox*/.parentlock rw, deny owner /tmp/tmp-*.xpi rw, deny owner /tmp/tmpaddon r, diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 4efe443e..ddf480c8 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/kerneloops profile kerneloops @{exec_path} { include + include include capability syslog, 
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ae8e492f..71f30ab2 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -12,22 +12,12 @@ include profile kmod @{exec_path} flags=(attach_disconnected) { include include + include - # To load/unload kernel modules - # modprobe: ERROR: could not insert '*': Operation not permitted - # - # modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove - # '*': Operation not permitted - capability sys_module, - - # For error logs to go through the syslog mechanism (as LOG_DAEMON with level LOG_NOTICE) rather - # than to standard error. - capability syslog, - - # Needed for static-nodes capability dac_override, - capability mknod, + capability sys_module, + capability syslog, unix (receive) type=stream, 
@@ -37,36 +27,36 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/sysctl rPx, /{usr/,}lib/modprobe.d/{,*.conf} r, - /etc/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /{usr/,}lib/modules/*/modules.* rw, + /etc/depmod.d/{,**} r, + /etc/modprobe.d/{,*.conf} r, + /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, + /var/lib/dpkg/triggers/* r, /var/tmp/dracut.*/{,**} rw, + owner /boot/System.map-* r, + owner /tmp/mkinitcpio.*/{,**} rw, + + # For local kernel build + owner /tmp/depmod.*/lib/modules/*/ r, + owner /tmp/depmod.*/lib/modules/*/modules.* rw, + owner @{user_build_dirs}/**/System.map r, + owner @{user_build_dirs}/**/lib/modules/*/ r, + owner @{user_build_dirs}/**/lib/modules/*/modules.* rw, + owner @{user_build_dirs}/**/lib/modules/*/kernel/{,**/} r, + owner @{user_build_dirs}/**/lib/modules/*/kernel/**/*.ko r, + + owner @{run}/tmpfiles.d/ w, + owner @{run}/tmpfiles.d/static-nodes.conf w, @{sys}/module/{,**} r, @{PROC}/cmdline r, @{PROC}/modules r, - # Initframs - owner /tmp/mkinitcpio.*/{,**} rw, - - owner @{run}/tmpfiles.d/ w, - owner @{run}/tmpfiles.d/static-nodes.conf w, - - # For local kernel build - owner /tmp/depmod.*/lib/modules/*/ r, - owner /tmp/depmod.*/lib/modules/*/modules.* rw, - owner @{user_build_dirs}/**/System.map r, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/ r, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/modules.* rw, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/{,**/} r, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/**/*.ko r, - deny /apparmor/.null rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 7790d273..0cae0773 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc 
@@ -58,7 +58,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{run}/systemd/seats/seat[0-9]* r, @{run}/user/@{uid}/wayland-[0-9].lock k, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate new file mode 100644 index 00000000..3c878be3 --- /dev/null +++ b/apparmor.d/profiles-g-l/language-validate @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/language-tools/language-validate +profile language-validate @{exec_path} { + include + + capability setgid, + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, + /usr/share/language-tools/language-options rix, + + /usr/share/locale-langpack/{,*} r, + /usr/share/language-tools/{,*} r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index 04926ce2..3ddb573b 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/last{,b} profile last @{exec_path} { include + include include include @@ -21,5 +22,8 @@ profile last @{exec_path} { @{PROC}/@{pids}/loginuid r, + /var/log/wtmp r, + /var/log/btmp{,.[0-9]*} r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index bf32a379..3bfc4a63 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/lastlog profile lastlog @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index ee14411a..b5f78f2c 100644 
--- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/light-locker profile light-locker @{exec_path} { include + include include include include @@ -25,11 +26,7 @@ profile light-locker @{exec_path} { owner @{PROC}/@{pid}/cgroup r, # when locking the screen and switching/closing sessions - @{run}/systemd/sessions/[0-9]* r, - - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + @{run}/systemd/sessions/* r, @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/pci[0-9]*/**/vendor r, diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 36bae0f8..ffcf468d 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -18,20 +18,44 @@ profile login @{exec_path} { capability fsetid, capability setgid, capability setuid, + capability sys_resource, + capability audit_write, + capability dac_read_search, +# capability net_admin, + +# network netlink raw, @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rUx, /etc/environment r, + /etc/motd r, + /etc/legal r, + /etc/default/locale r, + /etc/security/pam_env.conf r, + /etc/security/group.conf r, + /etc/security/limits.conf r, + /etc/security/limits.d/{,*} r, /var/log/btmp{,.[0-9]*} r, @{run}/faillock/root rwk, - @{run}/systemd/userdb/ r, + @{run}/dbus/system_bus_socket rw, + @{run}/motd.dynamic{,.new} rw, + @{run}/systemd/sessions/*.ref rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/1/limits r, + + owner @{user_cache_dirs}/motd.legal-displayed rw, + + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"), include if exists -} \ No newline at end of file +} 
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate old mode 100644 new mode 100755 index 8a5aef04..db9073cd --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/logrotate -profile logrotate @{exec_path} flags=(attach_disconnected, complain) { +profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -23,6 +23,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { audit deny capability net_admin, signal (send) set=(hup), + signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, @@ -30,13 +31,20 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/shred rix, /{usr/,}bin/kill rix, /{usr/,}bin/ls rix, /{usr/,}bin/gzip rix, /{usr/,}bin/zstd rix, /{usr/,}{s,}bin/invoke-rc.d rix, /{usr/,}lib/rsyslog/rsyslog-rotate rix, - /{usr/,}bin/fail2ban-client rPx, + + /{usr/,}bin/fail2ban-client rPx, + /{usr/,}bin/systemd-tty-ask-password-agent rPx, + /{usr/,}bin/my_print_defaults rPUx, + /{usr/,}bin/mysqladmin rPUx, + /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx, # no new privs #/{usr/,}bin/systemctl rCx -> systemctl, @@ -51,6 +59,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + owner @{run}/systemd/private rw, + /etc/ r, /etc/logrotate.conf rk, /etc/logrotate.d/ r, 
@@ -61,15 +71,15 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /var/lib/logrotate.status rwk, /var/lib/logrotate.status.tmp rw, - /var/log/** rw, - - # Needed to remove the following error: - # logrotate[]: error: could not change directory to '.' / r, + /var/log{,.hdd}/ r, + /var/log{,.hdd}/** rw, + + @{run}/systemd/private rw, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - profile systemctl flags=(attach_disconnected, complain) { + profile systemctl flags=(attach_disconnected) { include include @@ -86,6 +96,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /dev/kmsg rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk index c71fe8e2..3144bb97 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -13,6 +13,9 @@ profile lsblk @{exec_path} { include include + capability dac_read_search, + deny capability dac_override, + @{exec_path} mr, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu index 48f0532d..16dee098 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/profiles-g-l/lscpu @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/lscpu profile lscpu @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index f270780b..e3308c76 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -19,6 +19,7 @@ profile lspci @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/[0-9]*/address r, @{sys}/devices/pci[0-9]*/** r, /usr/share/hwdata/pci.ids r, diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index 1b14475a..e32ab8c7 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man 
@@ -97,10 +97,9 @@ profile man_filter { # do is feed data to the invoking man process. /usr/** r, owner @{HOME}/@{XDG_DATA_HOME}/** r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/** r, + owner @{user_projects_dirs}/** r, owner @{user_cache_dirs}/** r, owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r, - owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r, /var/cache/man/** w, } diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl new file mode 100644 index 00000000..e0e87a50 --- /dev/null +++ b/apparmor.d/profiles-m-r/mdevctl @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/mdevctl +profile mdevctl @{exec_path} { + include + + @{exec_path} mr, + + /etc/mdevctl.d/{,**} r, + + @{PROC}/@{pids}/maps r, + + @{sys}/bus/mdev/devices/ r, + @{sys}/class/mdev_bus/ r, + @{sys}/devices/pci[0-9]*/**/mdev_supported_types/{,**} r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 21f54328..3337a719 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -34,6 +34,7 @@ include @{exec_path} = /{usr/,}bin/mediainfo-gui profile mediainfo-gui @{exec_path} { include + include include include include @@ -56,11 +57,6 @@ profile mediainfo-gui @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 96e479d6..1513de37 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -6,8 +6,6 @@ abi , include -@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage - @{exec_path} = /{usr/,}bin/megasync profile megasync @{exec_path} { include 
@@ -55,11 +53,8 @@ profile megasync @{exec_path} { owner @{user_config_dirs}/QtProject.conf r, # Sync folder - #/ r, - #@{MOUNTS}/ r, - #@{MOUNTS}/*/ r, - owner @{SYNC_FOLDER}/ r, - owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**, + owner @{user_sync_dirs}/ r, + owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, # Proc filesystem deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 2f19be1e..5701e0c9 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -41,7 +41,7 @@ profile minitube @{exec_path} { owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk, # Snapshot - owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw, + owner @{user_pictures_dirs}/*.png rw, owner @{HOME}/vlcsnap-.png rw, /usr/share/minitube/{,**} r, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index 1e528126..d50ad958 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/telepathy/mission-control-5 profile mission-control @{exec_path} { include - include + include network netlink raw, @@ -21,7 +21,6 @@ profile mission-control @{exec_path} { owner @{user_share_dirs}/telepathy/mission-control/*.cfg r, - @{run}/user/@{uid}/dconf/user rw, @{run}/systemd/inhibit/[0-9]*.ref rw, include if exists diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index e691740e..c25377a3 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs 
@@ -30,9 +30,9 @@ profile mke2fs @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For virt-resize owner /var/tmp/.guestfs-[0-9]*/** rwk, diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index 9613134a..191bb035 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -24,9 +24,9 @@ profile mkfs-btrfs @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat index 8e946c9e..441dc271 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat @@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index fc03477e..afbc6b00 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -19,37 +20,36 @@ profile mkinitramfs @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}sbin/ r, - /{usr/,}bin/ r, + /{usr/,}{s,}bin/ r, /{usr/,}lib/ r, /{usr/,}lib64/ r, - /{usr/,}bin/getopt rix, - /{usr/,}bin/basename rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tsort rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/id rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/env rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/tr rix, - - /{usr/,}bin/cpio rix, - /{usr/,}bin/gzip rix, + /{usr/,}bin/basename rix, /{usr/,}bin/bzip2 rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cpio rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/env rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/id rix, + /{usr/,}bin/ln rix, /{usr/,}bin/lzma rix, /{usr/,}bin/lzop rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/tsort rix, + /{usr/,}bin/xargs rix, /{usr/,}bin/xz rix, /{usr/,}bin/zstd rix, 
@@ -87,20 +87,23 @@ profile mkinitramfs @{exec_path} { /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs-* rw, - @{PROC}/modules r, - + owner @{PROC}/@{uid}/fd/ r, + @{PROC}/cmdline r, + @{PROC}/modules r, profile ldd { include include + include /{usr/,}bin/ldd mr, - /{usr/,}bin/kmod mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/kmod mr, + /{usr/,}lib/initramfs-tools/bin/* mr, - /{usr/,}lib/@{multiarch}/ld-*.so rix, - /{usr/,}lib{,x}32/ld-*.so rix, + /{usr/,}lib/@{multiarch}/ld-*.so* rix, + /{usr/,}lib{,x}32/ld-*.so rix, } @@ -110,7 +113,10 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - /{usr/,}sbin/ldconfig mr, + /{usr/,}{s,}bin/ldconfig mr, + + /{usr/,}{s,}bin/ldconfig.real rix, + /{usr/,}bin/{,ba,da}sh rix, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, @@ -148,11 +154,14 @@ profile mkinitramfs @{exec_path} { profile kmod { include include + include /{usr/,}bin/kmod mr, @{PROC}/cmdline r, + /etc/depmod.d/ r, + /etc/depmod.d/*.conf r, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index fe13d31a..7432f00a 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -1,12 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}bin/mount +@{exec_path} = /{usr/,}{s,}bin/mount profile mount @{exec_path} flags=(complain) { include include 
@@ -25,14 +27,20 @@ profile mount @{exec_path} flags=(complain) { network inet stream, network inet6 stream, + ptrace (read) peer=k3s, + signal (receive) set=(term, kill), @{exec_path} mr, - /{usr/,}bin/ntfs-3g rPx, /{usr/,}{s,}bin/lowntfs-3g rPx, - /{usr/,}bin/sshfs rPx, /{usr/,}{s,}bin/mount.* rPx, + /{usr/,}bin/ntfs-3g rPx, + /{usr/,}bin/sshfs rPx, + + /etc/fstab r, + + /var/lib/snapd/snaps/*.snap r, # Mount points @{HOME}/ r, @@ -45,23 +53,22 @@ profile mount @{exec_path} flags=(complain) { # Mount iso/img files owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - - # The special /dev/loop-control file can be used to create and destroy loop devices or to find - # the first available loop device. - /dev/loop-control rw, - - /etc/fstab r, - - /tmp/sanity-squashfs-[0-9]* rw, - - owner @{PROC}/@{pid}/mountinfo r, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{run}/mount/ rw, owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, + /tmp/sanity-squashfs-[0-9]* rw, + /tmp/syscheck-squashfs-[0-9]* rw, + + owner @{PROC}/@{pid}/mountinfo r, + + # The special /dev/loop-control file can be used to create and destroy loop + # devices or to find the first available loop device. + /dev/loop-control rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 80c23b8d..1ee7662b 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs 
@@ -1,12 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}sbin/mount.cifs +@{exec_path} = /{usr/,}{s,}bin/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include include @@ -30,19 +31,18 @@ profile mount-cifs @{exec_path} flags=(complain) { owner @{HOME}/.smbcredentials r, # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, # Allow to mount smb/cifs disks only under the /media/ dirs + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, mount fstype=cifs -> @{MOUNTS}/*/, - mount fstype=cifs -> @{MOUNTS}/*/*/, - mount fstype=cifs -> /mnt/, - mount fstype=cifs -> /mnt/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, - umount /mnt/, - umount /mnt/*/, include if exists } diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 69c86061..1e9a6fbf 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -1,12 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}sbin/mount.nfs +@{exec_path} = /{usr/,}{s,}bin/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -26,11 +27,11 @@ profile mount-nfs @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}sbin/start-statd rix, - /{usr/,}bin/flock rix, + /{usr/,}{s,}bin/start-statd rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/flock rix, - /usr/bin/systemctl rPx -> child-systemctl, + /usr/bin/systemctl rPx -> child-systemctl, /etc/fstab r, /etc/netconfig r, 
@@ -45,21 +46,20 @@ profile mount-nfs @{exec_path} flags=(complain) { owner @{run}/rpc.statd.lock wk, # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, # Allow to mount smb/cifs disks only under the /media/ dirs + mount fstype=nfs -> @{MOUNTDIRS}/, + mount fstype=nfs -> @{MOUNTS}/, mount fstype=nfs -> @{MOUNTS}/*/, - mount fstype=nfs -> @{MOUNTS}/*/*/, - mount fstype=nfs -> /mnt/, - mount fstype=nfs -> /mnt/*/, mount fstype=nfs -> /, mount fstype=nfs -> /*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, - umount /mnt/, - umount /mnt/*/, umount /, umount /*/, diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs new file mode 100644 index 00000000..cfd13ccf --- /dev/null +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/mount.zfs +profile mount-zfs @{exec_path} flags=(complain) { + include + include + + capability sys_admin, # To mount anything. + + @{exec_path} mr, + + /dev/pts/[0-9]* rw, + + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + + mount fstype=zfs -> @{MOUNTDIRS}/, + mount fstype=zfs -> @{MOUNTS}/, + mount fstype=zfs -> @{MOUNTS}/*/, + mount fstype=zfs -> /, + mount fstype=zfs -> /*/, + mount fstype=zfs -> /tmp/zfsmnt.*/, + mount fstype=zfs -> /tmp/zfsmnt.*/*/, + + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount /, + umount /*/, + umount /tmp/zfsmnt.*/, + umount /tmp/zfsmnt.*/*/, + + @{PROC}/@{pids}/mounts r, + + /dev/zfs rw, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index f68fa31f..5f7b20c9 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools 
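Review bot: the mount-nfs mount-point hunk keeps the comment `# Allow to mount smb/cifs disks only under the /media/ dirs`, which was copied from mount-cifs and is doubly wrong here: the filesystem is nfs, and the rules that follow allow `mount fstype=nfs -> /,` and `mount fstype=nfs -> /*/,`, i.e. any top-level directory, not only /media/. Reword it to state the nfs target set and, if mounting over `/` and `/*/` is intentional, say which use case needs it.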
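Review bot: in the new mount-zfs profile `/dev/pts/[0-9]* rw,` lacks `owner` and sits above the mount-point rules, while the guideline order puts /dev/ rules last (the file itself already places `/dev/zfs rw,` at the bottom); move it next to `/dev/zfs rw,` and prefix it with `owner`. `mount fstype=zfs -> /,` and `mount fstype=zfs -> /*/,` allow mounting over any top-level directory; as with mount-nfs, a comment explaining why @{MOUNTDIRS}/, @{MOUNTS}/ and /tmp/zfsmnt.*/ are not sufficient would keep the rule from being copied further.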
@@ -25,9 +25,9 @@ profile mtools @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c7de4c65..02f53ffa 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
@@ -7,28 +7,55 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/needrestart -profile needrestart @{exec_path} { +profile needrestart @{exec_path} flags=(attach_disconnected) { include include + include include + include include + capability checkpoint_restore, + capability dac_read_search, capability sys_ptrace, ptrace (read), - @{exec_path} mr, + @{exec_path} mrix, - /{usr/,}bin/systemd-detect-virt rPx, - /{usr/,}bin/who rix, - /usr/share/debconf/frontend rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/fail2ban-server rPx, + /{usr/,}bin/locale rix, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/systemctl rPx, + /{usr/,}bin/systemd-detect-virt rPx, + /{usr/,}bin/udevadm rPx, + /{usr/,}bin/whiptail rPx, + /{usr/,}bin/who rix, + /{usr/,}lib/needrestart/iucode-scan-versions rPx, + /usr/share/debconf/frontend rix, + /{usr/,}bin/gettext.sh r, + /usr/share/needrestart/{,**} r, + /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, + + /etc/debconf.conf r, /etc/needrestart/{,**} r, + /etc/needrestart/*.d/* rix, + /etc/shadow r, - @{PROC}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/stat r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, /dev/ r, /dev/**/ r, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat new file mode 100644 index 00000000..a65591fb --- /dev/null +++ b/apparmor.d/profiles-m-r/netstat 
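Review bot: `/{usr/,}bin/dpkg-query rpx,` in the needrestart hunk uses lowercase `px` while every other transition in the hunk is `rPx`; lowercase px does not scrub the environment across the profile transition, so this looks like a typo for `rPx`. Two further points in the same hunk: `/etc/shadow r,` is a sensitive read with no comment justifying why needrestart needs it, and `/etc/needrestart/*.d/* rix,` runs local hook scripts inheriting a profile that now holds `capability checkpoint_restore`, `dac_read_search`, `sys_ptrace` and the /etc/shadow read; consider a child profile (as run-parts does with `rCx -> kernel`) instead of `ix`.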
@@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2017 Christian Boltz +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/netstat +profile netstat @{exec_path} { + include + include + include + + capability dac_read_search, + capability sys_ptrace, + capability syslog, + + ptrace (trace,read), + + @{exec_path} rmix, + + /etc/networks r, + + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/net/netstat r, + @{PROC}/@{pids}/net/raw r, + @{PROC}/@{pids}/net/raw6 r, + @{PROC}/@{pids}/net/snmp r, + @{PROC}/@{pids}/net/tcp r, + @{PROC}/@{pids}/net/tcp6 r, + @{PROC}/@{pids}/net/udp r, + @{PROC}/@{pids}/net/udp6 r, + @{PROC}/@{pids}/net/udplite r, + @{PROC}/@{pids}/net/udplite6 r, + @{PROC}/@{pids}/net/unix r, + @{PROC}/net r, + @{PROC}/net/* r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/attr/current r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap index 2da77d9b..d769bfcc 100644 --- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +12,7 @@ profile newgidmap @{exec_path} { include include + capability dac_override, capability setgid, capability sys_admin, diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap index 88af9bb6..3ec9d09e 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
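Review bot: `ptrace (trace,read),` in the new netstat profile grants `trace` (attach) although reading `/proc/<pid>/fd/` and `cmdline` for `-p` only needs `ptrace (read),`, which is what the needrestart and pstree profiles in this same patch use; drop `trace`. Also `@{PROC} r,` is missing the trailing slash used for directory rules elsewhere in the file (`@{PROC}/@{pids}/fd/ r,`) and in needrestart (`@{PROC}/ r,`); write `@{PROC}/ r,`.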
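Review bot: `capability dac_override,` is added to newgidmap (and, in the following hunk, to newuidmap) with no comment; both are setuid-root helpers, so state which file access triggered the denial, and prefer `dac_read_search` if a read past directory permissions is all that is needed, since dac_override also permits writes.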
@@ -11,6 +12,7 @@ profile newuidmap @{exec_path} { include include + capability dac_override, capability setuid, capability sys_admin, diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin new file mode 100644 index 00000000..252f9054 --- /dev/null +++ b/apparmor.d/profiles-m-r/nologin @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/nologin +profile nologin @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 71aa765f..af9b1fc3 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -8,6 +8,7 @@ include @{exec_path} = /{,usr/}bin/nslookup profile nslookup @{exec_path} { include + include include include @@ -16,7 +17,7 @@ profile nslookup @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} r, + @{exec_path} mr, owner @{PROC}/@{pids}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index faf590df..94014b46 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g 
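Review bot: the new nologin file ends with `\ No newline at end of file`, the same defect the pkttyagent hunk in this patch fixes; add the trailing newline before merging so the next edit to the file does not produce a spurious diff on the closing brace.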
@@ -23,36 +23,35 @@ profile ntfs-3g @{exec_path} { @{exec_path} mr, - @{PROC}/@{pids}/task/@{tid}/status r, - owner @{PROC}/@{pid}/mounts r, + /{usr/,}bin/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + + # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + + # Allow to mount encrypted partition + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/, + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, - # Mount points - @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, - - # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/*/, - mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, - - # Allow to mount encrypted partition - mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, - mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/, - mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/, - - umount @{MOUNTS}/*/, - umount /mnt/*/, - - # kmod is used to load the fuse kernel module - /{usr/,}bin/kmod rPx, - include if exists } 
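Review bot: `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},` in the ntfs-3g hunk is missing the trailing slash that every other mount target in the hunk has (`-> @{MOUNTDIRS}/,`), so it will not match the directory the way the cifs/nfs/zfs rules do; fix the slash. The two `/dev/mmcblk[0-9]*p[0-9]*` rules also got no `@{MOUNTDIRS}/` target, unlike the sd/vd and dm-* rules, while the `umount` list makes no mmcblk-specific distinction, so the omission looks accidental.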
diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index cf4c5edd..713cbbe0 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -21,7 +21,7 @@ profile ntfsclone @{exec_path} { # A place for backups @{HOME}/* rwk, - @{MOUNTS}/*/** rwk, + @{MOUNTS}/** rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp index ac6197c3..a10e17f2 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -17,10 +17,10 @@ profile ntfscp @{exec_path} { # For writing files owned by users other than root, since ntfscp has to be started as root. capability dac_read_search, - @{HOME}/@{XDG_DOWNLOAD_DIR}/ r, - @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl -> @{HOME}/@{XDG_DOWNLOAD_DIR}/**, @{HOME}/@{XDG_DESKTOP_DIR}/ r, - @{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> @{HOME}/@{XDG_DESKTOP_DIR}/**, + @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**, + @{user_download_dirs}/ r, + @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 9640ce9a..3b35e019 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,6 +10,7 @@ include profile nvtop @{exec_path} { include include + include include include @@ -25,6 +26,7 @@ profile nvtop @{exec_path} { @{PROC}/@{pids}/stat r, @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + /dev/dri/ r, /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw, include if exists diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 9ad55666..75d4cbc7 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/obconf profile obconf @{exec_path} { include + include include include include 
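Review bot: the ntfscp hunk moves the download rules to `@{user_download_dirs}/` but leaves `@{HOME}/@{XDG_DESKTOP_DIR}/` as is; if the project defines an equivalent desktop variable, use it here too so the two rule pairs stay parallel, otherwise add a comment on why only the download directory changed.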
@@ -33,10 +34,6 @@ profile obconf @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index 3bc0b3ac..8e134416 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -16,8 +16,8 @@ profile obex-folder-listing @{exec_path} { owner @{HOME}/ r, owner @{HOME}/**/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/**/ r, + owner @{MOUNTS}/ r, + owner @{MOUNTS}/**/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 40209d49..eeb46bdf 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -70,9 +70,9 @@ profile parted @{exec_path} { # file_inherit include # lots of files in this abstraction get inherited owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, } diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 8455fa74..b701b02b 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -56,7 +56,7 @@ profile pass @{exec_path} { /usr/share/terminfo/x/xterm-256color r, owner @{HOME}/.password-store/{,**} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw, + owner @{user_projects_dirs}/**/*-store/{,**} rw, owner @{user_config_dirs}/password-store/{,**} rw, owner /dev/shm/pass.*/{,*} rw, 
@@ -84,7 +84,7 @@ profile pass @{exec_path} { owner @{HOME}/.viminfo{,.tmp} rw, owner @{HOME}/.password-store/ r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ r, + owner @{user_projects_dirs}/**/*-store/ r, owner @{user_config_dirs}/password-store/ r, owner @{user_cache_dirs}/vim/{,**} rw, @@ -118,8 +118,8 @@ profile pass @{exec_path} { owner @{HOME}/.password-store/ rw, owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**, + owner @{user_projects_dirs}/**/*-store/ rw, + owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/password-store/ rw, owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 55418bae..c02d9d37 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -27,7 +27,7 @@ profile pass-import @{exec_path} { /usr/share/file/misc/magic.mgc r, owner @{HOME}/.password-store/{,**} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw, + owner @{user_projects_dirs}/**/*-store/{,**} rw, owner @{user_config_dirs}/password-store/{,**} rw, owner /tmp/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index 44e9dea5..9b9663e3 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/passwd profile passwd @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index b754183e..18ac7aa7 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,30 +11,41 @@ include profile pkexec @{exec_path} flags=(complain) { include include - include - include include + include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, - capability sys_ptrace, capability audit_write, capability dac_read_search, - - # gdbus - capability setgid, - # gmain - capability setuid, - - # Needed? - deny capability sys_nice, + capability setgid, # gdbus + capability setuid, # gmain + capability sys_ptrace, + audit deny capability sys_nice, ptrace (read), network netlink raw, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={EnumerateActions,CheckAuthorization}, + @{exec_path} mr, + # Apps to be run via pkexec + /{usr/,}{s,}bin/* rPUx, + /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) + /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + /{usr/,}lib/update-notifier/package-system-locked rPx, + /usr/share/apport/apport-gtk rPx, + /etc/shells r, /etc/environment r, /etc/default/locale r, @@ -42,13 +54,6 @@ profile pkexec @{exec_path} flags=(complain) { @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/fd/ r, - # Apps to be run via pkexec - /{usr/,}{s,}bin/* rPUx, - /{usr/,}bin/* rPUx, - /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/update-notifier/package-system-locked rPx, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index ebc0366e..fb894967 100644 
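Review bot: the two `dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority` rules in the pkexec hunk carry no `peer=` constraint, whereas the rtkit-daemon hunk in this patch pins its bus calls with `peer=(name=org.freedesktop.DBus)`; add a `peer=(name=...)` label so that a send to the same object path exported by another connection on the system bus is not also permitted. The `#(#FIXME#)` on `/{usr/,}lib/gvfs/gvfsd-admin rPUx,` survives the move; either resolve it or expand it into a comment saying what is unfinished.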
--- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,11 +10,30 @@ include @{exec_path} = /{usr/,}bin/pkttyagent profile pkttyagent @{exec_path} { include + include + include capability sys_nice, + capability audit_write, ptrace (read), - signal (receive), + signal (send,receive), + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=RegisterAuthenticationAgentWithOptions, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, @{exec_path} mr, @@ -22,4 +42,4 @@ profile pkttyagent @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index c2cebc60..3ec18665 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/power-profiles-daemon profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, 
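Review bot: the `dbus receive` rule for `/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent` in the pkttyagent hunk hard-codes `interface=org.freedesktop.PolicyKit1.AuthenticationAgent` while the path and every other rule in the file use `PolicyKit[0-9]`; make it consistent. `signal (send,receive),` widens the previous receive-only rule to unrestricted send to any peer; scope it the way the pkexec profile does (`signal (send) set=(term, kill) peer=polkit-agent-helper,`). Finally `capability audit_write,` is inserted after `capability sys_nice,`, breaking the alphabetical order the guidelines ask for.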
@@ -16,6 +17,29 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member={GetAll,Set}, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus bind bus=system + name=net.hadess.PowerProfiles, + @{exec_path} mr, /var/lib/power-profiles-daemon/{,**} rw, @@ -30,6 +54,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw, + @{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index 3f524288..90ec3046 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps @@ -52,7 +52,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/tty/drivers r, @{PROC}/uptime r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree new file mode 100644 index 00000000..a8da6399 --- /dev/null +++ b/apparmor.d/profiles-m-r/pstree 
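Review bot: `dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName,` in the power-profiles-daemon hunk has no `peer=(name=org.freedesktop.DBus)` as the equivalent rtkit-daemon rule does; add it for consistency. In the second hunk `@{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,` is appended after the cpufreq lines although it sorts before them, and the file still ends with `\ No newline at end of file`; since the tail of the file is being edited, add the newline as the pkttyagent hunk does.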
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{,usr/}bin/pstree +profile pstree @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability sys_ptrace, + + ptrace (read), + + @{exec_path} mr, + + @{PROC} r, + @{PROC}/uptime r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/cmdline r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index e2f983bf..b6af6191 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/pulseeffects profile pulseeffects @{exec_path} { include + include include include include @@ -33,10 +34,6 @@ profile pulseeffects @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 34780b69..f6d1e7c5 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -24,7 +24,5 @@ profile pwck @{exec_path} { /etc/shadow.[0-9]* rw, /etc/shadow.lock wl, - @{run}/systemd/userdb/ r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index a96663ec..8c51e9c9 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -6,8 +6,6 @@ abi , include -@{TORRENT_DIR} = @{MOUNTS}/*/torrent - @{exec_path} = /{usr/,}bin/qbittorrent profile qbittorrent @{exec_path} { include 
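Review bot: the new pstree profile has only the SPDX line in its header, while every other new file in this patch (mount-zfs, netstat, nologin) carries a `Copyright (C)` line; add the author. `@{PROC} r,` is missing its trailing slash (write `@{PROC}/ r,`, as needrestart does), and `owner @{PROC}/@{pid}/cmdline r,` restricts cmdline reads to the caller's own processes although the neighbouring `stat` rules use `@{pids}` for all processes; confirm whether `pstree -a` on other users' processes is meant to be denied.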
@@ -134,10 +132,8 @@ profile qbittorrent @{exec_path} { /usr/share/qt5ct/** r, # Torrent files - @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{TORRENT_DIR}/ r, - owner @{TORRENT_DIR}/** rw, + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, # GeoIP settings /usr/share/GeoIP/GeoIP.dat r, @@ -228,9 +224,9 @@ profile qbittorrent @{exec_path} { owner @{run}/user/@{uid}/ r, # file_inherit - owner @{MOUNTS}/*/torrent/** r, - owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw, - owner "@{MOUNTS}/*/torrent/**.!qB" rw, + owner @{MOUNTS}/torrent/** r, + owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw, + owner "@{MOUNTS}/torrent/**.!qB" rw, owner @{HOME}/.xsession-errors w, @@ -265,7 +261,7 @@ profile qbittorrent @{exec_path} { owner /tmp/tmp* rw, # file_inherit - owner @{MOUNTS}/*/torrent/** r, + owner @{MOUNTS}/torrent/** r, deny /dev/dri/card[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index defec22b..38fd8120 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -6,8 +6,6 @@ abi , include -@{TORRENT_DIR} = @{MOUNTS}/*/torrent - @{exec_path} = /{usr/,}bin/qbittorrent-nox profile qbittorrent-nox @{exec_path} { include @@ -38,10 +36,8 @@ profile qbittorrent-nox @{exec_path} { owner @{user_cache_dirs}/qBittorrent/{,**} rw, # Torrent files - @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{TORRENT_DIR}/ r, - owner @{TORRENT_DIR}/** rw, + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, /dev/disk/by-label/ r, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 77c49dd3..9c2550a9 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga 
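Review bot: the `# file_inherit` rules in the qbittorrent hunk (`owner @{MOUNTS}/torrent/** r,`, `owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,`, `owner "@{MOUNTS}/torrent/**.!qB" rw,`) still hard-code a `torrent` directory under @{MOUNTS} while the main rules were switched to `@{user_torrents_dirs}` and `@{TORRENT_DIR}` was removed; express them with `@{user_torrents_dirs}` too, otherwise a user whose torrents directory is configured elsewhere gets the main rules but not the inherited-fd ones. The same applies to the `owner @{MOUNTS}/torrent/** r,` line in the last qbittorrent hunk.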
@@ -10,8 +10,18 @@ include profile qemu-ga @{exec_path} { include + capability mknod, + capability net_admin, + capability sys_ptrace, + + ptrace peer=unconfined, + @{exec_path} mr, + /{usr/,}bin/systemctl rix, + + /etc/qemu/qemu-ga.conf r, + owner @{run}/qga.state* rw, /dev/vport[0-9]*p[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index e143633a..4bb66130 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -74,11 +74,10 @@ profile qnapi @{exec_path} { # Movie dirs @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/** r, - owner @{MOUNTS}/*/**#[0-9]*[0-9] rw, - owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r, - owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9], + owner @{MOUNTS}/** r, + owner @{MOUNTS}/**#[0-9]*[0-9] rw, + owner @{MOUNTS}/**.@{qnapi_vid_ext} r, + owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9], owner @{HOME}/ r, owner @{user_config_dirs}/qnapi.ini rw, diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index c8a3bcaa..34323ba8 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -34,7 +34,7 @@ profile qtox @{exec_path} { # For importing old profile owner @{HOME}/**.tox r, - owner @{MOUNTS}/*/**.tox r, + owner @{MOUNTS}/**.tox r, owner @{HOME}/ r, owner @{user_cache_dirs}/qTox/ rw, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 376a23a4..c33b3cd1 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -24,9 +24,9 @@ profile resize2fs @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } 
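Review bot: `ptrace peer=unconfined,` in the qemu-ga hunk has no access list, so it grants every ptrace permission (read, trace, readby, tracedby) towards unconfined processes; unless attach is really required, write `ptrace (read) peer=unconfined,`. `/{usr/,}bin/systemctl rix,` runs systemctl inheriting a profile that now holds `capability mknod`, `net_admin` and `sys_ptrace`; other profiles in this patch use `rPx` (needrestart) or `rPx -> child-systemctl` (mount-nfs), and the three new capabilities would benefit from the trailing-comment style used in the rsyslogd hunk.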
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 4fef8e50..2cd837cd 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -1,12 +1,13 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}bin/rngd +@{exec_path} = /{usr/,}{s,}bin/rngd profile rngd @{exec_path} { include include @@ -14,18 +15,20 @@ profile rngd @{exec_path} { @{exec_path} mr, + capability dac_read_search, capability sys_admin, capability sys_nice, - capability dac_read_search, network netlink raw, - /etc/opensc.conf r, /etc/conf.d/rngd r, + /etc/opensc.conf r, /etc/machine-id r, /var/lib/dbus/machine-id r, + @{sys}/devices/virtual/misc/hw_random/rng_available r, + @{PROC}/sys/kernel/random/poolsize r, @{PROC}/sys/kernel/random/write_wakeup_threshold rw, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 479f04d8..10fc5bd9 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -16,19 +16,12 @@ profile rsyslogd @{exec_path} { include include - # Needed to remove the following error: - # rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted. + capability chown, # For creating new log files and changing their owner/group + capability net_admin, # For remote logs + capability setgid, # For downgrading privileges + capability setuid, capability syslog, - - # For remote logs - capability net_admin, - - # for creating new log files and changing their owner/group - capability chown, - - # Needed? - deny capability sys_nice, - + @{exec_path} mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, @@ -41,6 +34,7 @@ profile rsyslogd @{exec_path} { owner @{run}/rsyslogd.pid{,.tmp} rwk, owner @{run}/systemd/journal/syslog w, + @{run}/systemd/notify rw, # log files and devices /var/log/** rw, 
@@ -50,5 +44,11 @@ profile rsyslogd @{exec_path} { /etc/CA/*.crt r, /etc/CA/*.key r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + @{run}/systemd/notify w, + include if exists } diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 4b4c1689..82302316 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,7 @@ include @{exec_path} = @{libexec}/rtkit-daemon profile rtkit-daemon @{exec_path} { include + include include capability dac_read_search, @@ -20,6 +21,25 @@ profile rtkit-daemon @{exec_path} { capability sys_nice, capability sys_ptrace, + dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit[0-9], + + dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member={Get,GetAll}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus bind bus=system + name=org.freedesktop.RealtimeKit[0-9], + @{exec_path} mr, # When applying policies to processes diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index ee622d5a..be940b18 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts 
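Review bot: `@{run}/systemd/notify w,` in the second rsyslogd hunk duplicates `@{run}/systemd/notify rw,` added in the first hunk; keep a single rule and drop the other. `@{PROC}/1/environ r,` is a privileged read of PID 1's environment; add a comment stating which rsyslog feature needs it, since the rest of the file documents every capability with a reason.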
@@ -14,58 +14,136 @@ profile run-parts @{exec_path} { @{exec_path} mr, - # This is for motd PAM module (see: /etc/pam.d/login) when "noupdate" isn't specified + /usr/share/update-notifier/notify-reboot-required rPx, + + # Crontrab + /etc/cron.{hourly,daily,weekly,monthly}/ r, + /etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apport rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx, + /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, + /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, + /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, + /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, + /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx, + /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx, + /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/man-db rPx, + /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, + /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, + /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx, + + # Network + /etc/network/if-down.d/ r, + /etc/network/if-down.d/openvpn rPUx, + /etc/network/if-down.d/resolvconf rPUx, + /etc/network/if-down.d/wpasupplicant rPUx, + + /etc/hostapd/ifupdown.sh rPUx, + 
/etc/macchanger/ifupdown.sh rPUx, + /etc/wpa_supplicant/ifupdown.sh rPUx, + + /etc/network/if-post-down.d/ r, + /etc/network/if-post-down.d/bridge rPUx, + /etc/network/if-post-down.d/chrony rPUx, + /etc/network/if-post-down.d/hostapd rPUx, + /etc/network/if-post-down.d/ifenslave rPUx, + /etc/network/if-post-down.d/macchanger rPUx, + /etc/network/if-post-down.d/wireless-tools rPUx, + /etc/network/if-post-down.d/wpasupplicant rPUx, + + /etc/network/if-pre-up.d/ r, + /etc/network/if-pre-up.d/bridge rPUx, + /etc/network/if-pre-up.d/ethtool rPUx, + /etc/network/if-pre-up.d/hostapd rPUx, + /etc/network/if-pre-up.d/ifenslave rPUx, + /etc/network/if-pre-up.d/macchanger rPUx, + /etc/network/if-pre-up.d/random-secret rPUx, + /etc/network/if-pre-up.d/wireless-tools rPUx, + /etc/network/if-pre-up.d/wpasupplicant rPUx, + + /etc/network/if-up.d/ r, + /etc/network/if-up.d/*resolvconf rPUx, + /etc/network/if-up.d/avahi-autoipd rPUx, + /etc/network/if-up.d/chrony rPUx, + /etc/network/if-up.d/ethtool rPUx, + /etc/network/if-up.d/ifenslave rPUx, + /etc/network/if-up.d/openvpn rPUx, + /etc/network/if-up.d/postfix rPUx, + /etc/network/if-up.d/ubuntu-fan rPx, + /etc/network/if-up.d/wpasupplicant rPUx, + + # Motd /etc/update-motd.d/ r, /etc/update-motd.d/[0-9]*-[a-z]* rCx -> motd, - # The "/etc/kernel/" dirs are for the pre/post scripts of the linux-{header,image} packages + # Kernel /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel-pre-post, + /etc/kernel/header_postinst.d/dkms rCx -> kernel, /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel-pre-post, - /etc/kernel/postinst.d/dkms rCx -> kernel-pre-post, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel-pre-post, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel-pre-post, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel-pre-post, + /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, + /etc/kernel/postinst.d/dkms rCx -> kernel, + 
/etc/kernel/postinst.d/initramfs-tools rCx -> kernel, + /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, + /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, + /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel-pre-post, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel-pre-post, + /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, + /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel-pre-post, + /etc/kernel/preinst.d/intel-microcode rCx -> kernel, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel-pre-post, - - /etc/molly-guard/run.d/ r, - /etc/cron.hourly/ r, + /etc/kernel/prerm.d/dkms rCx -> kernel, owner /tmp/#[0-9]*[0-9] rw, - + owner /tmp/file* rw, profile motd { include - / r, - /etc/update-motd.d/[0-9]*-[a-z]* r, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/find rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/id rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, + /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd rPx, + /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx, + /{usr/,}lib/update-notifier/update-motd-reboot-required rix, /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + / r, + /etc/lsb-release r, + /etc/update-motd.d/[0-9]*-[a-z]* r, + + /var/lib/update-notifier/updates-available r, + } - profile kernel-pre-post { + profile kernel { include include - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + capability sys_module, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, 
@@ -85,17 +163,20 @@ profile run-parts @{exec_path} { /{usr/,}bin/uname rix, /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}{s,}bin/dkms rPx, + /{usr/,}{s,}bin/update-grub rPUx, + /{usr/,}{s,}bin/update-initramfs rPx, /{usr/,}bin/apt-config rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/systemd-detect-virt rPx, /{usr/,}lib/dkms/dkms_autoinstaller rPx, - /{usr/,}sbin/dkms rPx, - /{usr/,}sbin/update-grub rPUx, - /{usr/,}sbin/update-initramfs rPx, /{usr/,}lib/modules/*/updates/ w, /{usr/,}lib/modules/*/updates/dkms/ w, + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + # For shell pwd / r, /boot/ r, @@ -105,7 +186,8 @@ profile run-parts @{exec_path} { /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, - @{run}/reboot-required.pkgs w, + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, @{PROC}/devices r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index fbd72393..81d787ed 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -19,8 +19,8 @@ profile s3fs @{exec_path} { network inet6 stream, network netlink raw, + mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/, @{exec_path} mr, @@ -31,8 +31,8 @@ profile s3fs @{exec_path} { owner @{HOME}/.passwd-s3fs r, + owner @{MOUNTS}/ r, owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/*/ r, owner /tmp/* rw, /dev/fuse rw, @@ -50,14 +50,14 @@ profile s3fs @{exec_path} { /etc/fuse.conf r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, + mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, owner /tmp/s3fstmp.* rw, diff --git a/apparmor.d/profiles-s-z/sddm b/apparmor.d/profiles-s-z/sddm index 0968089d..6a600567 100644 --- a/apparmor.d/profiles-s-z/sddm +++ b/apparmor.d/profiles-s-z/sddm 
@@ -157,7 +157,7 @@ profile sddm @{exec_path} { # Run SDDM on a specific TTY /dev/tty[0-9]* rw, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/*.ref rw, profile sddm-scripts { diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 2ee51148..528944ec 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -27,6 +27,7 @@ profile sensors @{exec_path} { @{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r, @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/pci[0-9]*/**/name r, + @{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r, @{sys}/devices/virtual/hwmon/hwmon[0-9]* r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r, diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 60224b6c..75622a31 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -24,9 +24,9 @@ profile sfdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index f9241e8b..d844317f 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk 
@@ -24,13 +24,13 @@ profile sgdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index a99796c9..ac1aeb0d 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,6 +18,7 @@ profile smartd @{exec_path} { # Unable to register SCSI device /dev/disk/by-id/ata-* at line * of file /etc/smartd.conf # Device: /dev/disk/by-id/ata-*, not available capability sys_rawio, + capability sys_admin, # Needed? deny capability net_admin, @@ -39,5 +41,7 @@ profile smartd @{exec_path} { /dev/ r, @{PROC}/devices r, + /run/systemd/notify rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap new file mode 100644 index 00000000..38567f5c --- /dev/null +++ b/apparmor.d/profiles-s-z/snap 
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap +profile snap @{exec_path} { + include + include + include + include + + @{exec_path} mrix, + + /snap/{,**} rw, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-confine rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snapd r, + + /etc/fstab r, + + /var/lib/snapd/{,**} rwk,# + + owner @{HOME}/snap/{,**} rw, + + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + + @{run}/snapd.socket rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/features/ r, + + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/cgroups r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/version r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper similarity index 100% rename from apparmor.d/groups/ubuntu/snap-device-helper rename to apparmor.d/profiles-s-z/snap-device-helper diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns new file mode 100644 index 00000000..31d36f25 --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-discard-ns 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns +profile snap-discard-ns @{exec_path} { + include + + capability setgid, + + @{exec_path} mr, + + / r, + @{run}/ r, + @{run}/snapd/ r, + @{run}/snapd/lock/ r, + @{run}/snapd/lock/*.lock rwk, + @{run}/snapd/ns/ r, + @{run}/snapd/ns/* rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure new file mode 100644 index 00000000..4f6a5a97 --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-failure @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-failure +profile snap-failure @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp new file mode 100644 index 00000000..767c76a4 --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp +profile snap-seccomp @{exec_path} { + include + include + include + + network netlink raw, + + @{exec_path} mr, + + /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp r, + + /var/lib/snapd/seccomp/bpf/{,**} rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + owner @{PROC}/@{pids}/mountinfo r, + + include if exists +} \ No newline at end of file 
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns new file mode 100644 index 00000000..3e4fd84f --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns +profile snap-update-ns @{exec_path} { + include + + capability sys_admin, + capability sys_chroot, + + @{exec_path} mr, + + /var/lib/snapd/mount/{,*} r, + + @{run}/snapd/lock/*.lock rwk, + @{run}/snapd/ns/{,**} rw, + + @{sys}/fs/cgroup/{,**/} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/version r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd new file mode 100644 index 00000000..b7a491c9 --- /dev/null +++ b/apparmor.d/profiles-s-z/snapd 
@@ -0,0 +1,140 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd +profile snapd @{exec_path} { + include + include + include + include + include + include + include + include + + capability audit_write, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/, + umount /tmp/syscheck-mountpoint-[0-9]*/, + umount /snap/*/[0-9]*/, + + ptrace (read) peer=unconfined, + + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), + + @{exec_path} mr, + + /{usr/,}{s,}bin/apparmor_parser rPx, + /{usr/,}{s,}bin/runuser rCx -> runuser, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/mount rix, + /{usr/,}bin/sync rix, + /{usr/,}bin/systemctl rix, + /{usr/,}bin/systemd-detect-virt rPx, + /{usr/,}bin/tar rix, + /{usr/,}bin/udevadm rPx, + /{usr/,}bin/umount rix, + /{usr/,}bin/unsquashfs rix, + /{usr/,}bin/update-desktop-database rPx, + + /snap/snapd/[0-9]*/lib/@{multiarch}/** mr, + /snap/snapd/[0-9]*/lib/@{multiarch}/ld-*.so rix, + /snap/snapd/[0-9]*/usr/bin/snap rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-discard-ns rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix, + 
/snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ? + + /usr/share/dbus-1/{system,session}.d/{,snapd*} r, + /usr/share/dbus-1/services/*snap* r, + /usr/share/polkit-1/actions/{,**/} r, + + /etc/dbus-1/system.d/{,**/} r, + /etc/fstab r, + /etc/modprobe.d/{,**/} r, + /etc/modules-load.d/{,**/} r, + /etc/systemd/system/{,**/} r, + /etc/systemd/system/snap* rw, + /etc/systemd/user/{,**/} r, + /etc/systemd/user/snap* rw, + /etc/udev/rules.d/{,*snap*} rw, + + /snap/{,**} rw, + /var/cache/snapd/{,**} rwk, + /var/lib/snapd/{,**} rwk, + /var/snap/{,**} rw, + + /var/cache/apparmor/{,*/} r, + /var/cache/apparmor/*/snap* rw, + + /tmp/ r, + /tmp/syscheck-mountpoint-[0-9]*/{,**} rw, + /tmp/syscheck-squashfs-[0-9]* rw, + /tmp/read-file[0-9]*/{,**} rw, + + owner @{HOME}/ r, + owner @{HOME}/snap/{,**} rw, + + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rw, + owner @{run}/mount/utab.lock wk, + + owner @{run}/user/{,@{uid}/} r, + owner @{run}/user/snap.*/{,**} rw, + + @{run}/snapd-snap.socket rw, + @{run}/snapd.socket rw, + @{run}/snapd/lock/core[0-9]*.lock rwk, + @{run}/systemd/notify rw, + @{run}/systemd/private rw, + + @{sys}/fs/cgroup/{,*/} r, + @{sys}/fs/cgroup/system.slice/{,**/} r, + @{sys}/fs/cgroup/user.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/**/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/features/ r, + @{sys}/kernel/security/apparmor/profiles r, + + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/stat r, + @{PROC}/cgroups r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/version r, + + /dev/loop-control rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 5ff0cce5..b45d6d25 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker 
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -9,6 +9,7 @@ include @{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} profile spectre-meltdown-checker @{exec_path} { include + include # Needed to read the /dev/cpu/[0-9]*/msr device capability sys_rawio, @@ -56,11 +57,14 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/{,@{multiarch}-}strings rix, /{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}{s,}bin/iucode_tool rix, + /{usr/,}{s,}bin/rdmsr rix, /{usr/,}bin/dmesg rix, - /{usr/,}bin/mount rix, + /{usr/,}{s,}bin/mount rix, /{usr/,}bin/find rix, /{usr/,}bin/xargs rix, /{usr/,}bin/readlink rix, + /{usr/,}bin/nproc rix, + /{usr/,}bin/date rix, /{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/ccache rCx -> ccache, @@ -71,13 +75,12 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/sqlite3 rCx -> mcedb, owner /tmp/mcedb-* rw, owner /tmp/smc-* rw, - owner /tmp/intelfw-*/ rw, - owner /tmp/intelfw-*/fw.zip rw, - owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw, - owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw, + owner /tmp/{,smc-}intelfw-*/ rw, + owner /tmp/{,smc-}intelfw-*/fw.zip rw, + owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, + owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, owner @{HOME}/.mcedb rw, - owner @{exec_path} w, /tmp/ r, owner /tmp/{config,kernel}-* rw, @@ -99,8 +102,8 @@ profile spectre-meltdown-checker @{exec_path} { @{PROC}/modules r, # find and denoise - @{PROC}/@{pid}/{status,exe} r, - @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/{status,exe} r, + @{PROC}/@{pids}/fd/ r, @{PROC}/*/ r, /var/lib/dbus/machine-id r, @@ -110,7 +113,6 @@ profile spectre-meltdown-checker @{exec_path} { /root/ r, /etc/ r, - profile ccache { include 
@@ -124,10 +126,12 @@ profile spectre-meltdown-checker @{exec_path} { /etc/debian_version r, + include if exists } profile pgrep { include + include /{usr/,}bin/pgrep mr, @@ -137,6 +141,7 @@ profile spectre-meltdown-checker @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, + include if exists } profile mcedb { @@ -146,22 +151,33 @@ profile spectre-meltdown-checker @{exec_path} { include include + deny capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + /{usr/,}bin/wget mr, /{usr/,}bin/sqlite3 mr, /etc/wgetrc r, owner @{HOME}/.wget-hsts rwk, + owner @{HOME}/.mcedb rw, /tmp/ r, - owner /tmp/mcedb-* rwk, - owner /tmp/intelfw-*/fw.zip rw, + owner /tmp/{,smc-}mcedb-* rwk, + owner /tmp/{,smc-}intelfw-*/fw.zip rw, /usr/share/publicsuffix/public_suffix_list.* r, + include if exists } profile kmod { include + include capability sys_module, @@ -175,6 +191,7 @@ profile spectre-meltdown-checker @{exec_path} { @{PROC}/cmdline r, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 99757736..17d71d8b 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -10,17 +10,18 @@ include profile spice-vdagent @{exec_path} { include include + include + include include + include @{exec_path} mr, - /etc/machine-id r, /etc/pipewire/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, - owner @{run}/spice-vdagentd/spice-vdagent-sock rw, + @{run}/spice-vdagentd/spice-vdagent-sock rw, @{sys}/devices/pci[0-9]*/**/{device,vendor} r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 0af212c2..899c68c7 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd 
@@ -6,17 +6,26 @@ abi , include -@{exec_path} = /{usr/,}bin/spice-vdagentd -profile spice-vdagentd @{exec_path} { +@{exec_path} = /{usr/,}{s,}bin/spice-vdagentd +profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, + dbus receive + bus=system + path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.login[0-9].Session + member=Unlock, + @{exec_path} mr, + owner @{run}/spice-vdagentd/spice-vdagent-sock r, owner @{run}/spice-vdagentd/spice-vdagentd.pid rw, + @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{PROC}/@{pids}/cgroup r, @@ -25,4 +34,4 @@ profile spice-vdagentd @{exec_path} { /dev/vport[0-9]*p[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index ee4c8dea..27b390de 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -8,6 +8,7 @@ include @{exec_path} = /{,usr/}bin/ss profile ss @{exec_path} { include + include include capability net_admin, @@ -18,7 +19,7 @@ profile ss @{exec_path} { network netlink raw, - @{exec_path} r, + @{exec_path} mr, /etc/iproute2/{,**} r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 78d88b51..9d04457b 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -6,8 +6,6 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/*/mp3/ - @{exec_path} = /{usr/,}bin/strawberry profile strawberry @{exec_path} { include @@ -46,11 +44,8 @@ profile strawberry @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, # Media library - / r, - @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MEDIA_LIB}/ r, - owner @{MEDIA_LIB}/** rw, + owner @{user_music_dirs}/ r, + owner @{user_music_dirs}/** rw, # Playlists owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw, 
diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 7e462e94..6b88c2bd 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -6,8 +6,6 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/*/mp3/ - @{exec_path} = /{usr/,}bin/strawberry-tagreader profile strawberry-tagreader @{exec_path} { include @@ -21,8 +19,8 @@ profile strawberry-tagreader @{exec_path} { @{exec_path} mr, # Media library - owner @{MEDIA_LIB}/ r, - owner @{MEDIA_LIB}/** rw, + owner @{user_music_dirs}/ r, + owner @{user_music_dirs}/** rw, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 19d1ec1c..114f2f13 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -9,76 +10,57 @@ include @{exec_path} = /{usr/,}bin/su profile su @{exec_path} { include + include include include + include include include # include capability audit_write, + capability chown, # pseudo-terminal + capability dac_read_search, capability setgid, capability setuid, - capability dac_read_search, capability sys_resource, + # No clear purpose, deny until needed - deny capability net_admin, - #audit deny capability net_bind_service, + audit deny capability net_admin, + audit deny capability net_bind_service, signal (send) set=(term,kill), signal (receive) set=(int,quit,term), signal (receive) set=(cont,hup) peer=sudo, - # unknown, needs to be cleared up; TODO + unix (bind) type=dgram, + network netlink raw, + dbus (send) bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CreateSession,ReleaseSession}, + @{exec_path} mr, - # Shells to use - /{usr/,}bin/{,b,d,rb}ash rpux, - /{usr/,}bin/{c,k,tc,z}sh rpux, - - # Fake shells to politely refuse a login - #/{usr/,}{s,}bin/nologin rpux, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + /{usr/,}{s,}bin/nologin rPx, /etc/default/locale r, /etc/environment r, /etc/security/limits.d/ r, /etc/shells r, - @{PROC}/1/limits r, owner @{PROC}/@{pids}/loginuid r, owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, - - # For pam_securetty - @{PROC}/cmdline r, + @{PROC}/1/limits r, + @{PROC}/cmdline r, + @{sys}/devices/virtual/tty/console/active r, - # pseudo-terminal - capability chown, - /dev/{,pts/}ptmx rw, - - @{run}/dbus/system_bus_socket rw, - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.Machine rw, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, - - dbus (send) - bus=system - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=org.freedesktop.DBus), - - dbus (send) - bus=system - path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - 
member={CreateSession,ReleaseSession}, - - unix (bind) type=dgram, - /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index c5a7aed5..8c090bdb 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only @@ -7,13 +7,13 @@ abi , include -@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin - @{exec_path} = /{usr/,}bin/sudo profile sudo @{exec_path} { include + include include include + include include include # include 
@@ -29,60 +29,60 @@ profile sudo @{exec_path} { capability sys_ptrace, capability sys_resource, + network inet dgram, + network inet6 dgram, network netlink raw, # PAM - # DNS query? -# network inet dgram, -# network inet6 dgram, ptrace (read), - signal, + + signal (send) peer=unconfined, signal (send) set=(cont,hup) peer=su, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=CreateSession + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mr, - @{libexec}/sudo/** mr, - # Shells to use - /{usr/,}bin/{,b,d,rb}ash rpux, - /{usr/,}bin/{c,k,tc,z}sh rpux, + /run/ r, - @{PATH}/[a-z0-9]* rPUx, - /{usr/,}lib/cockpit/cockpit-askpass rPUx, - /{usr/,}lib/molly-guard/molly-guard rPx, + @{libexec}/sudo/** mr, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + /{usr/,}lib/cockpit/cockpit-askpass rPx, + /{usr/,}lib/molly-guard/molly-guard rPx, + /etc/default/locale r, /etc/environment r, /etc/machine-id r, /etc/security/limits.d/{,*} r, /etc/sudo.conf r, /etc/sudoers r, /etc/sudoers.d/{,*} r, - /etc/default/locale r, - /var/log/sudo.log wk, + /var/log/sudo.log wk, + owner /var/lib/sudo/lectured/* rw, + + owner @{HOME}/.sudo_as_admin_successful rw, + owner @{HOME}/.xsession-errors w, # For timestampdir owner @{run}/sudo/ rw, owner @{run}/sudo/ts/ rw, owner @{run}/sudo/ts/* rwk, @{run}/faillock/{,*} rwk, + @{run}/resolvconf/resolv.conf r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/1/limits r, + @{PROC}/sys/kernel/seccomp/actions_avail r, - # File Inherit owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, - - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{run}/resolvconf/resolv.conf r, - - /dev/ r, # interactive login - /dev/ptmx rw, + /dev/ r, # interactive login + /dev/ptmx rw, deny @{user_share_dirs}/gvfs-metadata/* r, 
diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin index 05319928..dccd51f0 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/profiles-s-z/sulogin @@ -15,6 +15,8 @@ profile sulogin @{exec_path} { @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rux, + /etc/shadow r, /dev/ r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 6830ff9b..bb1cfc9e 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -7,21 +7,37 @@ abi , include @{exec_path} = @{libexec}/switcheroo-control -profile switcheroo-control @{exec_path} { +profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, network netlink raw, + dbus receive bus=system path=/net/hadess/SwitcherooControl + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus bind bus=system + name=net.hadess.SwitcherooControl, + @{exec_path} mr, @{run}/udev/data/+drm:* r, + @{run}/udev/data/+pci:* r, + + @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, - @{sys}/devices/pci[0-9]*/**/drm/**/uevent r, + @{sys}/devices/pci[0-9]*/**/boot_vga r, + @{sys}/devices/pci[0-9]*/**/uevent r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl new file mode 100644 index 00000000..75660e85 --- /dev/null +++ b/apparmor.d/profiles-s-z/swtpm_ioctl 
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/swtpm_ioctl +profile swtpm_ioctl @{exec_path} { + include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 55251fee..04bfaab9 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -10,7 +10,6 @@ include profile sysctl @{exec_path} { include - capability mac_admin, capability net_admin, capability sys_admin, capability sys_resource, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 1d798642..b9c388c4 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -11,7 +11,9 @@ include @{exec_path} += /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} flags=(complain) { include - include + include + include + include include include include @@ -22,6 +24,19 @@ profile system-config-printer @{exec_path} flags=(complain) { network inet stream, network inet6 stream, + network netlink raw, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, @{exec_path} mrix, 
@@ -33,17 +48,22 @@ profile system-config-printer @{exec_path} flags=(complain) { /usr/share/cups/data/testprint r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/system-config-printer/{,**} r, + /usr/share/X11/xkb/{,**} r, /etc/cups/cupsd.conf r, /etc/cupshelpers/preferreddrivers.xml r, /etc/fstab r, /etc/papersize r, + /var/lib/snapd/desktop/icons/ r, + owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-* rw, + @{run}/cups/cups.sock rw, + owner /tmp/* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/system_tor b/apparmor.d/profiles-s-z/system_tor deleted file mode 100644 index dfea51de..00000000 --- a/apparmor.d/profiles-s-z/system_tor +++ /dev/null @@ -1,25 +0,0 @@ -# vim:syntax=apparmor -include - -profile system_tor flags=(attach_disconnected) { - include - include - - owner /var/lib/tor/** rwk, - owner /var/lib/tor/ r, - owner /var/log/tor/* w, - - # During startup, tor (as root) tries to open various things such as - # directories via check_private_dir(). Let it. - /var/lib/tor/** r, - - /{,var/}run/tor/ r, - /{,var/}run/tor/control w, - /{,var/}run/tor/socks w, - /{,var/}run/tor/tor.pid w, - /{,var/}run/tor/control.authcookie w, - /{,var/}run/tor/control.authcookie.tmp rw, - /{,var/}run/systemd/notify w, - - include if exists -} diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index a4ed8017..5bf27dac 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2015-2020 Mikhail Morfikov +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -9,9 +10,14 @@ include @{exec_path} = /{usr/,}sbin/thermald profile thermald @{exec_path} { include + include capability sys_boot, + dbus (bind) + bus=system + name=org.freedesktop.thermald, + @{exec_path} mr, owner @{run}/thermald/ rw, @@ -50,11 +56,11 @@ profile thermald @{exec_path} { @{sys}/devices/virtual/powercap/intel-rapl/ r, @{sys}/devices/virtual/powercap/intel-rapl/**/name r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r, include if exists } diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index d31f30dd..0b403aed 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -11,6 +11,7 @@ include @{exec_path} = /{usr/,}bin/top profile top @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index c2d4834c..37637812 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt @@ -6,8 +6,6 @@ abi , include -@{TORRENT_DIR} = /media/*/torrent - @{exec_path} = /{usr/,}bin/transmission-qt profile transmission-qt @{exec_path} { include @@ -36,10 +34,8 @@ profile transmission-qt @{exec_path} { @{exec_path} mr, # Torrent files - /media/ r, - owner /media/*/ r, - owner @{TORRENT_DIR}/ r, - owner @{TORRENT_DIR}/** rw, + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, owner @{HOME}/.config/transmission/ rw, owner @{HOME}/.config/transmission/** rwk, 
diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 50f7f5de..120be844 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -29,9 +29,9 @@ profile tune2fs @{exec_path} { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} rw, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 5a557c78..26ce8ce2 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -14,25 +15,26 @@ profile ucf @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/seq rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/mkdir rix, + /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, - /{usr/,}bin/id rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tr rix, + /{usr/,}bin/cp rix, /{usr/,}bin/dirname rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mawk rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/seq rix, /{usr/,}bin/stat rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/which{,.debianutils} rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 593d9923..009a5c1f 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/udiskie profile udiskie @{exec_path} { include + include include include include @@ -37,10 +38,6 @@ profile udiskie @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Allowed apps to open /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b881f383..552227bc 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
@@ -11,8 +11,10 @@ include @{exec_path} += @{libexec}/udisks2/udisksd profile udisksd @{exec_path} flags=(attach_disconnected) { include + include include include + include capability chown, capability dac_override, @@ -25,6 +27,32 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.{DBus*,UDisks2*}, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={ReleaseName,GetConnectionUnixUser,RequestName}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus bind bus=system + name=org.freedesktop.UDisks2, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
@@ -44,26 +72,26 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/systemd-escape rPx, # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow mounting of cdrom mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, # Allow mounting od sd cards - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow unmounting + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, umount /media/cdrom[0-9]/, # Be able to create/delete dirs for removable media + @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, - @{MOUNTS}/*/*/ rw, /media/cdrom[0-9]/ rw, # Udisks2 config files 
diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index 109a4eb4..b30fb5eb 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -7,10 +7,11 @@ abi , include -@{exec_path} = /{usr/,}bin/umount +@{exec_path} = /{usr/,}{s,}bin/umount profile umount @{exec_path} flags=(complain) { include include + include include capability chown, @@ -26,8 +27,8 @@ profile umount @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}sbin/umount.* rPx, - /{usr/,}sbin/mount.* rPx, + /{usr/,}{s,}bin/umount.* rPx, + /{usr/,}{s,}bin/mount.* rPx, # Mount points @{HOME}/ r, @@ -44,8 +45,6 @@ profile umount @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mountinfo r, - @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r, - owner @{run}/mount/ rw, owner @{run}/mount/utab.lock wk, @{run}/mount/utab{,.*} rw, diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 89575a53..3647063b 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -8,33 +9,34 @@ include @{exec_path} = /usr/share/command-not-found/cnf-update-db @{exec_path} += /{usr/,}{s,}bin/update-command-not-found +@{exec_path} += /{usr/,}lib/cnf-update-db profile update-command-not-found @{exec_path} { include include + include include - #capability sys_tty_config, - @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + /{usr/,}lib/ r, - /{usr/,}lib/apt/apt-helper rix, - - /{usr/,}bin/dpkg rPx -> child-dpkg, - - /var/lib/command-not-found/ r, - /var/lib/command-not-found/commands.db* rwk, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}lib/apt/apt-helper rix, + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, /usr/share/command-not-found/{,**} r, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, + /var/lib/command-not-found/ r, + /var/lib/command-not-found/commands.db* rwk, /var/lib/apt/lists/ r, /var/lib/apt/lists/*_Contents-* r, + /var/lib/apt/lists/*_Commands-* r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime index 2ce034b7..32e1915a 100644 --- a/apparmor.d/profiles-s-z/uptime +++ b/apparmor.d/profiles-s-z/uptime @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/uptime profile uptime @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices index 7b12a972..271ebfb9 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -9,8 +9,12 @@ include @{exec_path} = /{usr/,}bin/usb-devices profile usb-devices @{exec_path} { include + include include + capability dac_read_search, + deny capability dac_override, + @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/usr.sbin.cupsd b/apparmor.d/profiles-s-z/usr.sbin.cupsd deleted file mode 100644 index 975e8146..00000000 --- a/apparmor.d/profiles-s-z/usr.sbin.cupsd +++ /dev/null 
@@ -1,222 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2007 Martin Pitt -# SPDX-License-Identifier: GPL-2.0-only - -#include - -/usr/sbin/cupsd flags=(attach_disconnected) { - #include - #include - #include - #include - #include - #include - #include - #include - - capability chown, - capability fowner, - capability fsetid, - capability kill, - capability net_bind_service, - capability setgid, - capability setuid, - capability audit_write, - capability wake_alarm, - deny capability block_suspend, - - # noisy - deny signal (send) set=("term") peer=unconfined, - - # nasty, but we limit file access pretty tightly, and cups chowns a - # lot of files to 'lp' which it cannot read/write afterwards any - # more - capability dac_override, - capability dac_read_search, - - # the bluetooth backend needs this - network bluetooth, - - # the dnssd backend uses those - network x25 seqpacket, - network ax25 dgram, - network netrom seqpacket, - network rose dgram, - network ipx dgram, - network appletalk dgram, - network econet dgram, - network ash dgram, - - # CUPS is of systemd service type "notify" now, meaning that cupsd notifies - # systemd when it is up and running, give CUPS access to systemd's - # notification socket - @{run}/systemd/notify w, - - /{usr/,}bin/bash ixr, - /{usr/,}bin/dash ixr, - /{usr/,}bin/hostname ixr, - /dev/lp* rw, - deny /dev/tty rw, # silence noise - /dev/ttyS* rw, - /dev/ttyUSB* rw, - /dev/usb/lp* rw, - /dev/bus/usb/ r, - /dev/bus/usb/** rw, - /dev/parport* rw, - /etc/cups/ rw, - /etc/cups/** rw, - /etc/cups/interfaces/* ixrw, - /etc/foomatic/* r, - /etc/gai.conf r, - /etc/papersize r, - /etc/pnm2ppa.conf r, - /etc/printcap rwl, - /etc/ssl/** r, - /etc/letsencrypt/archive/** r, - @{PROC}/net/ r, - @{PROC}/net/* r, - @{PROC}/sys/dev/parport/** r, - @{PROC}/*/net/ r, - @{PROC}/*/net/** r, - @{PROC}/*/auxv r, - @{PROC}/sys/crypto/** r, - /sys/** r, - /usr/bin/* ixr, - /usr/sbin/* ixr, - /{usr/,}bin/* ixr, - /{usr/,}{s,}bin/* 
ixr, - /usr/lib/** rm, - - # backends which come with CUPS can be confined - /usr/lib/cups/backend/bluetooth ixr, - /usr/lib/cups/backend/dnssd ixr, - /usr/lib/cups/backend/http ixr, - /usr/lib/cups/backend/ipp ixr, - /usr/lib/cups/backend/lpd ixr, - /usr/lib/cups/backend/mdns ixr, - /usr/lib/cups/backend/parallel ixr, - /usr/lib/cups/backend/serial ixr, - /usr/lib/cups/backend/snmp ixr, - /usr/lib/cups/backend/socket ixr, - /usr/lib/cups/backend/usb ixr, - - # we treat cups-pdf specially, since it needs to write into /home - # and thus needs extra paranoia - /usr/lib/cups/backend/cups-pdf Px, - - # allow communicating with cups-pdf via Unix sockets - unix peer=(label=/usr/lib/cups/backend/cups-pdf), - - # third party backends get no restrictions as they often need high - # privileges and this is beyond our control - /usr/lib/cups/backend/* Cx -> third_party, - - /usr/lib/cups/cgi-bin/* ixr, - /usr/lib/cups/daemon/* ixr, - /usr/lib/cups/monitor/* ixr, - /usr/lib/cups/notifier/* ixr, - # filters and drivers (PPD generators) are always run as non-root, - # and there are a lot of third-party drivers which we cannot predict - /usr/lib/cups/filter/** Cxr -> third_party, - /usr/lib/cups/driver/* Cxr -> third_party, - /usr/local/** rm, - /usr/local/lib/cups/** rix, - /usr/share/** r, - /{,var/}run/** rm, - /{,var/}run/avahi-daemon/socket rw, - deny /{,var/}run/samba/ rw, - /{,var/}run/samba/** rw, - /var/cache/samba/*.tdb r, - /var/{cache,lib}/samba/printing/printers.tdb r, - /{,var/}run/cups/ rw, - /{,var/}run/cups/** rw, - /var/cache/cups/ rw, - /var/cache/cups/** rwk, - /var/log/cups/ rw, - /var/log/cups/* rw, - /var/spool/cups/ rw, - /var/spool/cups/** rw, - - # third-party printer drivers; no known structure here - /opt/** rix, - - # FIXME: no policy ATM for hplip and Brother drivers - /usr/bin/hpijs Cx -> third_party, - /usr/Brother/** Cx -> third_party, - - # Kerberos authentication - /etc/krb5.conf r, - deny /etc/krb5.conf w, - /etc/krb5.keytab rk, - 
/etc/cups/krb5.keytab rwk, - /tmp/krb5cc* k, - - # likewise authentication - /etc/likewise r, - /etc/likewise/* r, - - # silence noise - deny /etc/udev/udev.conf r, - - signal peer=/usr/sbin/cupsd//third_party, - unix peer=(label=/usr/sbin/cupsd//third_party), - profile third_party flags=(attach_disconnected) { - # third party backends, filters, and drivers get relatively no restrictions - # as they often need high privileges, are unpredictable or otherwise beyond - # our control - file, - capability, - audit deny capability mac_admin, - network, - dbus, - signal, - ptrace, - unix, - } - - include if exists -} - -# separate profile since this needs to write into /home -/usr/lib/cups/backend/cups-pdf { - #include - #include - #include - #include - - capability chown, - capability fowner, - capability fsetid, - capability setgid, - capability setuid, - - # unfortunate, but required for when $HOME is 700 - capability dac_override, - capability dac_read_search, - - # allow communicating with cupsd via Unix sockets - unix peer=(label=/usr/sbin/cupsd), - - @{PROC}/*/auxv r, - - /{usr/,}bin/dash ixr, - /{usr/,}bin/bash ixr, - /{usr/,}bin/cp ixr, - /etc/papersize r, - /etc/cups/cups-pdf.conf r, - /etc/cups/ppd/*.ppd r, - /usr/bin/gs ixr, - /usr/lib/cups/backend/cups-pdf mr, - /usr/lib/ghostscript/** mr, - /usr/share/** r, - /var/log/cups/cups-pdf*_log w, - /var/spool/cups/** r, - /var/spool/cups-pdf/** rw, - - # allow read and write on almost anything in @{HOME} (lenient, but - # private-files-strict is in effect), to support customized "Out" - # setting in cups-pdf.conf (Debian#940578) - #include - @{HOME}/[^.]*/{,**/} rw, - @{HOME}/[^.]*/** rw, -} diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index a758d8d0..6b7244bd 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/utox profile utox @{exec_path} { include + include include include include 
@@ -39,11 +40,6 @@ profile utox @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 7bc9bd7b..377581d2 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -34,6 +34,7 @@ include @{exec_path} = /{usr/,}bin/vidcutter profile vidcutter @{exec_path} { include + include include include include @@ -91,10 +92,6 @@ profile vidcutter @{exec_path} { owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d197e1a3..10475656 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,7 +12,7 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -73,11 +73,10 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # For disk images @{MOUNTS}/ r, - @{MOUNTS}/*/ r, @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, # System VM images /var/lib/libvirt/images/{,**} rw, 
@@ -85,11 +84,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # User VM images owner @{user_share_dirs}/ r, owner @{user_share_dirs}/libvirt/{,**} rw, - owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, - owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw, + owner @{user_vm_dirs}/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/mount/utab r, @{run}/udev/data/c51[0-9]:[0-9]* r, diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index 230c7d65..9c12e5cf 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/w profile w @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 75eec8ad..59b0cab4 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -45,6 +45,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/pci[0-9]*/**/modalias r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r, /dev/snd/ r, /dev/video[0-9]* rw, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index ab75f5d5..93e75bf2 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -25,6 +25,17 @@ profile wpa-supplicant @{exec_path} { network packet raw, network packet dgram, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus receive bus=system path=/fi/w[0-9]/wpa_supplicant[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus bind bus=system + name=fi.w1.wpa_supplicant[0-9], + @{exec_path} mr, @{HOME}/.cat_installer/*.pem r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 64447750..05f7a3db 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/xarchiver profile xarchiver @{exec_path} { include + include include include include @@ -42,10 +43,6 @@ profile xarchiver @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed new file mode 100644 index 00000000..a37053b9 --- /dev/null +++ b/apparmor.d/profiles-s-z/zed 
@@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zed +profile zed @{exec_path} { + include + include + + capability sys_admin, + + network netlink raw, + + @{exec_path} mr, + /{usr/,}bin/basename rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/diff rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/flock rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/logger rix, + /{usr/,}bin/mawk rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/realpath rix, + /{usr/,}bin/sort rix, + /{usr/,}{local/,}{s,}bin/zpool rPx, + /{usr/,}{local/,}{s,}bin/zfs rPx, + /{usr/,}{local/,}lib/zfs-linux/zed.d/*.sh rix, + + /etc/zfs/zed.d/{,*} r, + /etc/zfs/zfs-list.cache/{,*} rwk, + + @{run}/zed.pid rwkl, + @{run}/zed.state rwkl, + @{run}/zfs-list.cache@* rw, + + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/[0-9]*/address r, + + @{PROC}/@{pids}/mounts r, + owner @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/zfs rw, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs new file mode 100644 index 00000000..500cfec1 --- /dev/null +++ b/apparmor.d/profiles-s-z/zfs @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +profile zfs @{exec_path} { + include + + capability sys_admin, + capability dac_read_search, + + mount fstype=zfs, + umount fstype=zfs, + + @{exec_path} mr, + + /etc/zfs/zfs-list.cache/{,*} rwk, + + @{run}/zfs-list.cache@* rw, + + @{PROC}/@{pids}/mounts r, + @{PROC}/sys/fs/pipe-max-size r, + + /dev/zfs rw, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool new file mode 100644 index 00000000..8fb872dc --- /dev/null +++ b/apparmor.d/profiles-s-z/zpool 
@@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool +profile zpool @{exec_path} { + include + include + + capability sys_admin, + + @{exec_path} rm, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + + /etc/hostid r, + /etc/zfs/*.cache rwk, + + @{run}/blkid/blkid.tab rw, + @{run}/blkid/blkid.tab.old l, + @{run}/blkid/blkid.tab-* rwl, + + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/[0-9]*/address r, + + @{PROC}/@{pids}/mounts r, + @{PROC}/sys/kernel/spl/hostid r, + + /dev/pts/[0-9]* rw, + /dev/zfs rw, + + include if exists +} diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index 4c6f55e1..7dd32b0e 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend @@ -9,8 +9,14 @@ # Universally unique identifier @{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* -# Common mountpoints -@{MOUNTS}=/media/ @{run}/media /mnt + +# @{MOUNTDIRS} is a space-separated list of where user mount directories +# are stored, for programs that must enumerate all mount directories on a +# system. +@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/ + +# @{MOUNTS} is a space-separated list of all user mounted directories. +@{MOUNTS}=@{MOUNTDIRS}/*/ # Libexec path. Different in some distribution @{libexec}=/{usr/,}lib # Archlinux diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index 5a58657e..98a55a7c 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs 
@@ -21,11 +21,13 @@ @{XDG_VIDEOS_DIR}="Videos" # Extra user personal directories -@{XDG_PROJECTS_DIR}="Projects" @{XDG_BOOKS_DIR}="Books" -@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" +@{XDG_PROJECTS_DIR}="Projects" +@{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots" @{XDG_SYNC_DIR}="Sync" +@{XDG_TORRENTS_DIR}="Torrents" @{XDG_VM_DIR}=".vm" +@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers" # User personal keyrings @{XDG_SSH_DIR}=".ssh" @@ -50,7 +52,18 @@ @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ # Other user directories +@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} +@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} +@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} +@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} +@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} +@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} +@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} @{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} +@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} +@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} +@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} +@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index a6e61246..aa47d9c0 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go 
@@ -28,9 +28,12 @@ const LogFile = "/var/log/audit/audit.log" // Colors const ( Reset = "\033[0m" + FgGreen = "\033[32m" FgYellow = "\033[33m" FgBlue = "\033[34m" FgMagenta = "\033[35m" + FgCian = "\033[36m" + FgWhite = "\033[37m" BoldRed = "\033[1;31m" BoldGreen = "\033[1;32m" BoldYellow = "\033[1;33m" @@ -86,7 +89,7 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { log := "" exp := "apparmor=(\"DENIED\"|\"ALLOWED\"|\"AUDIT\")" if profile != "" { - exp = fmt.Sprintf(exp+".* profile=\"%s.*\"", profile) + exp = fmt.Sprintf(exp+".* (profile=\"%s.*\"|label=\"%s.*\")", profile, profile) } isAppArmorLog := regexp.MustCompile(exp) @@ -100,10 +103,12 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { } // Clean logs + regex := regexp.MustCompile(`type=(USER_|)AVC msg=audit(.*): (pid=.*msg='|)apparmor`) + log = regex.ReplaceAllLiteralString(log, "apparmor") regexAppArmorLogs := map[*regexp.Regexp]string{ - regexp.MustCompile(`type=AVC msg=audit(.*): apparmor`): "apparmor", - regexp.MustCompile(` fsuid.*`): "", - regexp.MustCompile(`pid=.* comm`): "comm", + regexp.MustCompile(`(peer_|)pid=[0-9]* `): "", + regexp.MustCompile(` fsuid.*`): "", + regexp.MustCompile(` exe=.*`): "", } for regex, value := range regexAppArmorLogs { log = regex.ReplaceAllLiteralString(log, value) 
@@ -146,18 +151,28 @@ func (aaLogs AppArmorLogs) String() string { } // Order of impression keys := []string{ - "profile", "operation", "name", "info", "comm", "laddr", - "lport", "faddr", "fport", "family", "sock_type", "protocol", + "profile", "label", // Profile name + "operation", "name", + "mask", "bus", "path", "interface", "member", // dbus + "info", "comm", + "laddr", "lport", "faddr", "fport", "family", "sock_type", "protocol", "requested_mask", "denied_mask", "signal", "peer", // "fsuid", "ouid", "FSUID", "OUID", } // Optional colors template to use colors := map[string]string{ "profile": FgBlue, + "label": FgBlue, "operation": FgYellow, "name": FgMagenta, + "mask": BoldRed, + "bus": FgCian + "bus=", + "path": "path=" + FgWhite, "requested_mask": "requested_mask=" + BoldRed, "denied_mask": "denied_mask=" + BoldRed, + "interface": "interface=" + FgWhite, + "member": "member=" + FgGreen, } + for _, log := range aaLogs { seen := map[string]bool{"apparmor": true} res += state[log["apparmor"]] @@ -174,7 +189,7 @@ func (aaLogs AppArmorLogs) String() string { } for key, value := range log { - if !seen[key] { + if !seen[key] && value != "" { res += " " + key + "=" + toQuote(value) } } diff --git a/configure b/configure index 09aa5957..913517bf 100755 --- a/configure +++ b/configure @@ -5,7 +5,7 @@ set -eu -DISTRIBUTION="$(lsb_release --id --short)" +DISTRIBUTION="${DIST:-$(lsb_release --id --short)}" readonly DISTRIBUTION="${DISTRIBUTION,,}" readonly ROOT=.build 
@@ -63,15 +63,13 @@ configure() { ;; - debian|ubuntu) - if [[ "$DISTRIBUTION" == "debian" ]]; then - _msg "$DISTRIBUTION does not have etc tunable." - sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global" - + debian|ubuntu|whonix) + if [[ "$DISTRIBUTION" != "ubuntu" ]]; then _msg "$DISTRIBUTION does not support abi 3.0 yet." find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \; cp -a dists/debian/abstractions/* $ROOT/apparmor.d/abstractions + cp -a dists/debian/tunables/* $ROOT/apparmor.d/tunables fi _msg "Configure libexec." diff --git a/dists/debian/tunables/etc b/dists/debian/tunables/etc new file mode 100644 index 00000000..8cfbdd40 --- /dev/null +++ b/dists/debian/tunables/etc @@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{etc_ro} contains a space-separated list of the system configuration directories. +# Traditionally this means /etc/, but when using a read-only / filesystem and/or +# with the goal of having only user-modified config files in /etc/, directories +# like /usr/etc/ get introduced for storing the default config. + +# @{etc_ro} contains read-only directories with configuration files. +# Do not use @{etc_ro} in rules that allow write access. +@{etc_ro}=/etc/ /usr/etc/ + +# @{etc_rw} contains directories where writing to configuration files is allowed. +@{etc_rw}=/etc/ + +# Also, include files in tunables/etc.d/ for site-specific adjustments to +# @{etc_ro} and @{etc_rw}. +include if exists \ No newline at end of file diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index 095eda15..b659675b 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags 
@@ -17,5 +17,5 @@ dpkg-vendor complain ifup complain macchanger complain run-parts complain -unattended-upgrade complain +unattended-upgrade attach_disconnected,complain unattended-upgrade-shutdown attach_disconnected,complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 26409e02..e1c1e42d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -3,10 +3,12 @@ acpid attach_disconnected,complain agetty complain -apport-checkreports complain +anacron complain atd complain auditctl complain auditd attach_disconnected,complain +augenrules complain +busctl complain cfdisk complain cgdisk complain cockpit-askpass complain @@ -28,6 +30,7 @@ fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain flatpak-session-helper complain +fprintd attach_disconnected,complain fsck-ext4 complain fuse-overlayfs complain fusermount complain @@ -40,12 +43,24 @@ glib-compile-resources complain glib-genmarshal complain glib-gettextize complain glib-mkenums complain +gnome-control-center attach_disconnected,complain +gnome-control-center-goa-helper complain gnome-disk-image-mounter complain gnome-disks complain gnome-music complain gnome-photos-thumbnailer complain +gnome-remote-desktop-daemon complain +gnome-session complain +gnome-session-custom-session complain +gnome-session-inhibit complain +gnome-session-quit complain gnome-shell attach_disconnected,complain +gnome-shell-extension-prefs complain +gnome-shell-extension-tool complain gnome-shell-hotplug-sniffer complain +gnome-shell-perf-helper complain +gnome-shell-perf-tool complain +gnome-shell-portal-helper complain gnome-system-monitor attach_disconnected,complain gnome-terminal-server complain gnome-tweak-tool-lid-inhibitor complain 
@@ -55,6 +70,7 @@ gsd-media-keys attach_disconnected,complain gsd-print-notifications attach_disconnected,complain gsd-printer attach_disconnected,complain gvfsd-dav complain +homectl complain hostnamectl complain ibus-engine-table complain ibus-memconf complain @@ -67,33 +83,44 @@ last complain lastlog complain libvirt-dbus complain libvirtd attach_disconnected,complain -livepatch-notification complain locale-gen complain localectl complain login complain +loginctl complain +lvmpolld complain +machinectl complain man complain +mdevctl complain mke2fs complain +ModemManager attach_disconnected,complain molly-guard complain mount complain +mullvad-daemon complain +mullvad-gui complain nautilus complain needrestart attach_disconnected,complain needrestart-iucode-scan-versions complain +networkd-dispatcher complain nfsdcld complain nft complain nmap complain nullmailer-send complain oomctl complain -package-system-locked attach_disconnected,complain -packagekitd complain pass complain pass-import complain +pinentry complain +pinentry-curses complain +pinentry-gnome3 complain pinentry-gtk-2 complain pkttyagent complain plymouth complain plymouth-set-default-theme complain podman attach_disconnected,complain power-profiles-daemon attach_disconnected,complain +prime-switch complain qemu-ga complain +qrencode complain +repo complain resolvconf complain run-parts complain runuser complain 
@@ -101,14 +128,23 @@ s3fs complain scrcpy complain sftp-server complain slirp4netns attach_disconnected,complain +snap complain +snap-device-helper complain +snap-discard-ns complain +snap-failure complain +snap-seccomp complain +snap-update-ns complain +snapd complain spice-vdagent complain -spice-vdagentd complain +spice-vdagentd attach_disconnected,complain +splunkforwarder complain +ss complain ssh complain sshd attach_disconnected,complain su complain sudo complain sulogin complain -switcheroo-control complain +switcheroo-control attach_disconnected,complain swtpm complain swtpm_ioctl complain swtpm_localca complain @@ -132,6 +168,7 @@ systemd-growfs complain systemd-hibernate-resume complain systemd-homed complain systemd-homework complain +systemd-hostnamed attach_disconnected,complain systemd-hwdb attach_disconnected,complain systemd-id128 complain systemd-import complain @@ -141,7 +178,8 @@ systemd-inhibit systemd-journal-gatewayd complain systemd-journal-remote complain systemd-journal-upload complain -systemd-logind complain +systemd-localed attach_disconnected,complain +systemd-logind attach_disconnected,complain systemd-machine-id-setup complain systemd-machined complain systemd-makefs complain @@ -152,6 +190,8 @@ systemd-notify complain systemd-oomd attach_disconnected,complain systemd-path complain systemd-portabled complain +systemd-pstore complain +systemd-pull complain systemd-quotacheck complain systemd-random-seed complain systemd-remount-fs complain @@ -167,6 +207,7 @@ systemd-stdio-bridge complain systemd-sulogin-shell complain systemd-sysext complain systemd-time-wait-sync complain +systemd-timedated attach_disconnected,complain systemd-tty-ask-password-agent complain systemd-update-done complain systemd-update-utmp complain 
@@ -180,8 +221,6 @@ systemd-xdg-autostart-generator complain tailscaled complain timedatectl complain tracker-extract complain -ubuntu-advantage-notification complain -ubuntu-report complain udisksctl complain udisksd attach_disconnected,complain umount complain @@ -189,6 +228,7 @@ umount.udisks2 complain uptimed complain userdbctl complain virt-manager attach_disconnected,complain +virtiofsd complain virtlockd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index d196607b..047990aa 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1 +1,22 @@ -aa-status complain +apport-checkreports complain +apport-gtk complain +apt-esm-hook complain +apt-esm-json-hook complain +check-new-release-gtk complain +do-release-upgrade complain +hwe-support-status complain +list-oem-metapackages complain +livepatch-notification complain +notify-reboot-required complain +package-system-locked attach_disconnected,complain +packagekitd complain +release-upgrade-motd complain +software-properties-gtk +software-properties-gtk complain +ubuntu-advantage complain +ubuntu-advantage-notification complain +ubuntu-report complain +update-manager attach_disconnected,complain +update-motd-fsck-at-reboot complain +update-motd-updates-available complain +update-notifier complain diff --git a/dists/ignore/arch.ignore b/dists/ignore/arch.ignore index 0a76aee4..0556b95d 100644 --- a/dists/ignore/arch.ignore +++ b/dists/ignore/arch.ignore @@ -1,4 +1,7 @@ +# Debian specific definition apparmor.d/abstractions/apt-common apparmor.d/groups/apt apparmor.d/groups/cron + +# Ubuntu specific definition apparmor.d/groups/ubuntu diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index 7cd8fefc..83ecb1d0 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore 
@@ -1,4 +1,7 @@ +# Archlinux specific apparmor.d/groups/pacman -apparmor.d/groups/ubuntu root/usr/share/libalpm +# Ubuntu specific definition +apparmor.d/groups/ubuntu + diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 8aa6d326..9cafc675 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -1,2 +1,3 @@ +# Archlinux specific apparmor.d/groups/pacman root/usr/share/libalpm diff --git a/systemd/systemd-udevd.service b/systemd/systemd-udevd.service deleted file mode 100644 index 97038f8d..00000000 --- a/systemd/systemd-udevd.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service systemd-sysusers.service systemd-hwdb-update.service \ No newline at end of file
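Review bot: in the `dists/flags/ubuntu.flags` hunk the line `+software-properties-gtk` carries no flag and is immediately followed by `+software-properties-gtk complain`; the bare line looks like a stray duplicate and should be dropped, since every other entry in the flags files is `name flag[,flag]`. Please also confirm that `-aa-status complain` is meant to go: with that entry removed and nothing replacing it, the aa-status profile will no longer be switched to complain mode on Ubuntu.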
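Review bot: deleting `systemd/systemd-udevd.service` removes the only ordering that drop-in provided (`After=apparmor.service systemd-sysusers.service systemd-hwdb-update.service`), so systemd-udevd is free to start before apparmor.service has loaded the profiles; if the udevd profile is expected to confine the daemon from early boot, the rationale (for example that the ordering is now supplied elsewhere) belongs in the commit message, otherwise this reads as a regression in boot-time confinement.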
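Review bot: in `dists/ignore/debian.ignore` the entry `apparmor.d/groups/ubuntu` is removed and re-added unchanged under a new comment, and a trailing empty line is introduced; the comment wording also differs across the three ignore files (`# Archlinux specific` versus `# Debian specific definition` and `# Ubuntu specific definition`). Suggest one phrasing for all three and no trailing blank line, so future diffs of these lists stay minimal.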
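Review bot: the first hunk and the `dists/flags/main.flags` hunks add `attach_disconnected` to existing entries (`unattended-upgrade`, `spice-vdagentd`, `switcheroo-control`, `systemd-logind`) and to new ones (`fprintd`, `gnome-control-center`, `ModemManager`, `systemd-hostnamed`, `systemd-localed`, `systemd-timedated`). `attach_disconnected` makes the profile treat disconnected paths as if rooted at `/`, which widens what its file rules can match, so each addition should be backed by an observed denial rather than set pre-emptively; a pointer to the triggering log line in the commit message would make that reviewable. Minor: `ModemManager` is slotted between `mke2fs` and `molly-guard`, i.e. sorted case-insensitively; fine if that is the convention for these files, but worth stating in CONTRIBUTING.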