From 6c30e362ee709e68b9a1f688cbf01092c59d4a39 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 23 May 2022 16:43:42 +0000 Subject: [PATCH 001/165] Add `consoles` abstraction where needed (#36) * add consoles abstraction where needed * not now --- apparmor.d/profiles-a-f/dig | 1 + apparmor.d/profiles-g-l/host | 1 + apparmor.d/profiles-m-r/nslookup | 1 + apparmor.d/profiles-s-z/ss | 1 + 4 files changed, 4 insertions(+) diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index bf0b42b6..e4cf9cfd 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/dig profile dig @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index a229b405..46e3eb6d 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -8,6 +8,7 @@ include @{exec_path} = /{,usr/}bin/host profile host @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 71aa765f..ddf47994 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -8,6 +8,7 @@ include @{exec_path} = /{,usr/}bin/nslookup profile nslookup @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index ee4c8dea..1c0c828f 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -8,6 +8,7 @@ include @{exec_path} = /{,usr/}bin/ss profile ss @{exec_path} { include + include include capability net_admin, From 9a48515089dd0cc69b18ce9e47d3386f8a3ab1f6 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 23 May 2022 16:55:58 +0000 Subject: [PATCH 002/165] Add pstree (#38) --- apparmor.d/profiles-m-r/pstree | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pstree 
diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree
new file mode 100644
index 00000000..1913b203
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pstree
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}bin/pstree
+profile pstree @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ @{PROC} r,
+ @{PROC}/uptime r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/task/ r,
+ @{PROC}/@{pids}/attr/current r,
+ owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/task/@{tid}/stat r,
+
+ include if exists
+}
From 8deddc8a2c8862c83f2dd9171bdfcab3a80cdb4c Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Mon, 23 May 2022 22:16:22 +0000
Subject: [PATCH 003/165] sshd: Ubuntu compatibility (#37)
* Ubuntu, allow fallback
* reverting to Ubuntu compatibility only
---
 apparmor.d/groups/ssh/sshd | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 4dbb5786..54f2afe9 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -43,14 +43,17 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 ptrace (read,trace) peer=unconfined,
+ network inet stream,
+ network inet6 stream,
+
 @{exec_path} mrix,
 /{usr/,}bin/{,b,d,rb}ash rUx,
 /{usr/,}bin/{c,k,tc,z}sh rUx,
 /{usr/,}{s,}bin/nologin rPx,
- /{usr/,}bin/false rix,
 /{usr/,}bin/passwd rPx,
 /{usr/,}lib/openssh/sftp-server rPx,
+ /{usr/,}bin/false rix,
 /etc/default/locale r,
 /etc/environment r,
@@ -73,7 +76,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{run}/motd.dynamic.new rw,
 @{run}/resolvconf/resolv.conf r,
 @{run}/systemd/sessions/[0-9]*.ref rw,
- @{run}/systemd/userdb/ r,
+ @{run}/systemd/notify w,
 @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
 @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-c[0-9]*.scope/ rw,
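Review bot: `ptrace (read),` in the new pstree profile carries no `peer=` qualifier and `capability sys_ptrace,` beside it is equally unconditional, yet nothing in the file records which reads need them. They are plausibly required for `@{PROC}/@{pids}/attr/current` and other users' `stat` entries, but that is an inference from the rule list; a one-line comment above the pair, `# read-mode ptrace: needed for foreign processes' @{PROC}/@{pids}/* entries`, would keep a later cleanup from narrowing them blindly. The `owner` prefix is also applied unevenly (`cmdline` and `task/@{tid}/stat` are owner-only while `stat` and `attr/current` are not), which deserves either a consistent choice or a comment saying why a process tree needs foreign `stat` but not foreign `cmdline`.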
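Review bot: `+ @{run}/systemd/notify w,` replaces `@{run}/systemd/userdb/ r,` with an unrelated rule and neither direction is explained; the notify write presumably serves sd_notify() readiness under Ubuntu's ssh.service, while the dropped userdb read may simply have gone unused. A comment on the new line, `# sd_notify() readiness — confirm Ubuntu's ssh.service is Type=notify`, plus a sentence in the commit message on why the userdb read was removed, would make the swap reviewable. sshd's profile extends beyond both ends of this hunk.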
@@ -87,11 +90,10 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
- @{PROC}/cmdline r,
 @{PROC}/filesystems r,
 @{PROC}/sys/kernel/ngroups_max r,
 /dev/ptmx rw,
 include if exists
-}
\ No newline at end of file
+}
From e2b7f6594ce53c00391b6bd37fa75c048781ab19 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Wed, 1 Jun 2022 17:49:07 +0000
Subject: [PATCH 004/165] disks-read: Armbian / DietPi (#40)
---
 apparmor.d/abstractions/disks-read | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 3e58794d..09cca718 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@@ -43,6 +43,30 @@
 @{sys}/devices/virtual/block/zram[0-9]*/ r,
 @{sys}/devices/virtual/block/zram[0-9]*/** r,
+ # Armbian / DietPi
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/} r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/ r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/ r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/ r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type r,
+ @{sys}/devices/virtual/block/ram[0-9]*/ r,
+ @{sys}/devices/virtual/block/ram[0-9]*/hidden r,
+ @{sys}/devices/virtual/block/ram[0-9]*/dev r,
+ @{sys}/devices/virtual/block/ram[0-9]*/size r,
+ @{sys}/devices/virtual/block/ram[0-9]*/ro r,
+ @{sys}/devices/virtual/block/ram[0-9]*/removable r,
+ @{sys}/devices/virtual/block/ram[0-9]*/holders/ r,
+ @{sys}/devices/virtual/block/ram[0-9]*/slaves/ r,
+# investigate
+# /dev/ram[0-9]* r,
+
 # CD-ROM
 /dev/sr[0-9]* rk,
From b4f7ed185cb3ea26dc4d6fea9ab37d379aa85645 Mon Sep 17 00:00:00 2001
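Review bot: The two added lines `# investigate` / `# /dev/ram[0-9]* r,` leave an open question inside a shared abstraction, sit at column 0 while every neighbouring rule is indented, and give the next reader nothing to investigate against. Either drop them or state what is unresolved, e.g. `# TODO: /dev/ram[0-9]* r, — confirm which caller needs it before enabling`; a grant on `/dev/ram*` from an abstraction would reach every profile that includes it, so the decision belongs in a comment rather than a dead line. The same pattern of a disabled rule with no rationale recurs later in this series: `+# include` in dbus-daemon, `# deny capability dac_override,` in sftp-server, and `# capability sys_ptrace,` / `# ptrace (read),` in rsyslogd.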
From: nobodysu Date: Wed, 1 Jun 2022 17:50:05 +0000 Subject: [PATCH 005/165] More `consoles` requirement after `sshd` introduction (#44) * consoles requirement after sshd introduction * one more --- apparmor.d/profiles-g-l/groups | 1 + apparmor.d/profiles-g-l/last | 4 ++++ apparmor.d/profiles-g-l/lastlog | 3 +++ apparmor.d/profiles-g-l/lscpu | 1 + apparmor.d/profiles-m-r/passwd | 1 + apparmor.d/profiles-s-z/top | 1 + apparmor.d/profiles-s-z/uptime | 1 + apparmor.d/profiles-s-z/usb-devices | 4 ++++ apparmor.d/profiles-s-z/w | 1 + 9 files changed, 17 insertions(+) diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index e4da11c1..b7c74d74 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/groups profile groups @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index 04926ce2..3ddb573b 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/last{,b} profile last @{exec_path} { include + include include include @@ -21,5 +22,8 @@ profile last @{exec_path} { @{PROC}/@{pids}/loginuid r, + /var/log/wtmp r, + /var/log/btmp{,.[0-9]*} r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index bf32a379..f1534002 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/lastlog profile lastlog @{exec_path} { include + include include network netlink raw, @@ -18,5 +19,7 @@ profile lastlog @{exec_path} { /var/log/lastlog r, /etc/login.defs r, + @{run}/systemd/userdb/io.systemd.DynamicUser w, + include if exists } diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu index 48f0532d..16dee098 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/profiles-g-l/lscpu 
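Review bot: `/var/log/wtmp r,` and `/var/log/btmp{,.[0-9]*} r,` in the `last` hunk are asymmetric: rotated btmp files are readable but rotated wtmp files are not, although `last` reads wtmp by default and btmp only as `lastb`. If the intent is to let both read the previous rotation, `/var/log/wtmp{,.[0-9]*} r,` keeps the pair consistent; otherwise a comment should say why wtmp is restricted to the live file. The lastlog hunk in the same commit adds `@{run}/systemd/userdb/io.systemd.DynamicUser w,` with no comment, and a short `# userdb lookup socket` note would help there too.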
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/lscpu profile lscpu @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index 44e9dea5..9b9663e3 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/passwd profile passwd @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index d31f30dd..0b403aed 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -11,6 +11,7 @@ include @{exec_path} = /{usr/,}bin/top profile top @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime index 2ce034b7..32e1915a 100644 --- a/apparmor.d/profiles-s-z/uptime +++ b/apparmor.d/profiles-s-z/uptime @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/uptime profile uptime @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices index 7b12a972..271ebfb9 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -9,8 +9,12 @@ include @{exec_path} = /{usr/,}bin/usb-devices profile usb-devices @{exec_path} { include + include include + capability dac_read_search, + deny capability dac_override, + @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index 230c7d65..9c12e5cf 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/w profile w @{exec_path} { include + include include include From b45161a68e0fd8fe057735d55890a9b250e7f6ca Mon Sep 17 00:00:00 2001 
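Review bot: `capability dac_read_search,` paired with `deny capability dac_override,` in the usb-devices hunk is a deliberate read-through-only pattern, but it is undocumented here and, since usb-devices also executes `/{usr/,}bin/{,ba,da}sh rix`, the inherited shell gets the same capability rule. A comment above the pair, `# traverse restricted directories read-only; never permit write-through (dac_override)`, would record the intent, and if the capability only matters when the tool runs as root, say so. The identical pair added to lsblk in patch 009 should carry the same comment.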
From: nobodysu Date: Wed, 1 Jun 2022 17:50:27 +0000 Subject: [PATCH 006/165] Armbian mmap (#45) --- apparmor.d/profiles-g-l/host | 2 +- apparmor.d/profiles-m-r/nslookup | 2 +- apparmor.d/profiles-s-z/ss | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index 46e3eb6d..6f61f072 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -17,7 +17,7 @@ profile host @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} r, + @{exec_path} mr, owner @{PROC}/@{pids}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index ddf47994..af9b1fc3 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -17,7 +17,7 @@ profile nslookup @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} r, + @{exec_path} mr, owner @{PROC}/@{pids}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 1c0c828f..27b390de 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -19,7 +19,7 @@ profile ss @{exec_path} { network netlink raw, - @{exec_path} r, + @{exec_path} mr, /etc/iproute2/{,**} r, From 7db753f0c9eec4da1553a59086538663ceaf99f3 Mon Sep 17 00:00:00 2001 
From: nobodysu Date: Wed, 1 Jun 2022 17:54:07 +0000 Subject: [PATCH 007/165] Alphanumeric systemd sessions (#47) --- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/gnome/gdm | 4 ++-- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-control-center | 6 +++--- apparmor.d/groups/gnome/gnome-session-binary | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 4 ++-- apparmor.d/groups/gnome/gnome-system-monitor | 5 +++-- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 +- apparmor.d/groups/virt/cockpit-session | 4 ++-- apparmor.d/profiles-g-l/labwc | 2 +- apparmor.d/profiles-g-l/light-locker | 2 +- apparmor.d/profiles-m-r/ps | 2 +- apparmor.d/profiles-s-z/sddm | 2 +- apparmor.d/profiles-s-z/spice-vdagentd | 4 ++-- 15 files changed, 24 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index cf5e5daa..fcfa90ce 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -37,7 +37,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/icc/edid-*.icc r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3532b32c..9bfac45c 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -44,8 +44,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{run}/gdm{3,}/gdm.pid rw, @{run}/gdm{3,}/greeter/ rw, @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/sessions/[0-9]* r, - @{run}/systemd/sessions/[0-9]*.ref r, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref r, @{run}/systemd/userdb/ r, @{run}/systemd/users/@{uid} r, @{run}/udev/tags/master-of-seat/ r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d7e91d94..49938a96 100644 
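Review bot: Replacing `[0-9]*` with `*` under `@{run}/systemd/sessions/` fits the commit's point that session ids are alphanumeric, but where a profile keeps both `sessions/* r,` and `sessions/*.ref r,` with the same permissions (gdm here, gnome-system-monitor in a later hunk of this commit, systemd-logind in patch 009) the second line is now redundant, since `*` already matches `*.ref`. Keep the separate `.ref` line only where its permissions differ, as in gnome-session-binary (`* r` vs `*.ref rw`), or add a comment that the split is intentional for readability. `*` still does not cross `/`, so the widening is confined to the basename. The gdm profile continues past both ends of this hunk.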
--- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -61,7 +61,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/gdm/custom.conf r, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 5822b9c4..eb181ea6 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -83,8 +83,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, @{run}/systemd/users/@{uid} r, - @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/* r, @{run}/udev/data/+dmi:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @@ -123,4 +123,4 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /dev/video[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 94e54cfc..f9711333 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -105,8 +105,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/[0-9]* r, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, /tmp/.ICE-unix/[0-9]* rw, 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6a059dc8..bbc8375a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -137,8 +137,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/* r, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/tags/seat/ r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index f42c703e..1053f8bd 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -39,7 +39,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/doc/ rw, - @{run}/systemd/sessions/[0-9]*{,.ref} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/collisions r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/rx_{bytes,errors,packets} r, @@ -65,4 +66,4 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/vmstat r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 9bf870d8..6f4d858e 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -54,7 +54,7 @@ profile gsd-xsettings @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/systemd/users/@{uid}/ r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index c18b5fc4..c91b5c08 100644 
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -46,7 +46,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { owner @{run}/user/@{uid}/dconf/user rw, @{run}/mount/utab r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 2223836f..b91630d0 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -32,7 +32,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/shells r, @{run}/faillock/[a-zA-z0-9]* rwk, - @{run}/systemd/sessions/[0-9].ref rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/userdb/ r, @{run}/utmp rwk, @@ -45,4 +45,4 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/fd/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 7790d273..0cae0773 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -58,7 +58,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{run}/systemd/seats/seat[0-9]* r, @{run}/user/@{uid}/wayland-[0-9].lock k, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index ee14411a..85c9dbd5 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -25,7 +25,7 @@ profile light-locker @{exec_path} { owner @{PROC}/@{pid}/cgroup r, # when locking the screen and switching/closing sessions - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, include owner @{run}/user/@{uid}/dconf/ rw, 
diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index 3f524288..90ec3046 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps @@ -52,7 +52,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/tty/drivers r, @{PROC}/uptime r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, diff --git a/apparmor.d/profiles-s-z/sddm b/apparmor.d/profiles-s-z/sddm index 0968089d..6a600567 100644 --- a/apparmor.d/profiles-s-z/sddm +++ b/apparmor.d/profiles-s-z/sddm @@ -157,7 +157,7 @@ profile sddm @{exec_path} { # Run SDDM on a specific TTY /dev/tty[0-9]* rw, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/*.ref rw, profile sddm-scripts { diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 0af212c2..2441b65b 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -16,7 +16,7 @@ profile spice-vdagentd @{exec_path} { owner @{run}/spice-vdagentd/spice-vdagentd.pid rw, @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{PROC}/@{pids}/cgroup r, @@ -25,4 +25,4 @@ profile spice-vdagentd @{exec_path} { /dev/vport[0-9]*p[0-9]* rw, include if exists -} \ No newline at end of file +} From db649628a5d3cacf1051354c4765f933c1193058 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Wed, 1 Jun 2022 17:54:31 +0000 Subject: [PATCH 008/165] Update htop (#48) --- apparmor.d/profiles-g-l/htop | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 79e1e553..71be4528 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop 
@@ -95,8 +95,10 @@ profile htop @{exec_path} { @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r, @{sys}/devices/system/cpu/cpu[0-9]*/online r, - @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, From b42b8c66cc0fbfb7614bf7368a7615907dd1339d Mon Sep 17 00:00:00 2001 From: nobodysu Date: Fri, 27 May 2022 01:15:49 +0300 Subject: [PATCH 009/165] Ubuntu 22.04, first batch and misc --- apparmor.d/groups/bus/dbus-daemon | 12 +- apparmor.d/groups/ssh/sftp-server | 7 +- apparmor.d/groups/ssh/sshd | 26 +++- apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/systemd/systemd-logind | 129 ++++++++++++------ apparmor.d/groups/systemd/systemd-timesyncd | 17 ++- .../systemd/systemd-tty-ask-password-agent | 2 + apparmor.d/profiles-a-f/agetty | 7 +- apparmor.d/profiles-g-l/logrotate | 8 +- apparmor.d/profiles-g-l/lsblk | 3 + apparmor.d/profiles-m-r/pstree | 4 +- apparmor.d/profiles-m-r/rsyslogd | 13 ++ 12 files changed, 178 insertions(+), 51 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index de381ebc..27afafef 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -11,6 +11,10 @@ include profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include + include + include + include +# include include capability audit_write, @@ -41,7 +45,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, /etc/dbus-1/{,**} r, - /etc/machine-id r, /usr/share/dbus-1/{,**} r, /usr/share/defaults/**.conf r, 
@@ -63,12 +66,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { owner /tmp/dbus-[0-9a-zA-Z]* rw, - owner @{run}/user/@{uid}/bus w, owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/userdb/io.systemd.DynamicUser w, @{run}/systemd/users/@{uid} r, @@ -77,7 +79,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/cmdline r, @@ -89,5 +91,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/tty[0-9]* rw, + unix type=stream addr="@/tmp/dbus-*", + include if exists } diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3cd08f48..3c516fd2 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -9,8 +9,13 @@ include @{exec_path} = /{usr/,}lib/openssh/sftp-server profile sftp-server @{exec_path} { include + include + include + + capability dac_read_search, +# deny capability dac_override, @{exec_path} mr, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 54f2afe9..990d4626 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -45,6 +45,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, @{exec_path} mrix, 
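Review bot: Dropping `owner` from `@{PROC}/@{pid}/mounts r,` widens the rule unless `@{pid}` is expanded by the kernel to the calling process's own pid; if, as elsewhere in this project's tunables, `@{pid}` is a digit glob, the new line lets the bus daemon read every process's mount table, which is what the neighbouring `@{pids}` lines are explicitly for. If a particular instance was denied under `owner`, keeping `owner` and adding a commented rule for that case, or documenting why the broader read is acceptable, would be preferable to silently widening it. The removal of `owner @{run}/user/@{uid}/bus w,` in the same hunk is also unexplained; if it moved into one of the newly included abstractions, the commit message should say which.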
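Review bot: `capability dac_read_search,` in the sftp-server profile is unconditional and uncommented: sftp-server acts on requests from the remote client, and whenever the process actually holds the capability this rule lets it read and traverse any path regardless of DAC bits, which a confined file server should not get by default. The line directly under it, `# deny capability dac_override,`, hints at the narrower intent (read-through without write-through) but is disabled without a reason. State the case that needs the grant, e.g. `# dac_read_search: <state which sftp configuration needs it>`, and either enable the deny or remove the dead line.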
@@ -75,11 +78,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/resolvconf/resolv.conf r, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/notify w, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-c[0-9]*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid rw, @@ -95,5 +98,24 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + @{run}/systemd/userdb/io.systemd.DynamicUser w, + + # DBus + @{run}/dbus/system_bus_socket rw, + + dbus send + bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=org.freedesktop.DBus), + + dbus send + bus=system + path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession} + peer=(name=org.freedesktop.login1), + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 3f72381f..0a9df102 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -50,6 +50,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+sdio:* r, @{run}/udev/data/c10:224 r, # for /dev/tpm0 @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c23[0-9]:[0-9]* r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 55a79fc0..bfaebacb 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -7,16 +7,15 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-logind -profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { +profile systemd-logind @{exec_path} flags=(attach_disconnected) { include - include include include include + include capability chown, capability dac_override, - capability dac_read_search, capability fowner, capability sys_admin, capability sys_tty_config, 
@@ -44,66 +43,120 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:intel_backlight r, - @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+pci* r, @{run}/udev/data/c10:[0-9]* r, @{run}/udev/data/c116:[0-9]* r, # for ALSA @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/c21:[0-9]* r, @{run}/udev/data/c23[0-9]:[0-9]* r, @{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/c29:[0-9]* r, @{run}/udev/data/c50[0-9]:[0-9]* r, @{run}/udev/data/c51[0-9]:[0-9]* r, - @{run}/systemd/inhibit/ rw, - @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + @{run}/udev/data/+backlight:intel_backlight r, + @{run}/udev/data/+pci* r, + @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat[0-9]* rw, - @{run}/systemd/sessions/ rw, - @{run}/systemd/sessions/.#* rw, - @{run}/systemd/sessions/[0-9]*{,.ref} rw, - @{run}/systemd/userdb/ r, + @{run}/systemd/inhibit/ rw, + @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/systemd/inhibit/.#* rw, + @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/* rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/ rw, - @{run}/systemd/users/.#* rw, @{run}/systemd/users/@{uid} rw, + @{run}/systemd/users/.#* rw, + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/notify w, - @{run}/systemd/journal/socket rw, - @{run}/systemd/notify rw, + /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) + /dev/dri/card[0-9]* rw, + /dev/tty[0-9]* rw, + /dev/nvme* r, + /dev/shm/{,**/} r, + /dev/mqueue/ r, - @{sys}/class/drm/ r, + 
@{sys}/module/vt/parameters/default_utf8 r, + @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, + @{sys}/fs/cgroup/memory.max r, + @{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/**/{uevent,enabled,status} r, @{sys}/devices/**/brightness rw, - @{sys}/devices/virtual/tty/tty[0-9]*/active r, - @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, - @{sys}/fs/cgroup/memory.max r, - @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, - @{sys}/module/vt/parameters/default_utf8 r, + + @{sys}/class/drm/ r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, @{PROC}/1/cmdline r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, - /dev/dri/card[0-9]* rw, - /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/nvme* r, - /dev/shm/{,**/} rw, - /dev/tty[0-9]* rw, + # DBus + # all members for login related, specific for others + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), + + dbus (send, receive) + bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus 
(send, receive) + bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.Manager" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus (send, receive) + bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.login1.Session" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus receive + bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), + + dbus (send, receive) + bus="system" path="/org/freedesktop/login1/*" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus send + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"), + + dbus send + bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + + dbus 
send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"), + + dbus (bind) + bus="system" + name="org.freedesktop.login1", include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 1eb2b263..7dd0eb07 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -12,12 +12,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { include include include - include capability sys_time, network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -33,5 +34,19 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify rw, + # dbus-stricter + @{run}/dbus/system_bus_socket rw, + + dbus send + bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,RequestName} + peer=(name=org.freedesktop.DBus), + + dbus bind + bus=system + name=org.freedesktop.timesync1, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 204a9b3e..cc7a27e6 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -11,6 +11,8 @@ profile systemd-tty-ask-password-agent @{exec_path} { include include + signal (receive) set=(term cont) peer=logrotate, + @{exec_path} mr, @{run}/systemd/ask-password-block/{,*} rw, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 28b8cc52..969fadb1 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty 
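Review bot: The receive rule `member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}"` in the systemd-logind hunk lists `UnitRemoved` twice; one of them is probably meant to be `UnitNew`, the signal systemd emits alongside `UnitRemoved`, so please check against the daemon's real traffic rather than leaving the duplicate. In the same hunk `@{run}/systemd/sessions/* rw,` already covers `@{run}/systemd/sessions/*.ref rw,`, and the `(send, receive)` rules with `peer=(name="{org.freedesktop.DBus,:*}")` on the login1 Manager, Session and Properties interfaces admit any bus peer — expected for a system service answering arbitrary clients, but worth a comment so a later tightening does not break logins. `/dev/shm/{,**/} r,` (formerly `rw`) matches only directories because of the trailing slash, and together with the `capability dac_read_search,` and `complain` removals in the first hunk these mode changes are not mentioned in the commit message. systemd-logind's profile starts before this hunk.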
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/agetty +@{exec_path} = /{usr/,}{s,}bin/agetty profile agetty @{exec_path} { include include @@ -15,6 +15,7 @@ profile agetty @{exec_path} { capability fsetid, capability sys_admin, capability sys_tty_config, + capability chown, @{exec_path} mr, @@ -25,7 +26,9 @@ profile agetty @{exec_path} { owner @{run}/agetty.reload rw, @{run}/resolvconf/resolv.conf r, - /dev/tty[0-9]* rw, + /dev/tty[0-9]* rw, + owner /dev/ttyGS[0-9]* rw, + owner /dev/ttyS[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 8a5aef04..d4a880c5 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -23,6 +23,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { audit deny capability net_admin, signal (send) set=(hup), + signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, @@ -36,7 +37,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}bin/zstd rix, /{usr/,}{s,}bin/invoke-rc.d rix, /{usr/,}lib/rsyslog/rsyslog-rotate rix, - /{usr/,}bin/fail2ban-client rPx, + /{usr/,}bin/fail2ban-client rPx, + /{usr/,}bin/systemd-tty-ask-password-agent rPx, # no new privs #/{usr/,}bin/systemctl rCx -> systemctl, @@ -51,6 +53,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + owner @{run}/systemd/private rw, + /etc/ r, /etc/logrotate.conf rk, /etc/logrotate.d/ r, @@ -61,6 +65,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /var/lib/logrotate.status rwk, /var/lib/logrotate.status.tmp rw, + /var/log/ r, /var/log/** rw, # Needed to remove the following error: @@ -86,6 +91,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /dev/kmsg rw, + include if exists } include if exists 
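Review bot: `capability chown,` is added to agetty without the reason the rest of this series records beside new capabilities. agetty resets the ownership of the tty line it opens before handing it to login, which is presumably what triggered the denial, so a one-line annotation such as `capability chown, # reset ownership of the tty line` would document the grant. The first and third agetty hunks are path changes only and need nothing further.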
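Review bot: `owner @{run}/systemd/private rw,` is a significant grant — that socket is PID 1's private control endpoint, so write access lets the confined process drive the service manager without going through the bus or polkit. Nothing in the hunk says which postrotate script needs it (presumably systemctl reached through `/{usr/,}{s,}bin/invoke-rc.d rix`, which inherits this profile); a comment naming the trigger, or moving the rule into the `systemctl` child profile the file already sketches in its `# no new privs` comment, would keep the parent profile tighter. The enclosing profile block extends beyond the hunk.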
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk index c71fe8e2..3144bb97 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -13,6 +13,9 @@ profile lsblk @{exec_path} { include include + capability dac_read_search, + deny capability dac_override, + @{exec_path} mr, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index 1913b203..a8da6399 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -22,8 +22,8 @@ profile pstree @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/cmdline r, include if exists } diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 479f04d8..77fe8d1e 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -26,8 +26,14 @@ profile rsyslogd @{exec_path} { # for creating new log files and changing their owner/group capability chown, + # downgrade privileges on Ubuntu + capability setgid, + capability setuid, + # Needed? deny capability sys_nice, +# capability sys_ptrace, +# ptrace (read), @{exec_path} mr, @@ -50,5 +56,12 @@ profile rsyslogd @{exec_path} { /etc/CA/*.crt r, /etc/CA/*.key r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + @{run}/systemd/userdb/io.systemd.Machine rw, + @{run}/systemd/notify w, + include if exists } From db9bccc42a9faba0c540aec001fd37d4fca82931 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Fri, 27 May 2022 01:22:10 +0300 Subject: [PATCH 010/165] complain --- apparmor.d/groups/systemd/systemd-logind | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index bfaebacb..b759c87f 100644 
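Review bot: `capability dac_read_search,` lets lsblk bypass read and search permission checks on every path the profile otherwise allows, and the hunk does not record which access needed it. Pairing it with `deny capability dac_override,` is a good way to silence the noisier capability, but a short note on the line (which sysfs or device path failed without it) would let a later reviewer verify the grant. The same applies to the `capability dac_read_search,` added to systemd-logind in PATCH 011.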
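Review bot: the new lines mix `@{PROC}/@{pids}/task/@{tid}/stat r,` and `owner @{PROC}/@{pid}/cmdline r,` in one block; if the repository's convention is that `@{pid}` denotes the profile's own process and `@{pids}` any process, the `owner` rule should use `@{pids}` like the lines around it — confirm which is intended. Keeping `owner` on cmdline while dropping it from the task stat rule also means `pstree -a` run by root still cannot read other users' command lines; if that restriction is deliberate, a comment would spare the next denial-driven edit.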
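Review bot: `@{PROC}/1/environ r,` exposes PID 1's environment to rsyslogd and is added without the why-comment this file uses for its other rules (`# for creating new log files and changing their owner/group`). It is most likely libsystemd's container detection reading the `container=` variable from PID 1; if so, `@{PROC}/1/environ r, # libsystemd container detection` on the line would document it, and the same bare rule is added to systemd-tty-ask-password-agent in PATCH 014. The first rsyslogd hunk also leaves `# capability sys_ptrace,` and `# ptrace (read),` commented out under `# Needed?` with no note on whether they are pending or rejected.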
--- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -7,12 +7,12 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-logind -profile systemd-logind @{exec_path} flags=(attach_disconnected) { +profile systemd-logind @{exec_path} flags=(attach_disconnected, complain) { include + include include include include - include capability chown, capability dac_override, From e547f6c7bd9163b30ef3fc7342e1c22e2eaeec84 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Fri, 27 May 2022 01:31:35 +0300 Subject: [PATCH 011/165] lost somehow --- apparmor.d/groups/systemd/systemd-logind | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index b759c87f..230d56a4 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-logind -profile systemd-logind @{exec_path} flags=(attach_disconnected, complain) { +profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { include include include @@ -16,6 +16,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected, complain) { capability chown, capability dac_override, + capability dac_read_search, capability fowner, capability sys_admin, capability sys_tty_config, From 6b4ae79806ce743fa4ab1cee6765949d63111e71 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Fri, 27 May 2022 02:02:28 +0300 Subject: [PATCH 012/165] up to date version --- apparmor.d/groups/systemd/systemd-logind | 73 ++++++++++++------------ 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 230d56a4..e061471f 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
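Review bot: switching the flags to `(attach_disconnected, complain)` turns enforcement off for systemd-logind — denials are logged but allowed from here on — and neither the hunk nor the one-word commit message says what has to stabilise before it returns to enforce mode. A `# TODO: complain until <reason>` on the profile line, or an issue reference in the commit, keeps the relaxation from silently becoming permanent. The removed include cannot be identified from this rendering, so its replacement is not reviewed here.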
@@ -44,6 +44,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, + @{run}/udev/data/+backlight:intel_backlight r, + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci* r, @{run}/udev/data/c10:[0-9]* r, @{run}/udev/data/c116:[0-9]* r, # for ALSA @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* 
@@ -55,61 +59,56 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/data/c50[0-9]:[0-9]* r, @{run}/udev/data/c51[0-9]:[0-9]* r, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs - @{run}/udev/data/+backlight:intel_backlight r, - @{run}/udev/data/+pci* r, - + @{run}/systemd/inhibit/ rw, + @{run}/systemd/inhibit/.#* rw, + @{run}/systemd/inhibit/[0-9]*{,.ref} rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat[0-9]* rw, - @{run}/systemd/inhibit/ rw, - @{run}/systemd/inhibit/[0-9]*{,.ref} rw, - @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/ rw, @{run}/systemd/sessions/* rw, @{run}/systemd/sessions/*.ref rw, - @{run}/systemd/users/ rw, - @{run}/systemd/users/@{uid} rw, - @{run}/systemd/users/.#* rw, @{run}/systemd/userdb/ r, @{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{run}/systemd/notify w, + @{run}/systemd/users/ rw, + @{run}/systemd/users/.#* rw, + @{run}/systemd/users/@{uid} rw, - /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) - /dev/dri/card[0-9]* rw, - /dev/tty[0-9]* rw, - /dev/nvme* r, - /dev/shm/{,**/} r, - /dev/mqueue/ r, - - @{sys}/module/vt/parameters/default_utf8 r, - @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, - @{sys}/fs/cgroup/memory.max r, - @{sys}/devices/virtual/tty/tty[0-9]*/active r, - @{sys}/devices/**/{uevent,enabled,status} r, - @{sys}/devices/**/brightness rw, + @{run}/systemd/journal/socket rw, + @{run}/systemd/notify rw, @{sys}/class/drm/ r, - @{sys}/power/{state,resume_offset,resume,disk} r, - - @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/devices/**/{uevent,enabled,status} r, + @{sys}/devices/**/brightness rw, + @{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, 
@{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, + @{sys}/fs/cgroup/memory.max r, + @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, + @{sys}/module/vt/parameters/default_utf8 r, + @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cmdline r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, + /dev/dri/card[0-9]* rw, + /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/nvme* r, + /dev/shm/{,**/} rw, + /dev/tty[0-9]* rw, + # DBus - # all members for login related, specific for others + # all members for login-related, specific for others dbus send bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), From 9dab6b9794f9effa9c9b68c1d0c501c7a53f89b1 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Fri, 27 May 2022 02:08:37 +0300 Subject: [PATCH 013/165] stricter logind --- apparmor.d/groups/systemd/systemd-logind | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index e061471f..3eac7118 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
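Review bot: several permissions are widened inside what is otherwise a re-sort, which makes them easy to miss: `/dev/shm/{,**/} r` becomes `rw`, `@{run}/systemd/notify w` becomes `rw`, `@{run}/systemd/sessions/ r` becomes `rw`, and `@{run}/systemd/journal/socket rw,` is new. The /dev/shm write is presumably for logind's `RemoveIPC=` cleanup of a departing user's segments; a comment on that line would justify recursive write over a world-writable tmpfs. The hunk also renames `@{PROC}/@{pids}/...` to `@{PROC}/@{pid}/...` for cgroup, comm, fd, mountinfo, sessionid and stat — logind inspects client processes, not only itself, so confirm the narrower-sounding variable still matches what the repository's tunables define.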
@@ -66,7 +66,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat[0-9]* rw, @{run}/systemd/sessions/ rw, - @{run}/systemd/sessions/* rw, + @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/.#* rw, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/userdb/ r, @{run}/systemd/userdb/io.systemd.DynamicUser rw, From 4a76a696322db61fea2032aa3c262b698fec3cd3 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sat, 28 May 2022 00:47:21 +0300 Subject: [PATCH 014/165] polishing --- apparmor.d/groups/bus/dbus-daemon | 12 ++++--- apparmor.d/groups/systemd/systemd-logind | 30 ++++++++--------- .../systemd/systemd-tty-ask-password-agent | 5 +++ apparmor.d/profiles-a-f/agetty | 6 +++- apparmor.d/profiles-g-l/login | 32 +++++++++++++++++-- apparmor.d/profiles-g-l/logrotate | 6 ++-- 6 files changed, 64 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 27afafef..2069e71c 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -38,11 +38,14 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{libexec}/* rPUx, - /{usr/,}lib/ibus/ibus-* rPx, /{usr/,}bin/ r, - /{usr/,}bin/[a-z0-9]* rPUx, + @{libexec}/* rPUx, + /{usr/,}lib/ibus/ibus-* rPx, + /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, + # Xubuntu + /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx, + /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx, /etc/dbus-1/{,**} r, @@ -71,7 +74,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dbus-1/services/ rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/sessions/*.ref rw, - @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/users/@{uid} r, @{sys}/kernel/security/apparmor/.access rw, 
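Review bot: `/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,` and the tumblerd rule beneath it use the `PUx` transition, which runs the helper unconfined whenever no profile for it is loaded. If the repository ships profiles for these two, `rPx` is the stricter and more honest transition; if it does not, extending the `# Xubuntu` comment to say the fallback is expected lets a reviewer tell intent from oversight. The reorder of the existing `@{libexec}` and ibus lines in the same hunk is cosmetic.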
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 3eac7118..90850476 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -65,12 +65,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat[0-9]* rw, - @{run}/systemd/sessions/ rw, - @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/.#* rw, + @{run}/systemd/sessions/{,*} rw, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/userdb/ r, @{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/users/ rw, @{run}/systemd/users/.#* rw, @{run}/systemd/users/@{uid} rw, 
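Review bot: `@{run}/systemd/sessions/{,*} rw,` reverts the split introduced one patch earlier (PATCH 013: `sessions/* r` plus `sessions/.#* rw`), restoring write access to every session file. If the stricter variant produced denials, a comment on the line saying which operation needs write on the session files themselves would stop the next tightening attempt from repeating the cycle. `@{run}/systemd/userdb/io.systemd.Machine rw,` is added here and in dbus-daemon in the same patch, likewise without a note.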
@@ -111,31 +110,28 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { # DBus # all members for login-related, specific for others dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), dbus (send, receive) bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), dbus (send, receive) - bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.Manager" peer=(name="{org.freedesktop.DBus,:*}"), + bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), dbus (send, receive) - bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.login1.Session" peer=(name="{org.freedesktop.DBus,:*}"), + bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.*" peer=(name="{org.freedesktop.DBus,:*}"), dbus receive - bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), + bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), - dbus (send, receive) - bus="system" path="/org/freedesktop/login1/*" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + dbus receive + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), dbus send - bus="system" path="/org/freedesktop/systemd1" 
interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), dbus receive - bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), - - dbus receive - bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), dbus send bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), 
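Review bot: the rewritten D-Bus block now carries two `org.freedesktop.DBus.Properties` rules for login1, `path="/org/freedesktop/login1{,/**}"` and `path="/org/freedesktop/login1/**"`, and the second is a strict subset of the first, so one can be dropped. The re-indented receive rule keeps `member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}"`, which lists `UnitRemoved` twice — presumably a duplicate, or a different signal name was intended; check a denial log rather than guess. Replacing the per-interface Manager and Session rules with `interface="org.freedesktop.login1.*"` on both send and receive with no `member=` is a real widening (every method on Seat and User objects too), so a short comment on why the explicit list was abandoned would help the next reviewer.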
@@ -144,13 +140,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), dbus send - bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"), + bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"), dbus send - bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), + bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), dbus receive - bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), dbus send bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"), diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index cc7a27e6..58bebab9 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -11,6 +11,8 @@ profile systemd-tty-ask-password-agent @{exec_path} { include include +# capability net_admin, + signal (receive) set=(term cont) peer=logrotate, @{exec_path} mr, 
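Review bot: `# capability net_admin,` is added as a commented-out rule with no explanation, so a reader cannot tell whether it is pending, rejected, or seen once in a log. Either leave it out or annotate it, e.g. `# capability net_admin, # seen in audit log, not granted: <reason>`, so the profile does not accumulate dead rules; the same pattern appears in login in this patch (`# capability net_admin,`, `# network netlink raw,`) and in logrotate in PATCH 015, where it is removed again one patch later.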
@@ -19,6 +21,9 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/systemd/ask-password/ r, @{PROC}/@{pids}/stat r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/cmdline r, + @{PROC}/1/environ r, include if exists } diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 969fadb1..8f615b7d 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -21,7 +21,11 @@ profile agetty @{exec_path} { /{usr/,}bin/login rPx, - /etc/issue r, + /{etc,run,lib,usr/lib}/issue r, + /{etc,run,lib,usr/lib}/issue.d/{,*} r, + /{,usr/}lib/os-release r, + /etc/inittab r, + /etc/os-release r, owner @{run}/agetty.reload rw, @{run}/resolvconf/resolv.conf r, diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 36bae0f8..83e984ce 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login 
@@ -18,20 +18,46 @@ profile login @{exec_path} { capability fsetid, capability setgid, capability setuid, + capability sys_resource, + capability audit_write, + capability dac_read_search, +# capability net_admin, + +# network netlink raw, @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rUx, /etc/environment r, + /etc/motd r, + /etc/legal r, + /etc/default/locale r, + /etc/security/pam_env.conf r, + /etc/security/group.conf r, + /etc/security/limits.conf r, + /etc/security/limits.d/{,*} r, /var/log/btmp{,.[0-9]*} r, @{run}/faillock/root rwk, @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/dbus/system_bus_socket rw, + @{run}/motd.dynamic{,.new} rw, + @{run}/systemd/sessions/*.ref rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/1/limits r, + + owner @{user_cache_dirs}/motd.legal-displayed rw, + + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"), include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index d4a880c5..f2fb65f4 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -31,6 +31,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, + /{usr/,}bin/grep rix, /{usr/,}bin/kill rix, /{usr/,}bin/ls rix, /{usr/,}bin/gzip rix, @@ -39,6 +40,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}lib/rsyslog/rsyslog-rotate rix, /{usr/,}bin/fail2ban-client rPx, /{usr/,}bin/systemd-tty-ask-password-agent rPx, + /{usr/,}bin/my_print_defaults rPUx, # no new privs #/{usr/,}bin/systemctl rCx -> systemctl, 
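Review bot: `capability audit_write,` is only usable through an audit netlink socket, and `# network netlink raw,` is left commented out in the same hunk, so login's audit records (presumably the reason for the capability) will still be denied while the capability is granted for nothing. Either uncomment `network netlink raw,` or drop the capability, and record the decision in a comment. The new `dbus send bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"),` rule has no `member=`, whereas a login session should only need the session-creation call on the Manager interface — if the audit log confirms that, narrowing with `member=` matches how the `Hello` rule above it is restricted.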
@@ -65,8 +67,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /var/lib/logrotate.status rwk, /var/lib/logrotate.status.tmp rw, - /var/log/ r, - /var/log/** rw, + /var/log{,.hdd}/ r, + /var/log{,.hdd}/** rw, # Needed to remove the following error: # logrotate[]: error: could not change directory to '.' From 722ce7f78f2c82aa8d7655125f3e9b7bed004bc3 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sat, 28 May 2022 17:39:32 +0300 Subject: [PATCH 015/165] logrotate: add shred --- apparmor.d/profiles-g-l/logrotate | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index f2fb65f4..0fe18098 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -32,6 +32,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, /{usr/,}bin/grep rix, + /{usr/,}bin/shred rix, /{usr/,}bin/kill rix, /{usr/,}bin/ls rix, /{usr/,}bin/gzip rix, @@ -49,6 +50,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { include ptrace (read), capability sys_ptrace, +# capability net_admin, owner @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/1/sched r, From 8b58289500ab8453ed9db278b519af44b8884b53 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 30 May 2022 00:19:16 +0300 Subject: [PATCH 016/165] more polishing --- apparmor.d/groups/ssh/sftp-server | 2 +- apparmor.d/profiles-g-l/logrotate | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) mode change 100644 => 100755 apparmor.d/profiles-g-l/logrotate diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3c516fd2..82c31bb8 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -13,7 +13,7 @@ profile sftp-server @{exec_path} { include capability dac_read_search, -# deny capability dac_override, + capability dac_override, @{exec_path} mr, 
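Review bot: `/var/log{,.hdd}/ r,` and `/var/log{,.hdd}/** rw,` bake a deployment-specific directory into the shared profile — `/var/log.hdd` looks like the on-disk copy kept by RAM-backed `/var/log` setups rather than a standard path — and the hunk does not say so. A comment such as `# /var/log.hdd: persistent copy used by RAM-backed /var/log setups` would tell other users why logrotate gets recursive write over that tree.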
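Review bot: turning `# deny capability dac_override,` into `capability dac_override,` moves from an explicit refusal to granting the capability that bypasses every file permission check, with no reason recorded. sftp-server normally runs as the logged-in user, so the capability only takes effect for root sessions; if a root SFTP session genuinely needs it, a comment naming the access that failed would justify the flip, otherwise keeping the deny (which also silences the log noise) is the safer default.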
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate old mode 100644 new mode 100755 index 0fe18098..96d0818d --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -39,9 +39,12 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}bin/zstd rix, /{usr/,}{s,}bin/invoke-rc.d rix, /{usr/,}lib/rsyslog/rsyslog-rotate rix, - /{usr/,}bin/fail2ban-client rPx, - /{usr/,}bin/systemd-tty-ask-password-agent rPx, - /{usr/,}bin/my_print_defaults rPUx, + + /{usr/,}bin/fail2ban-client rPx, + /{usr/,}bin/systemd-tty-ask-password-agent rPx, + /{usr/,}bin/my_print_defaults rPUx, + /{usr/,}bin/mysqladmin rPUx, + /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx, # no new privs #/{usr/,}bin/systemctl rCx -> systemctl, @@ -50,7 +53,6 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { include ptrace (read), capability sys_ptrace, -# capability net_admin, owner @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/1/sched r, From d9a0e24e402ccfd1c994e930634083f2cef639a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Jun 2022 19:06:06 +0100 Subject: [PATCH 017/165] revert(profiles): remove deprecated profiles. --- apparmor.d/groups/apt/usr.sbin.apt-cacher-ng | 43 ---- apparmor.d/profiles-s-z/usr.sbin.cupsd | 222 ------------------- 2 files changed, 265 deletions(-) delete mode 100644 apparmor.d/groups/apt/usr.sbin.apt-cacher-ng delete mode 100644 apparmor.d/profiles-s-z/usr.sbin.cupsd diff --git a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng deleted file mode 100644 index c4ceb489..00000000 --- a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng +++ /dev/null 
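Review bot: the file header records `old mode 100644 new mode 100755`, so this patch makes the logrotate profile executable; a policy file never needs the execute bit and this is most likely an accidental chmod from the editing host, to be reverted alongside the rule changes. Within the hunk, the new `rPUx` rules for `mysqladmin` and the php-fpm reopenlogs helper fall back to unconfined when no profile exists, consistent with the existing `my_print_defaults` line, so only the mode needs fixing here.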
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Felix Geyer -# SPDX-License-Identifier: GPL-2.0-only - -@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng - -include - -profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { - include - include - include - include - - /etc/apt-cacher-ng/ r, - /etc/apt-cacher-ng/** r, - /etc/hosts.{deny,allow} r, - /usr/sbin/apt-cacher-ng mr, - - /var/lib/apt-cacher-ng/** r, - /{,var/}run/apt-cacher-ng/* rw, - @{APT_CACHER_NG_CACHE_DIR}/ r, - @{APT_CACHER_NG_CACHE_DIR}/** rwl, - /var/log/apt-cacher-ng/ r, - /var/log/apt-cacher-ng/* rw, - /{,var/}run/systemd/notify w, - - /{usr/,}bin/dash ixr, - /{usr/,}bin/ed ixr, - /{usr/,}bin/red ixr, - /{usr/,}bin/sed ixr, - - /usr/lib/apt-cacher-ng/acngtool ixr, - - # Allow serving local documentation - /etc/mime.types r, - /usr/share/doc/apt-cacher-ng/html/** r, - - # used by libevent - @{PROC}/sys/kernel/random/uuid r, - - include if exists -} diff --git a/apparmor.d/profiles-s-z/usr.sbin.cupsd b/apparmor.d/profiles-s-z/usr.sbin.cupsd deleted file mode 100644 index 975e8146..00000000 --- a/apparmor.d/profiles-s-z/usr.sbin.cupsd +++ /dev/null 
@@ -1,222 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2007 Martin Pitt -# SPDX-License-Identifier: GPL-2.0-only - -#include - -/usr/sbin/cupsd flags=(attach_disconnected) { - #include - #include - #include - #include - #include - #include - #include - #include - - capability chown, - capability fowner, - capability fsetid, - capability kill, - capability net_bind_service, - capability setgid, - capability setuid, - capability audit_write, - capability wake_alarm, - deny capability block_suspend, - - # noisy - deny signal (send) set=("term") peer=unconfined, - - # nasty, but we limit file access pretty tightly, and cups chowns a - # lot of files to 'lp' which it cannot read/write afterwards any - # more - capability dac_override, - capability dac_read_search, - - # the bluetooth backend needs this - network bluetooth, - - # the dnssd backend uses those - network x25 seqpacket, - network ax25 dgram, - network netrom seqpacket, - network rose dgram, - network ipx dgram, - network appletalk dgram, - network econet dgram, - network ash dgram, - - # CUPS is of systemd service type "notify" now, meaning that cupsd notifies - # systemd when it is up and running, give CUPS access to systemd's - # notification socket - @{run}/systemd/notify w, - - /{usr/,}bin/bash ixr, - /{usr/,}bin/dash ixr, - /{usr/,}bin/hostname ixr, - /dev/lp* rw, - deny /dev/tty rw, # silence noise - /dev/ttyS* rw, - /dev/ttyUSB* rw, - /dev/usb/lp* rw, - /dev/bus/usb/ r, - /dev/bus/usb/** rw, - /dev/parport* rw, - /etc/cups/ rw, - /etc/cups/** rw, - /etc/cups/interfaces/* ixrw, - /etc/foomatic/* r, - /etc/gai.conf r, - /etc/papersize r, - /etc/pnm2ppa.conf r, - /etc/printcap rwl, - /etc/ssl/** r, - /etc/letsencrypt/archive/** r, - @{PROC}/net/ r, - @{PROC}/net/* r, - @{PROC}/sys/dev/parport/** r, - @{PROC}/*/net/ r, - @{PROC}/*/net/** r, - @{PROC}/*/auxv r, - @{PROC}/sys/crypto/** r, - /sys/** r, - /usr/bin/* ixr, - /usr/sbin/* ixr, - /{usr/,}bin/* ixr, - /{usr/,}{s,}bin/* 
ixr, - /usr/lib/** rm, - - # backends which come with CUPS can be confined - /usr/lib/cups/backend/bluetooth ixr, - /usr/lib/cups/backend/dnssd ixr, - /usr/lib/cups/backend/http ixr, - /usr/lib/cups/backend/ipp ixr, - /usr/lib/cups/backend/lpd ixr, - /usr/lib/cups/backend/mdns ixr, - /usr/lib/cups/backend/parallel ixr, - /usr/lib/cups/backend/serial ixr, - /usr/lib/cups/backend/snmp ixr, - /usr/lib/cups/backend/socket ixr, - /usr/lib/cups/backend/usb ixr, - - # we treat cups-pdf specially, since it needs to write into /home - # and thus needs extra paranoia - /usr/lib/cups/backend/cups-pdf Px, - - # allow communicating with cups-pdf via Unix sockets - unix peer=(label=/usr/lib/cups/backend/cups-pdf), - - # third party backends get no restrictions as they often need high - # privileges and this is beyond our control - /usr/lib/cups/backend/* Cx -> third_party, - - /usr/lib/cups/cgi-bin/* ixr, - /usr/lib/cups/daemon/* ixr, - /usr/lib/cups/monitor/* ixr, - /usr/lib/cups/notifier/* ixr, - # filters and drivers (PPD generators) are always run as non-root, - # and there are a lot of third-party drivers which we cannot predict - /usr/lib/cups/filter/** Cxr -> third_party, - /usr/lib/cups/driver/* Cxr -> third_party, - /usr/local/** rm, - /usr/local/lib/cups/** rix, - /usr/share/** r, - /{,var/}run/** rm, - /{,var/}run/avahi-daemon/socket rw, - deny /{,var/}run/samba/ rw, - /{,var/}run/samba/** rw, - /var/cache/samba/*.tdb r, - /var/{cache,lib}/samba/printing/printers.tdb r, - /{,var/}run/cups/ rw, - /{,var/}run/cups/** rw, - /var/cache/cups/ rw, - /var/cache/cups/** rwk, - /var/log/cups/ rw, - /var/log/cups/* rw, - /var/spool/cups/ rw, - /var/spool/cups/** rw, - - # third-party printer drivers; no known structure here - /opt/** rix, - - # FIXME: no policy ATM for hplip and Brother drivers - /usr/bin/hpijs Cx -> third_party, - /usr/Brother/** Cx -> third_party, - - # Kerberos authentication - /etc/krb5.conf r, - deny /etc/krb5.conf w, - /etc/krb5.keytab rk, - 
/etc/cups/krb5.keytab rwk, - /tmp/krb5cc* k, - - # likewise authentication - /etc/likewise r, - /etc/likewise/* r, - - # silence noise - deny /etc/udev/udev.conf r, - - signal peer=/usr/sbin/cupsd//third_party, - unix peer=(label=/usr/sbin/cupsd//third_party), - profile third_party flags=(attach_disconnected) { - # third party backends, filters, and drivers get relatively no restrictions - # as they often need high privileges, are unpredictable or otherwise beyond - # our control - file, - capability, - audit deny capability mac_admin, - network, - dbus, - signal, - ptrace, - unix, - } - - include if exists -} - -# separate profile since this needs to write into /home -/usr/lib/cups/backend/cups-pdf { - #include - #include - #include - #include - - capability chown, - capability fowner, - capability fsetid, - capability setgid, - capability setuid, - - # unfortunate, but required for when $HOME is 700 - capability dac_override, - capability dac_read_search, - - # allow communicating with cupsd via Unix sockets - unix peer=(label=/usr/sbin/cupsd), - - @{PROC}/*/auxv r, - - /{usr/,}bin/dash ixr, - /{usr/,}bin/bash ixr, - /{usr/,}bin/cp ixr, - /etc/papersize r, - /etc/cups/cups-pdf.conf r, - /etc/cups/ppd/*.ppd r, - /usr/bin/gs ixr, - /usr/lib/cups/backend/cups-pdf mr, - /usr/lib/ghostscript/** mr, - /usr/share/** r, - /var/log/cups/cups-pdf*_log w, - /var/spool/cups/** r, - /var/spool/cups-pdf/** rw, - - # allow read and write on almost anything in @{HOME} (lenient, but - # private-files-strict is in effect), to support customized "Out" - # setting in cups-pdf.conf (Debian#940578) - #include - @{HOME}/[^.]*/{,**/} rw, - @{HOME}/[^.]*/** rw, -} From 1ca1aa88928d8ec97dd935ea63a235b3f4e63354 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Jun 2022 19:09:03 +0100 Subject: [PATCH 018/165] feat(aa-log): add support for dbus log. --- cmd/aa-log/main.go | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) 
diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index a6e61246..57aa9bca 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -28,9 +28,13 @@ const LogFile = "/var/log/audit/audit.log" // Colors const ( Reset = "\033[0m" + FgRed = "\033[31m" + FgGreen = "\033[32m" FgYellow = "\033[33m" FgBlue = "\033[34m" FgMagenta = "\033[35m" + FgCian = "\033[36m" + FgWhite = "\033[37m" BoldRed = "\033[1;31m" BoldGreen = "\033[1;32m" BoldYellow = "\033[1;33m" @@ -100,10 +104,12 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { } // Clean logs + regex := regexp.MustCompile(`type=(USER_|)AVC msg=audit(.*): (pid=.*msg='|)apparmor`) + log = regex.ReplaceAllLiteralString(log, "apparmor") regexAppArmorLogs := map[*regexp.Regexp]string{ - regexp.MustCompile(`type=AVC msg=audit(.*): apparmor`): "apparmor", - regexp.MustCompile(` fsuid.*`): "", - regexp.MustCompile(`pid=.* comm`): "comm", + regexp.MustCompile(`(peer_|)pid=[0-9]* `): "", + regexp.MustCompile(` fsuid.*`): "", + regexp.MustCompile(` exe=.*`): "", } for regex, value := range regexAppArmorLogs { log = regex.ReplaceAllLiteralString(log, value) 
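Review bot: `FgCian` is a misspelling of cyan; the other exported names in this const block follow the ANSI colour names (`FgRed`, `FgGreen`, `FgYellow`, `FgWhite`), so `FgCyan = "\033[36m"` would fit the set. It is already referenced as `FgCian + "bus="` in the `String` method later in this patch, so renaming now avoids a wider rename once more callers appear.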
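Review bot: `regexAppArmorLogs` is a map and `for regex, value := range regexAppArmorLogs` visits it in randomized order, so the cleanup substitutions run in a different sequence on every invocation. Today the three patterns are independent (`(peer_|)pid=[0-9]* ` removes one field, ` fsuid.*` and ` exe=.*` both cut to end of line), so the output is stable, but the next pattern added may not be; a slice of regex/replacement pairs would make the order explicit, or a comment `// order-independent: each pattern removes a distinct field` should state the invariant. The new pre-pass `type=(USER_|)AVC msg=audit(.*): (pid=.*msg='|)apparmor` strips the opening `msg='` of a USER_AVC record while its closing `'` survives at the end of the line; when ` exe=.*` is absent from a record that quote lands in the last field's value, so a test built from a real USER_AVC line would be worth adding.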
@@ -146,18 +152,28 @@ func (aaLogs AppArmorLogs) String() string { } // Order of impression keys := []string{ - "profile", "operation", "name", "info", "comm", "laddr", - "lport", "faddr", "fport", "family", "sock_type", "protocol", + "profile", "peer_label", // Profile name + "operation", "name", + "mask", "bus", "path", "interface", "member", // dbus + "info", "comm", + "laddr", "lport", "faddr", "fport", "family", "sock_type", "protocol", "requested_mask", "denied_mask", "signal", "peer", // "fsuid", "ouid", "FSUID", "OUID", } // Optional colors template to use colors := map[string]string{ "profile": FgBlue, + "peer_label": FgBlue, "operation": FgYellow, "name": FgMagenta, + "mask": BoldRed, + "bus": FgCian + "bus=", + "path": "path=" + FgWhite, "requested_mask": "requested_mask=" + BoldRed, "denied_mask": "denied_mask=" + BoldRed, + "interface": "interface=" + FgWhite, + "member": "member=" + FgGreen, } + for _, log := range aaLogs { seen := map[string]bool{"apparmor": true} res += state[log["apparmor"]] @@ -174,7 +190,7 @@ func (aaLogs AppArmorLogs) String() string { } for key, value := range log { - if !seen[key] { + if !seen[key] && value != "" { res += " " + key + "=" + toQuote(value) } } From 879416b0628024edee02c165d543d908c6ce25ca Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 3 Jun 2022 19:38:34 +0100 Subject: [PATCH 019/165] feat(profiles): better system nss rules in nameservice-strict. --- apparmor.d/abstractions/nameservice-strict | 30 +++++++++++-------- apparmor.d/groups/bus/dbus-daemon | 2 -- .../groups/freedesktop/polkit-agent-helper | 1 - apparmor.d/groups/freedesktop/polkitd | 1 - apparmor.d/groups/gnome/gdm | 1 - apparmor.d/groups/gnome/nautilus | 1 - apparmor.d/groups/gvfs/gvfsd-recent | 1 - apparmor.d/groups/network/nm-openvpn-service | 1 - apparmor.d/groups/systemd/systemd-logind | 5 ---- apparmor.d/groups/systemd/systemd-tmpfiles | 1 - apparmor.d/groups/systemd/userdbctl | 3 -- apparmor.d/groups/ubuntu/ubuntu-report | 2 -- apparmor.d/groups/ubuntu/update-notifier | 4 --- apparmor.d/groups/virt/cockpit-bridge | 1 - apparmor.d/groups/virt/cockpit-session | 1 - apparmor.d/profiles-a-f/auditd | 1 - apparmor.d/profiles-g-l/lastlog | 2 -- apparmor.d/profiles-g-l/login | 2 -- apparmor.d/profiles-m-r/pwck | 2 -- apparmor.d/profiles-m-r/rsyslogd | 1 - apparmor.d/profiles-s-z/su | 3 -- apparmor.d/profiles-s-z/sudo | 2 -- 22 files changed, 18 insertions(+), 50 deletions(-) diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 7c6f49e3..a0306e00 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict 
@@ -1,24 +1,30 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
- /etc/hosts r,
- /etc/host.conf r,
- /etc/resolv.conf r,
+ @{etc_ro}/default/nss r,
+ @{etc_ro}/gai.conf r,
+ @{etc_ro}/group r,
+ @{etc_ro}/host.conf r,
+ @{etc_ro}/hosts r,
+ @{etc_ro}/nsswitch.conf r,
+ @{etc_ro}/passwd r,
+ @{etc_ro}/protocols r,
+ @{etc_ro}/resolv.conf r,
+ @{etc_ro}/services r,
+ @{run}/systemd/resolve/stub-resolv.conf r,
- /etc/nsswitch.conf r,
- /etc/passwd r,
- /etc/gai.conf r,
- /etc/group r,
- /etc/protocols r,
- /etc/default/nss r,
- /etc/services r,
 # NSS records from systemd-userdbd.service
 @{run}/systemd/userdb/ r,
- @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+ @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
+ @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
+ @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
+ @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+ @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
 @{PROC}/sys/kernel/random/boot_id r,
 include if exists
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 2069e71c..fae30c40 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -74,8 +74,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dbus-1/services/ rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/systemd/sessions/*.ref rw,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
- @{run}/systemd/userdb/io.systemd.Machine rw,
 @{run}/systemd/users/@{uid} r,
 @{sys}/kernel/security/apparmor/.access rw,
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index 4e9e67fe..e4d804aa 100644
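Review bot: The five `io.systemd.*` rules go from `r` to `rw` for every profile that includes this abstraction, and nothing in the file says why; these are the systemd-userdbd query sockets, where a connect() is mediated as a write, so a comment above them such as `# systemd-userdbd Varlink sockets: w is needed to connect(), it does not allow editing records` would keep a later reviewer from "tightening" them back to the `r` the removed line had. The per-profile removals that follow in this commit (dbus-daemon, polkit-agent-helper, polkitd, gdm, nautilus, gvfsd-recent, nm-openvpn-service, systemd-logind, systemd-tmpfiles, userdbctl, ubuntu-report, update-notifier, cockpit-bridge, cockpit-session, auditd, lastlog, login, pwck, rsyslogd, su, sudo) presume that each of those profiles includes `abstractions/nameservice-strict` rather than plain `abstractions/nameservice`; that include line sits outside every hunk shown, so it is worth checking per file, since a profile without it silently loses the userdb and `/etc/passwd` access it had.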
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -35,7 +35,6 @@ profile polkit-agent-helper @{exec_path} { owner @{HOME}/.xsession-errors w, @{run}/faillock/[a-zA-z0-9]* rwk, - @{run}/systemd/userdb/io.systemd.DynamicUser w, include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 289496ba..c6da6e1f 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -52,7 +52,6 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{run}/systemd/userdb/io.systemd.DynamicUser w, # Silencer deny /.cache/ rw, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 9bfac45c..dcfb5182 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -46,7 +46,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{run}/systemd/seats/seat[0-9]* r, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref r, - @{run}/systemd/userdb/ r, @{run}/systemd/users/@{uid} r, @{run}/udev/tags/master-of-seat/ r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 16a887a8..d5ebffde 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -46,7 +46,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/user rw, @{run}/mount/utab r, - @{run}/systemd/userdb/ r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index a245dcfe..072e6be0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -31,7 +31,6 @@ profile gvfsd-recent @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, - @{run}/systemd/userdb/ r, @{run}/mount/utab r, include if exists 
diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 5c799a41..3676d643 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -24,7 +24,6 @@ profile nm-openvpn-service @{exec_path} { /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx, /{usr/,}bin/kmod rPx, - @{run}/systemd/userdb/ r, @{run}/NetworkManager/nm-openvpn-@{uuid} rw, /dev/net/tun rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 90850476..a306815a 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -26,8 +26,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, /etc/machine-id r, - /etc/nsswitch.conf r, - /etc/passwd r, /etc/systemd/logind.conf r, /etc/systemd/sleep.conf r, @@ -67,9 +65,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/seats/seat[0-9]* rw, @{run}/systemd/sessions/{,*} rw, @{run}/systemd/sessions/*.ref rw, - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/users/ rw, @{run}/systemd/users/.#* rw, @{run}/systemd/users/@{uid} rw, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 07f1a181..4356579f 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -46,7 +46,6 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /usr/{,**} rw, /var/{,**} rwk, - @{run}/systemd/userdb/ r, @{sys}/devices/system/cpu/microcode/reload w, @{PROC}/@{pid}/net/unix r, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 08411531..caaee986 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl 
@@ -18,12 +18,9 @@ profile userdbctl @{exec_path} { /{usr/,}bin/less rPx -> child-pager, - /etc/group r, /etc/shadow r, /etc/gshadow r, - @{run}/systemd/userdb/ r, - @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index a6b6447d..f7348d1a 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -17,8 +17,6 @@ profile ubuntu-report @{exec_path} { owner @{user_cache_dirs}/ubuntu-report/{,*} r, - @{run}/systemd/resolve/stub-resolv.conf r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 08139166..ed52d32f 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -52,12 +52,8 @@ profile update-notifier @{exec_path} { owner /tmp/#[0-9]* rw, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/systemd/userdb/ r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, - @{PROC}/sys/kernel/random/boot_id r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 9b4b840e..f3367b5e 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -39,7 +39,6 @@ profile cockpit-bridge @{exec_path} { owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, - @{run}/systemd/userdb/ r, @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index b91630d0..5601ea91 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session 
@@ -33,7 +33,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/systemd/sessions/*.ref rw, - @{run}/systemd/userdb/ r, @{run}/utmp rwk, /var/log/btmp rw, diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 81074daa..a9158b76 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -30,7 +30,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) { owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, @{run}/systemd/journal/dev-log w, - @{run}/systemd/userdb/ r, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index f1534002..3bfc4a63 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -19,7 +19,5 @@ profile lastlog @{exec_path} { /var/log/lastlog r, /etc/login.defs r, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - include if exists } diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 83e984ce..ffcf468d 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -41,8 +41,6 @@ profile login @{exec_path} { /var/log/btmp{,.[0-9]*} r, @{run}/faillock/root rwk, - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, @{run}/dbus/system_bus_socket rw, @{run}/motd.dynamic{,.new} rw, @{run}/systemd/sessions/*.ref rw, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 34780b69..f6d1e7c5 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -24,7 +24,5 @@ profile pwck @{exec_path} { /etc/shadow.[0-9]* rw, /etc/shadow.lock wl, - @{run}/systemd/userdb/ r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 77fe8d1e..65616a18 100644 --- a/apparmor.d/profiles-m-r/rsyslogd 
+++ b/apparmor.d/profiles-m-r/rsyslogd @@ -60,7 +60,6 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/notify w, include if exists diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 19d1ec1c..24654d78 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -60,9 +60,6 @@ profile su @{exec_path} { /dev/{,pts/}ptmx rw, @{run}/dbus/system_bus_socket rw, - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.Machine rw, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, dbus (send) bus=system diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index c5a7aed5..a72ee364 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -77,8 +77,6 @@ profile sudo @{exec_path} { owner @{HOME}/.sudo_as_admin_successful rw, - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, @{run}/resolvconf/resolv.conf r, /dev/ r, # interactive login From 8142ad657d578ea7aa3b02751b220966dbe653a5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Jun 2022 19:41:12 +0100 Subject: [PATCH 020/165] fix(aa-log): remove unused variable. --- cmd/aa-log/main.go | 1 - 1 file changed, 1 deletion(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 57aa9bca..ee123429 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -28,7 +28,6 @@ const LogFile = "/var/log/audit/audit.log" // Colors const ( Reset = "\033[0m" - FgRed = "\033[31m" FgGreen = "\033[32m" FgYellow = "\033[33m" FgBlue = "\033[34m" From c32b19a808e66c424bc842c4f882d7b0fb0d3577 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 3 Jun 2022 20:13:11 +0100 Subject: [PATCH 021/165] feat(profiles): general update. --- apparmor.d/groups/apt/apt | 5 + apparmor.d/groups/apt/unattended-upgrade | 1 + .../groups/apt/unattended-upgrade-shutdown | 2 + apparmor.d/groups/bus/dbus-daemon | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 11 +- .../groups/freedesktop/at-spi-bus-launcher | 2 +- apparmor.d/groups/freedesktop/colord-session | 3 +- apparmor.d/groups/freedesktop/pulseaudio | 119 ++++++++---------- .../groups/freedesktop/xdg-desktop-portal | 1 - .../freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/gnome/gdm | 11 +- apparmor.d/groups/gnome/gdm-session-worker | 9 +- apparmor.d/groups/gnome/gdm-wayland-session | 9 +- apparmor.d/groups/gnome/gnome-calendar | 2 - apparmor.d/groups/gnome/gnome-contacts | 4 +- apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gnome/gnome-extension-ding | 5 +- apparmor.d/groups/gnome/gnome-session-binary | 8 +- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/gnome/tracker-miner | 5 +- apparmor.d/groups/pacman/pacman | 4 + apparmor.d/groups/ssh/sshd | 6 +- apparmor.d/groups/systemd/bootctl | 4 +- apparmor.d/groups/systemd/networkctl | 6 +- apparmor.d/groups/systemd/systemd-hostnamed | 9 +- apparmor.d/groups/ubuntu/apport-checkreports | 6 +- .../groups/ubuntu/package-system-locked | 1 + apparmor.d/profiles-a-f/aurpublish | 2 + apparmor.d/profiles-a-f/borg | 7 +- apparmor.d/profiles-g-l/git | 2 + apparmor.d/profiles-m-r/mkinitramfs | 67 +++++----- apparmor.d/profiles-m-r/qemu-ga | 2 + apparmor.d/profiles-m-r/rsyslogd | 24 +--- apparmor.d/profiles-s-z/spice-vdagent | 2 +- apparmor.d/profiles-s-z/spice-vdagentd | 7 +- apparmor.d/profiles-s-z/switcheroo-control | 4 +- apparmor.d/profiles-s-z/ucf | 34 ++--- .../profiles-s-z/update-command-not-found | 21 ++-- 40 files changed, 218 insertions(+), 196 deletions(-) 
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e354e6ed..588f324c 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -33,6 +33,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,e}grep rix, /{usr/,}bin/echo rix, /{usr/,}bin/gdbus rix, + /{usr/,}bin/ischroot rix, /{usr/,}bin/test rix, /{usr/,}bin/touch rix, @@ -49,7 +50,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dpkg-source rcx -> dpkg-source, /{usr/,}bin/etckeeper rPx, /{usr/,}bin/ps rPx, + /{usr/,}bin/snap rPUx, + /{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, + /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/command-not-found/cnf-update-db rPx, @@ -81,6 +85,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/lock{,-frontend} rwk, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, /dev/ptmx rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 787333c6..c3cf5a2a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -37,6 +37,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/dpkg rPx, /{usr/,}bin/etckeeper rPx, + /{usr/,}bin/ischroot rix, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/uname rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index a8b0028b..d93d7ea5 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -14,6 +14,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /{usr/,}bin/ischroot rix, + /usr/share/unattended-upgrades/{,*} r, /etc/apt/apt.conf.d/{,*} r, 
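Review bot: `/{usr/,}bin/snap rPUx` in the second hunk runs snap unconfined whenever no `snap` profile is loaded, and nothing records that the fallback is deliberate; if it is, a comment (`# PUx: falls back to unconfined when no snap profile is present`) documents the accepted gap, otherwise `rPx` fails closed like the neighbouring `cnf-update-db` and `apt-esm-hook` transitions. In the third hunk `@{PROC}/@{pids}/mountinfo r` exposes the mount table of every process; if apt reads its own, `owner @{PROC}/@{pid}/mountinfo r` suffices, and if the newly allowed `ischroot` (run `rix`, so under this profile) compares against init, `@{PROC}/1/mountinfo r` names the one target — the denial that motivated the rule would tell which. `ischroot rix` is also added to `unattended-upgrade` and `unattended-upgrade-shutdown` in this commit without a matching mountinfo rule, which suggests either that the rule is for apt itself or that those profiles already have one outside their hunks. The `apt` profile continues outside these hunks.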
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index fae30c40..0a50c981 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -81,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 22ea486e..aa638961 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -15,6 +15,8 @@ profile accounts-daemon @{exec_path} { include capability dac_read_search, + capability setgid, + capability setuid, capability sys_nice, capability sys_ptrace, @@ -25,9 +27,10 @@ profile accounts-daemon @{exec_path} { /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, - /etc/gdm/ r, - /etc/gdm/custom.conf rw, - /etc/gdm/custom.conf.* rw, + /etc/default/locale r, + /etc/gdm{3,}/ r, + /etc/gdm{3,}/custom.conf rw, + /etc/gdm{3,}/custom.conf.* rw, /etc/machine-id r, /etc/shadow r, /etc/shells r, @@ -35,6 +38,8 @@ profile accounts-daemon @{exec_path} { owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, + @{HOME}/ r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 9f4df2b1..bf3c14b5 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher 
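Review bot: The change from `@{PROC}/@{pid}/mounts r` to `@{PROC}/@{pids}/mounts r` lets dbus-daemon read the mount table of any process rather than only its own, and no `owner` qualifier narrows it. The surrounding rules already read peers' `attr/apparmor/current`, `oom_score_adj` and `cmdline`, so this may well be intended, but a comment naming the peer lookup that needs it (`# @{pids}: <reason> — TODO confirm from the denial`) would distinguish a deliberate grant from an over-broad fix for a single audit line. The `dbus-daemon` profile continues outside this hunk.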
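Review bot: `capability setgid` and `capability setuid` in the first hunk are a real widening for a daemon that already reads `/etc/shadow` (visible in the second hunk) and now lists `@{HOME}/` (third hunk), yet the reason is not recorded. A short comment above them naming the operation that has to change credentials (`# setuid/setgid: <operation> — TODO confirm from the denial`) makes the grant reviewable later instead of looking like a reflexive answer to an audit line. The `accounts-daemon` profile body continues outside these hunks.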
@@ -37,7 +37,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - + /var/lib/lightdm/.Xauthority r, /var/lib/gdm/.config/dconf/user r, diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session index 78d639a5..3c57adf2 100644 --- a/apparmor.d/groups/freedesktop/colord-session +++ b/apparmor.d/groups/freedesktop/colord-session @@ -6,7 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session +@{exec_path} = /{usr/,}lib/colord/colord-session +@{exec_path} += @{libexec}/colord-session profile colord-session @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index c5787e2c..1025fc33 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -16,12 +16,17 @@ profile pulseaudio @{exec_path} { include include include + include + include include ptrace (trace) peer=@{profile_name}, signal (receive) peer=pacmd, + unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), + unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), + network inet stream, network inet6 stream, network netlink raw, 
@@ -29,65 +34,6 @@ profile pulseaudio @{exec_path} { network bluetooth stream, network bluetooth seqpacket, - @{exec_path} mrix, - - /{usr/,}lib{exec,}/pulse/gsettings-helper mrix, - /{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix, - /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, - - # PulseAudio files - /usr/share/pulseaudio/{,**} r, - /{usr/,}lib/pulse-*/modules/*.so mr, - - # PulseAudio home config files - owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_config_dirs}/dconf/user r, - - owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, - - # Needed when PulseAudio is started via the start-pulseaudio-x11 script - owner @{HOME}/.Xauthority r, - - # Needed when PulseAudio is started via gdm - owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - owner @{HOME}/.ICEauthority r, - - # TCP wrap - /etc/hosts.{allow,deny} r, - - owner @{run}/user/@{uid}/ rw, - owner @{run}/user/@{uid}/pulse/{,*} rw, - owner @{run}/user/@{uid}/pulse/*.lock k, - - /usr/share/applications/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{sys}/devices/**/sound/**/{uevent,pcm_class} r, - @{run}/udev/data/+sound* r, - @{run}/udev/data/c116:[0-9]* r, # For ALSA - - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, - - deny @{sys}/module/apparmor/parameters/enabled r, - - @{run}/systemd/users/@{uid} r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/ICEauthority r, - owner @{run}/user/@{uid}/systemd/notify rw, - - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/cmdline r, - - # DBus dbus (send) bus=session path=/org/freedesktop/DBus 
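Review bot: Several rules removed in this hunk are not re-added on the new side of the file anywhere in this commit — `/{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix`, `/etc/hosts.{allow,deny} r`, `@{sys}/bus/ r`, `@{sys}/class/ r` and the `@{sys}/devices/system/node/` meminfo pair — although the GStreamer registry rule they belong with is kept in the last hunk. If dropping them is intentional it belongs in the commit message, because a commit titled "general update" that otherwise reads as a reorder will hide a behaviour change; if not, they should be restored alongside the moved rules. The rest of the `pulseaudio` profile is in the following hunks.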
@@ -139,14 +85,18 @@ profile pulseaudio @{exec_path} { member=GetManagedObjects peer=(name=org.bluez), - unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), - unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), + @{exec_path} mrix, - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - owner @{run}/user/@{uid}/orcexec.* mrw, - #owner @{HOME}/orcexec.* mrw, - #owner /tmp/orcexec.* mrw, + /{usr/,}@{libexec}/pulse/gsettings-helper mrix, + /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, + /{usr/,}lib/pulse-*/modules/*.so mr, + + /usr/share/applications/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/pulseaudio/{,**} r, + /usr/share/ubuntu/applications/{,*} r, + + /var/lib/snapd/desktop/applications/ r, # For GDM owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw, 
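Review bot: `/{usr/,}@{libexec}/pulse/gsettings-helper mrix` prefixes `@{libexec}` with `/{usr/,}`, but elsewhere in this same commit `@{libexec}` is used on its own as an absolute path (`@{exec_path} += @{libexec}/colord-session`, `@{libexec}/gdm-session-worker rPx`), so the expansion here would begin with `//` or `/usr//` and is unlikely to match the helper; the line it replaces was `/{usr/,}lib{exec,}/pulse/gsettings-helper mrix`, so either that form or `@{libexec}/pulse/gsettings-helper mrix` is wanted — worth confirming against the tunable's definition. This hunk also drops `owner @{run}/user/@{uid}/orcexec.* mrw` with no replacement; not letting a confined process map a file it can also write is a good outcome, but if ORC/GStreamer JIT is still exercised inside pulseaudio it will surface as `orcexec.*` denials, so the removal should be deliberate and mentioned in the commit message.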
@@ -164,13 +114,42 @@ profile pulseaudio @{exec_path} { owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/cookie k, + owner @{HOME}/.Xauthority r, + owner @{HOME}/.ICEauthority r, + + owner @{user_config_dirs}/pulse/{,**} rw, + owner @{user_config_dirs}/dconf/user r, + + owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, + + owner @{run}/user/@{uid}/ rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, + owner @{run}/user/@{uid}/ICEauthority r, + owner @{run}/user/@{uid}/pulse/{,*} rw, + owner @{run}/user/@{uid}/pulse/*.lock k, + owner @{run}/user/@{uid}/systemd/notify rw, + + @{run}/systemd/users/@{uid} r, + + @{run}/udev/data/+sound* r, + @{run}/udev/data/c116:[0-9]* r, # For ALSA + + @{sys}/class/sound/ r, + @{sys}/devices/**/sound/**/{uevent,pcm_class} r, + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + + deny @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/cmdline r, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - # Snap - /var/lib/snapd/desktop/applications/ r, - /usr/{local/,}share/ubuntu/applications/{,*} r, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cc70c3bc..cfb29dc8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -28,7 +28,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, - /{usr/,}lib/x r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/pipewire/client.conf r, 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index c5075fb3..a74d3c75 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -10,6 +10,7 @@ include profile xdg-desktop-portal-gnome @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index dcfb5182..0d51bc9a 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -26,13 +26,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/plymouth rPx, - /{usr/,}lib/gdm-session-worker rPx, - + /{usr/,}{s,}prime-switch rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/plymouth rPx, + /etc/gdm{3,}/PrimeOff/Default rix, + @{libexec}/gdm-session-worker rPx, + /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/locale.conf r, @@ -49,6 +53,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/udev/tags/master-of-seat/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 49938a96..d93b104f 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -45,6 +45,10 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{libexec}/gdm-wayland-session rPx, @{libexec}/gdm-x-session rPx, /etc/gdm{3,}/{Pre,Post}Session/Default rix, + /etc/gdm{3,}/PrimeOff/Default rix, + + /usr/share/gdm/gdm.schemas r, + /usr/share/wayland-sessions/*.desktop r, /etc/default/locale r, /etc/environment r, 
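Review bot: `/{usr/,}{s,}prime-switch rPx` in the gdm hunk appears to be missing the `bin/` segment: as written it expands to `/prime-switch`, `/sprime-switch`, `/usr/prime-switch` and `/usr/sprime-switch`, none of which is where a binary lives, whereas the neighbouring `/{usr/,}bin/plymouth rPx` shows the intended shape — `/{usr/,}{s,}bin/prime-switch rPx` is presumably what is meant. Because the transition is `rPx`, a non-matching path fails closed, so this will show up as an exec denial on the real path rather than as an over-grant. The `gdm` profile continues outside this hunk, as does the `gdm-session-worker` hunk that adds the same `/etc/gdm{3,}/PrimeOff/Default rix` rule.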
@@ -56,8 +60,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/security/limits.d/{,*.conf} r, /etc/shells r, - /usr/share/gdm/gdm.schemas r, - /usr/share/wayland-sessions/*.desktop r, + owner @{run}/user/@{uid}/keyring/control rw, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/gdm/custom.conf r, @@ -65,8 +68,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index d906f01e..57c084d5 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -22,18 +22,19 @@ profile gdm-wayland-session @{exec_path} { @{exec_path} mr, - # It can run hooks, how to handle them nicely? rCx? them mostly include if exist - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/env rix, + /{usr/,}bin/gettext rix, /{usr/,}bin/gnome-session rix, /{usr/,}bin/grep rix, /{usr/,}bin/gsettings rix, + /{usr/,}bin/head rix, /{usr/,}bin/locale rix, /{usr/,}bin/locale-check rix, + /{usr/,}bin/qmake rix, /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, /{usr/,}bin/tty rix, - /{usr/,}bin/gettext rix, /{usr/,}bin/zsh rix, /{usr/,}bin/dbus-daemon rPx, @@ -42,12 +43,14 @@ profile gdm-wayland-session @{exec_path} { /{usr/,}bin/flatpak rPUx, @{libexec}/gnome-session-binary rPx, + /{usr/,}bin/gettext.sh r, /usr/share/im-config/{,**} r, /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, /etc/machine-id r, /etc/shells r, + /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, /usr/share/gdm/gdm.schemas r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 0490d755..8af7526e 100644 --- a/apparmor.d/groups/gnome/gnome-calendar 
+++ b/apparmor.d/groups/gnome/gnome-calendar @@ -30,7 +30,5 @@ profile gnome-calendar @{exec_path} { owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index fd682a6b..ed46dfb1 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -14,6 +14,7 @@ profile gnome-contacts @{exec_path} { include include include + include include include include @@ -28,14 +29,11 @@ profile gnome-contacts @{exec_path} { /usr/share/applications/{,*.desktop} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_share_dirs}/folks/relationships.ini r, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index eb181ea6..435d438f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 88bcdf23..1051a928 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -10,8 +10,9 @@ include profile gnome-extension-ding @{exec_path} { include include - include include + include + include @{exec_path} mr, 
@@ -22,7 +23,7 @@ profile gnome-extension-ding @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, /usr/share/themes/{,**} r, - /usr/share/thumbnailers/*.thumbnailer r, + /usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/X11/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f9711333..23077485 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -43,17 +43,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/aa-notify rPx, /{usr/,}bin/blueman-applet rPx, - /{usr/,}bin/xdg-user-dirs-update rPx, /{usr/,}bin/firewall-applet rPUx, /{usr/,}bin/gnome-keyring-daemon rPx, /{usr/,}bin/gnome-shell rPx, /{usr/,}bin/im-launch rPx, /{usr/,}bin/pkcs11-register rPx, /{usr/,}bin/snap rPUx, + /{usr/,}bin/spice-vdagent rPx, /{usr/,}bin/start-pulseaudio-x11 rPx, /{usr/,}bin/ubuntu-report rPx, /{usr/,}bin/update-notifier rPx, /{usr/,}bin/xbrlapi rPx, + /{usr/,}bin/xdg-user-dirs-update rPx, /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx, @{libexec}/at-spi-bus-launcher rPx, @{libexec}/evolution-data-server/evolution-alarm-notify rPx, 
@@ -98,14 +99,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/mimeinfo.cache r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, + owner @{run}/user/@{uid}/systemd/notify w, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bbc8375a..08da7996 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -125,6 +125,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, + owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a6f7d510..a38feb1a 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,8 +10,8 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include - include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index e683f0a8..df0fe0e5 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard 
@@ -10,8 +10,8 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 921f8b5c..4884d7fe 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -12,17 +12,16 @@ profile tracker-miner @{exec_path} { include # TODO: FIXME: See if we keep them like this. include include + include include include include @{exec_path} mr, - /usr/share/applications/{,mimeinfo.cache,*.list} r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/mime/mime.cache r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, /usr/share/ubuntu/applications/ r, @@ -43,8 +42,6 @@ profile tracker-miner @{exec_path} { owner @{MOUNTS}/*/{,**} r, owner /tmp/*/{,**} r, - owner @{user_share_dirs}/{applications/,mime/mime.cache} r, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/tracker3/{,**} rwk, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 0f1352db..81ba8b56 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -21,6 +21,7 @@ profile pacman @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability kill, capability mknod, capability net_admin, capability setfcap, @@ -83,6 +84,7 @@ profile pacman @{exec_path} { /{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/groupadd rPx, /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx, + /{usr/,}bin/install-catalog rPx, /{usr/,}bin/install-info rPx, /{usr/,}bin/journalctl rPx, /{usr/,}bin/locale-gen rPx, 
@@ -124,7 +126,9 @@ profile pacman @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 990d4626..8b492322 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -51,12 +51,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + /{usr/,}{s,}bin/nologin rPx, /{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{c,k,tc,z}sh rUx, - /{usr/,}{s,}bin/nologin rPx, + /{usr/,}bin/false rix, /{usr/,}bin/passwd rPx, /{usr/,}lib/openssh/sftp-server rPx, - /{usr/,}bin/false rix, /etc/default/locale r, /etc/environment r, @@ -78,8 +78,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/resolvconf/resolv.conf r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/notify w, + @{run}/systemd/sessions/*.ref rw, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 1da11fc0..4e21b840 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -24,12 +24,14 @@ profile bootctl @{exec_path} { /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, - /{boot,efi}/loader/{,**} r, /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, /{boot,efi}/EFI/systemd/systemd-boot*.efi w, /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw, + /{boot,efi}/loader/.#entries.srel* w, + /{boot,efi}/loader/{,**} r, + /{boot,efi}/loader/entries.srel w, /{boot,efi}/loader/random-seed w, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 5fbe2c74..e9df1167 100644 
--- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,12 +11,11 @@ include profile networkctl @{exec_path} flags=(complain) { include - # To be able to manage network interfaces, capability net_admin, # Needed? (#FIXME#) - audit deny capability sys_resource, - audit deny capability sys_module, + audit capability sys_resource, + audit capability sys_module, signal send peer=child-pager, @@ -49,6 +48,7 @@ profile networkctl @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, + @{PROC}/filesystems r, @{PROC}/sys/kernel/random/boot_id r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 4fbf1b5e..d25f1381 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,7 +17,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/systemd/notify rw, + @{run}/udev/data/+dmi:id r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, @@ -25,7 +29,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, - @{run}/udev/data/+dmi:id r, @{sys}/firmware/dmi/entries/*/raw r, /etc/.#hostname* rw, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 56e0b48e..5eb039e4 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports 
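Review bot: `audit capability sys_resource,` and `audit capability sys_module,` in the first networkctl hunk replace `audit deny` rules, so a logged refusal becomes a logged grant of CAP_SYS_MODULE and CAP_SYS_RESOURCE while the `# Needed? (#FIXME#)` comment above them is kept, i.e. the grant is admittedly unjustified. If the goal is only to see whether networkctl ever asks for them, the previous `audit deny` form already produced the log entries; if they are genuinely required, the comment should name the operation that needs them, since CAP_SYS_MODULE amounts to kernel-level privilege. The profile carries `flags=(complain)`, so nothing is enforced yet, but these are the rules that will apply once the flag is removed. The hunk also drops the `# To be able to manage network interfaces,` comment that explained `capability net_admin`, which is worth keeping.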
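Review bot: `@{run}/systemd/notify rw,` in the second systemd-hostnamed hunk grants read on the notify socket, whereas the sshd and gnome-session-binary hunks earlier in this series use `w` for the same path, and sd_notify only sends to it. `@{run}/systemd/notify w,` is both the narrower rule and the one consistent with the rest of the tree; the same `rw` form appears in the rsyslogd and networkd-dispatcher profiles later in this series and should be aligned at the same time.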
+++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -9,8 +9,9 @@ include @{exec_path} = /usr/share/apport/apport-checkreports profile apport-checkreports @{exec_path} { include - include + include include + include @{exec_path} mr, @@ -21,6 +22,9 @@ profile apport-checkreports @{exec_path} { /usr/share/apport/ r, /etc/apt/apt.conf.d/{,**} r, + /etc/default/apport r, + + /var/crash/ r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index d307f0eb..bd66ec17 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -11,6 +11,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_ptrace, capability syslog, ptrace (read), diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish index 5c93be01..fd643e75 100644 --- a/apparmor.d/profiles-a-f/aurpublish +++ b/apparmor.d/profiles-a-f/aurpublish @@ -10,6 +10,8 @@ include profile aurpublish @{exec_path} { include + signal (receive) peer=git, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 5e40c1ec..304d97c0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -18,8 +18,11 @@ profile borg @{exec_path} { network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} r, + + /{usr/,}bin/ r, /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/uname rix, @@ -66,15 +69,11 @@ profile borg @{exec_path} { # Dirs that can be backed up / r, - /boot/{,**} r, - /efi/{,**} r, /etc/{,**} r, /home/{,**} r, @{MOUNTS}/{,**} r, - /opt/{,**} r, /root/{,**} r, /srv/{,**} r, - /usr/{,**} r, /var/{,**} r, # The backup dirs diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 83f90368..053d00dd 100644 --- a/apparmor.d/profiles-g-l/git 
+++ b/apparmor.d/profiles-g-l/git @@ -27,6 +27,8 @@ profile git @{exec_path} { network inet6 stream, network netlink raw, + signal (send) peer=aurpublish, + @{exec_path} mrix, # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index fc03477e..9685ea69 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -19,37 +20,36 @@ profile mkinitramfs @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}sbin/ r, - /{usr/,}bin/ r, + /{usr/,}{s,}bin/ r, /{usr/,}lib/ r, /{usr/,}lib64/ r, - /{usr/,}bin/getopt rix, - /{usr/,}bin/basename rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tsort rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/id rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/env rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/tr rix, - - /{usr/,}bin/cpio rix, - /{usr/,}bin/gzip rix, + /{usr/,}bin/basename rix, /{usr/,}bin/bzip2 rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cpio rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/env rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/id rix, + /{usr/,}bin/ln rix, /{usr/,}bin/lzma rix, /{usr/,}bin/lzop rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/tsort rix, + /{usr/,}bin/xargs rix, /{usr/,}bin/xz rix, /{usr/,}bin/zstd rix, @@ -87,20 +87,21 @@ profile mkinitramfs @{exec_path} { /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs-* rw, - @{PROC}/modules r, - + owner @{PROC}/@{uid}/fd/ r, + @{PROC}/modules r, profile ldd { include include + include /{usr/,}bin/ldd mr, /{usr/,}bin/kmod mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}lib/@{multiarch}/ld-*.so rix, - /{usr/,}lib{,x}32/ld-*.so rix, + /{usr/,}lib/@{multiarch}/ld-*.so* rix, + /{usr/,}lib{,x}32/ld-*.so rix, } 
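Review bot: `owner @{PROC}/@{uid}/fd/ r,` in the second mkinitramfs hunk looks like a typo for `owner @{PROC}/@{pid}/fd/ r,`: the path is the process's own fd directory and `@{uid}` is the user-id variable, so the rule only matches when the pid happens to equal the uid. The same hunk widens `/{usr/,}lib/@{multiarch}/ld-*.so* rix,` in the ldd subprofile but re-adds `/{usr/,}lib{,x}32/ld-*.so rix,` unchanged, so the 32-bit loader path will still miss versioned names; presumably both should use the same `ld-*.so*` pattern. The enclosing mkinitramfs profile begins before this hunk and its subprofiles continue after it.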
@@ -110,7 +111,10 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - /{usr/,}sbin/ldconfig mr, + /{usr/,}{s,}bin/ldconfig mr, + + /{usr/,}{s,}bin/ldconfig.real rix, + /{usr/,}bin/{,ba,da}sh rix, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, @@ -148,11 +152,14 @@ profile mkinitramfs @{exec_path} { profile kmod { include include + include /{usr/,}bin/kmod mr, @{PROC}/cmdline r, + /etc/depmod.d/ r, + /etc/depmod.d/*.conf r, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 77c49dd3..db6ff8dd 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -12,6 +12,8 @@ profile qemu-ga @{exec_path} { @{exec_path} mr, + /etc/qemu/qemu-ga.conf r, + owner @{run}/qga.state* rw, /dev/vport[0-9]*p[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 65616a18..10fc5bd9 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -16,25 +16,12 @@ profile rsyslogd @{exec_path} { include include - # Needed to remove the following error: - # rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted. - capability syslog, - - # For remote logs - capability net_admin, - - # for creating new log files and changing their owner/group - capability chown, - - # downgrade privileges on Ubuntu - capability setgid, + capability chown, # For creating new log files and changing their owner/group + capability net_admin, # For remote logs + capability setgid, # For downgrading privileges capability setuid, - - # Needed? - deny capability sys_nice, -# capability sys_ptrace, -# ptrace (read), - + capability syslog, + @{exec_path} mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, 
@@ -47,6 +34,7 @@ profile rsyslogd @{exec_path} { owner @{run}/rsyslogd.pid{,.tmp} rwk, owner @{run}/systemd/journal/syslog w, + @{run}/systemd/notify rw, # log files and devices /var/log/** rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 99757736..ce534bde 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -20,7 +20,7 @@ profile spice-vdagent @{exec_path} { owner @{user_config_dirs}/user-dirs.dirs r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, - owner @{run}/spice-vdagentd/spice-vdagent-sock rw, + @{run}/spice-vdagentd/spice-vdagent-sock rw, @{sys}/devices/pci[0-9]*/**/{device,vendor} r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 2441b65b..ee7dac59 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,15 +6,18 @@ abi , include -@{exec_path} = /{usr/,}bin/spice-vdagentd -profile spice-vdagentd @{exec_path} { +@{exec_path} = /{usr/,}{s,}bin/spice-vdagentd +profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, @{exec_path} mr, + owner @{run}/spice-vdagentd/spice-vdagent-sock r, owner @{run}/spice-vdagentd/spice-vdagentd.pid rw, + @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat[0-9]* r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 6830ff9b..57a24445 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/switcheroo-control -profile switcheroo-control @{exec_path} { +profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability sys_nice, 
@@ -18,6 +18,8 @@ profile switcheroo-control @{exec_path} { @{run}/udev/data/+drm:* r, + @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 5a557c78..26ce8ce2 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,25 +15,26 @@ profile ucf @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/seq rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/mkdir rix, + /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, - /{usr/,}bin/id rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tr rix, + /{usr/,}bin/cp rix, /{usr/,}bin/dirname rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mawk rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/seq rix, /{usr/,}bin/stat rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/which{,.debianutils} rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 89575a53..c256bc06 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,33 +9,33 @@ include @{exec_path} = /usr/share/command-not-found/cnf-update-db @{exec_path} += /{usr/,}{s,}bin/update-command-not-found +@{exec_path} += /{usr/,}lib/cnf-update-db profile update-command-not-found @{exec_path} { include include + include include - #capability sys_tty_config, - @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, - /{usr/,}lib/apt/apt-helper rix, - - /{usr/,}bin/dpkg rPx -> child-dpkg, - - /var/lib/command-not-found/ r, - /var/lib/command-not-found/commands.db* rwk, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}lib/apt/apt-helper rix, + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, /usr/share/command-not-found/{,**} r, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, + /var/lib/command-not-found/ r, + /var/lib/command-not-found/commands.db* rwk, /var/lib/apt/lists/ r, /var/lib/apt/lists/*_Contents-* r, + /var/lib/apt/lists/*_Commands-* r, owner @{PROC}/@{pid}/fd/ r, From 5987818b422819ce07c2beb543b289ec3dd0092d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Jun 2022 20:14:38 +0100 Subject: [PATCH 022/165] feat(profiles): add gnome-control-center-goa-helper. --- .../gnome/gnome-control-center-goa-helper | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-control-center-goa-helper diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper new file mode 100644 index 00000000..ebfb36aa --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper 
@@ -0,0 +1,56 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gnome-control-center-goa-helper
+profile gnome-control-center-goa-helper @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bwrap rPUx,
+
+ /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/themes/{,**} r,
+ /usr/share/X11/xkb/{,**} r,
+
+ /var/lib/flatpak/exports/share/icons/{,**} r,
+
+ owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,
+
+ owner @{user_share_dirs}/webkitgtk/{,**} rw,
+ owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
+
+ owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
+
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-[0-9]*.scope/memory.* r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
+ @{PROC}/zoneinfo r,
+
+ include if exists
+}
From 82e6dc13e9035797bda3d1e9d0da6524048c4321 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 Jun 2022 20:15:23 +0100
Subject: [PATCH 023/165] feat(profiles): add gnome-remote-desktop-daemon.
---
.../groups/gnome/gnome-remote-desktop-daemon | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 apparmor.d/groups/gnome/gnome-remote-desktop-daemon
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
new file mode 100644
index 00000000..44844ad3
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
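Review bot: `/{usr/,}bin/bwrap rPUx,` lets the helper run bwrap unconfined whenever no bwrap profile is loaded, and since bwrap is a namespace/mount sandboxing tool and this process also drives WebKit (`WebKitNetworkProcess rix,`), that unconfined fallback is the widest transition in the file. Prefer `rPx` so that a missing bwrap profile fails closed, or `rCx -> bwrap` with a minimal child profile if the helper needs it for one known purpose; if `PUx` is a deliberate stopgap, a comment such as `# TODO: no bwrap profile yet, falls back to unconfined` should record that next to the rule.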
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/gnome-remote-desktop-daemon
+profile gnome-remote-desktop-daemon @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include if exists
+}
\ No newline at end of file
From 82bbe96bfa28d374e9d9ee440bd49c5a27ad6ffa Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 Jun 2022 20:16:38 +0100
Subject: [PATCH 024/165] feat(profiles): add ModemManager.
---
apparmor.d/groups/network/ModemManager | 37 ++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 apparmor.d/groups/network/ModemManager
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
new file mode 100644
index 00000000..7ff48ff5
--- /dev/null
+++ b/apparmor.d/groups/network/ModemManager
@@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{,s}bin/ModemManager
+profile ModemManager @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{run}/udev/data/+pci:* r,
+ @{run}/udev/data/+platform* r,
+ @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]*
+ @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx
+ @{run}/udev/data/n[0-9]* r,
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/net/ r,
+ @{sys}/class/tty/ r,
+ @{sys}/class/wwan/ r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/{vendor,device,revision} r,
+ @{sys}/devices/virtual/net/lo/ r,
+ @{sys}/devices/virtual/tty/*/ r,
+
+ include if exists
+}
\ No newline at end of file
From b9552c3f66707dacc59f5d52485bb77a04ce137e Mon Sep 17 00:00:00 2001
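Review bot: `@{exec_path} = /{usr/,}{,s}bin/ModemManager` spells the sbin alternation as `{,s}` while the other profiles in this series write `/{usr/,}{s,}bin/...` (nologin, ldconfig, anacron, update-command-not-found); the two forms match the same paths, but the consistent spelling is `@{exec_path} = /{usr/,}{s,}bin/ModemManager`. Both new files on this line end with `\ No newline at end of file`, as do several of the later new profiles; adding the final newline keeps them clean for diff and lint tooling.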
From: Alexandre Pujol
Date: Fri, 3 Jun 2022 20:17:08 +0100
Subject: [PATCH 025/165] feat(profiles): add networkd-dispatcher.
---
apparmor.d/groups/network/networkd-dispatcher | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 apparmor.d/groups/network/networkd-dispatcher
diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher
new file mode 100644
index 00000000..0572caee
--- /dev/null
+++ b/apparmor.d/groups/network/networkd-dispatcher
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/networkd-dispatcher
+profile networkd-dispatcher @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/networkctl rPx,
+
+ @{run}/systemd/notify rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
\ No newline at end of file
From 24cf14ff3ad9695de94d3dbcf8dfd59db0afacd8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 Jun 2022 20:20:32 +0100
Subject: [PATCH 026/165] feat(profiles): initial version of some ubuntu related profiles.
---
apparmor.d/groups/ubuntu/apport-gtk | 60 +++++++++++++++++++
apparmor.d/groups/ubuntu/apt-esm-hook | 21 +++++++
.../groups/ubuntu/check-new-release-gtk | 41 +++++++++++++
apparmor.d/groups/ubuntu/hwe-support-status | 26 ++++++++
.../groups/ubuntu/list-oem-metapackages | 27 +++++++++
apparmor.d/groups/ubuntu/update-manager | 49 +++++++++++++++
6 files changed, 224 insertions(+)
create mode 100644 apparmor.d/groups/ubuntu/apport-gtk
create mode 100644 apparmor.d/groups/ubuntu/apt-esm-hook
create mode 100644 apparmor.d/groups/ubuntu/check-new-release-gtk
create mode 100644 apparmor.d/groups/ubuntu/hwe-support-status
create mode 100644 apparmor.d/groups/ubuntu/list-oem-metapackages
create mode 100644 apparmor.d/groups/ubuntu/update-manager
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
new file mode 100644
index 00000000..bf2eb41d
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -0,0 +1,60 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/apport/apport-gtk
+profile apport-gtk @{exec_path} {
+ include
+ include
+ include
+
+ capability sys_ptrace,
+
+ @{exec_path} mr,
+
+ /{usr/,}{s,}bin/killall5 rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/apt-cache rPx,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/gdb rCx -> gdb,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/gsettings rPx,
+ /{usr/,}bin/journalctl rPx,
+ /{usr/,}bin/kmod rPx,
+ /{usr/,}bin/ldd rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/md5sum rix,
+
+ /usr/share/apport/general-hooks/*.py r,
+
+ /etc/apport/blacklist.d/apport r,
+ /etc/apport/blacklist.d/README.blacklist r,
+ /etc/apport/crashdb.conf r,
+ /etc/bash_completion.d/apport_completion r,
+ /etc/cron.daily/apport r,
+ /etc/default/apport r,
+ /etc/init.d/apport r,
+ /etc/logrotate.d/apport r,
+
+ /var/lib/dpkg/info/*.md5sums r,
+ /var/log/installer/media-info r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
+
+ profile gdb {
+ include
+ /{usr/,}bin/gdb mr,
+
+ }
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook
new file mode 100644
index 00000000..5e4c703c
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/apt-esm-hook
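Review bot: apport-gtk gets `capability sys_ptrace,` and reads `@{PROC}/@{pids}/fd/ r,` / `@{PROC}/@{pids}/cmdline r,` for arbitrary pids, but unlike package-system-locked earlier in this series it has no `ptrace (read),` rule; on current AppArmor those cross-process /proc reads are also checked against the profile's ptrace rules, so this is likely to surface as a denial and `ptrace (read),` should presumably sit next to the capability. The `gdb` child profile holds only an include and `/{usr/,}bin/gdb mr,`, which will not let gdb attach to or read the crashed process; if that is intentional for now, a `# TODO: minimal child profile, gdb cannot attach yet` comment on `profile gdb {` would say so. The blank line before the child profile's closing `}` is also out of step with the other profiles in this series.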
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-hook
+profile apt-esm-hook @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
new file mode 100644
index 00000000..ddba1dc3
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk
+profile check-new-release-gtk @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+
+ /usr/share/distro-info/{,**} r,
+ /usr/share/icons/{,**} r,
+ /usr/share/themes/{,**} r,
+ /usr/share/ubuntu-release-upgrader/{,**} r,
+ /usr/share/update-manager/{,**} r,
+
+ /etc/update-manager/{,**} r,
+
+ owner @{user_cache_dirs}/update-manager-core/{,**} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status
new file mode 100644
index 00000000..83cb07e3
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/hwe-support-status
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/hwe-support-status
+profile hwe-support-status @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+
+ /usr/share/distro-info/{,**} r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages
new file mode 100644
index 00000000..ec8706f8
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/update-notifier/list-oem-metapackages
+profile list-oem-metapackages @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/ischroot rix,
+
+ @{sys}/devices/**/ r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
new file mode 100644
index 00000000..869866f3
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/update-manager
+profile update-manager @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/hwe-support-status rPx,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/snap rPUx,
+ /{usr/,}bin/uname rix,
+ /{usr/,}lib/apt/methods/http{,s} rPx,
+
+ /usr/share/applications/{,**} r,
+ /usr/share/distro-info/{,**} r,
+ /usr/share/icons/{,**} r,
+ /usr/share/ubuntu-release-upgrader/{,**} r,
+ /usr/share/update-manager/{,**} r,
+ /usr/share/X11/{,**} r,
+
+ /etc/machine-id r,
+ /etc/update-manager/{,**} r,
+
+ /var/lib/update-manager/{,**} rw,
+
+ owner @{user_cache_dirs}/update-manager-core/{,**} rw,
+
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
From aa9a673fb67ca6439908b041659b378d0cc1ebd3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 Jun 2022 20:21:20 +0100
Subject: [PATCH 027/165] feat(profiles): add anacron.
---
apparmor.d/profiles-a-f/anacron | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 apparmor.d/profiles-a-f/anacron
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
new file mode 100644
index 00000000..ed1e9635
--- /dev/null
+++ b/apparmor.d/profiles-a-f/anacron
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/anacron +profile anacron @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/run-parts rPx, + + / r, + /etc/anacrontab r, + + /var/spool/anacron/cron.* rw, + + include if exists +} \ No newline at end of file From 9ad819a1969b32bd99bf2e251d412f4c43fe843e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Jun 2022 20:22:07 +0100 Subject: [PATCH 028/165] feat(profiles): add install-catalog. --- apparmor.d/profiles-g-l/install-catalog | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apparmor.d/profiles-g-l/install-catalog diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog new file mode 100644 index 00000000..6c508b3c --- /dev/null +++ b/apparmor.d/profiles-g-l/install-catalog @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/install-catalog +profile install-catalog @{exec_path} { + include + + capability dac_read_search, + + @{exec_path} mr, + + /{usr/,}bin/{,ba}sh rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + + /etc/sgml/catalog{,.new} rw, + /etc/sgml/sgml-docbook.cat{,.new} rw, + /etc/sgml/sgml-ent.cat{,.new} rw, + + include if exists +} \ No newline at end of file From aa606bbdc43df94abf5f1f131b2e8ff00b34c660 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Jun 2022 20:23:28 +0100 Subject: [PATCH 029/165] feat(profiles): add swtpm_ioctl. --- apparmor.d/profiles-s-z/swtpm_ioctl | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/profiles-s-z/swtpm_ioctl 
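Review bot: `/{usr/,}bin/{,ba,da}sh rix,` executes the shell inside the anacron profile, so any `/etc/anacrontab` job line that is not `run-parts` (which gets its own `rPx` transition) inherits this confinement and has only `/ r`, `/etc/anacrontab r` and the `/var/spool/anacron/cron.*` entries available to it. That is probably fine for the distribution's default anacrontab, but it is a behaviour worth stating in the profile, e.g. `# jobs other than run-parts stay confined by this profile` next to the shell rule, so that a locally added job failing with a denial is understood rather than reported as a bug. The install-catalog profile added in the following patch uses the same inline-shell pattern and would benefit from the same note.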
diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl new file mode 100644 index 00000000..75660e85 --- /dev/null +++ b/apparmor.d/profiles-s-z/swtpm_ioctl @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/swtpm_ioctl +profile swtpm_ioctl @{exec_path} { + include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + + include if exists +} \ No newline at end of file From a6a72cd5c3b743a3a9adeb38c6fe87bdaa68dff9 Mon Sep 17 00:00:00 2001 
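Review bot: `capability dac_override,` and `capability dac_read_search,` are granted, but the profile contains no file, socket or device rule of its own beyond `@{exec_path} mr,`, so the only objects these capabilities could bypass permissions on are whatever the single included abstraction grants. Either the control socket or device path that swtpm_ioctl actually opens is missing from the profile (likely, since the tool exists to talk to a running swtpm instance, but not verifiable from the hunk), or the two capabilities are unused and should be dropped. In both cases a comment naming the object that needs DAC bypass, e.g. `capability dac_override, # for <control socket path>: confirm`, would make the grant reviewable.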
From: Alexandre Pujol Date: Fri, 3 Jun 2022 20:38:23 +0100 Subject: [PATCH 030/165] feat(profiles): initial dbus integration (no dbus rule yet). --- apparmor.d/groups/freedesktop/accounts-daemon | 3 ++- apparmor.d/groups/freedesktop/at-spi-bus-launcher | 1 + apparmor.d/groups/freedesktop/colord | 11 +++++++++-- apparmor.d/groups/freedesktop/pipewire | 1 + apparmor.d/groups/freedesktop/pipewire-media-session | 1 + apparmor.d/groups/freedesktop/polkitd | 3 ++- apparmor.d/groups/freedesktop/upowerd | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + .../groups/freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 1 + apparmor.d/groups/gnome/evolution-addressbook-factory | 1 + apparmor.d/groups/gnome/evolution-calendar-factory | 1 + apparmor.d/groups/gnome/gdm | 4 +++- apparmor.d/groups/gnome/gdm-session-worker | 2 ++ apparmor.d/groups/gnome/gnome-extension-ding | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 + apparmor.d/groups/gnome/gnome-shell | 4 ++-- apparmor.d/groups/gnome/goa-daemon | 1 + apparmor.d/groups/gnome/gsd-color | 1 + apparmor.d/groups/gnome/gsd-disk-utility-notify | 1 + apparmor.d/groups/gnome/gsd-keyboard | 1 + apparmor.d/groups/gnome/gsd-media-keys | 1 + apparmor.d/groups/gnome/gsd-power | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 1 + apparmor.d/groups/gnome/gsd-printer | 1 + apparmor.d/groups/gnome/gsd-rfkill | 1 + apparmor.d/groups/gnome/gsd-sharing | 1 + apparmor.d/groups/gnome/gsd-xsettings | 1 + apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 1 + apparmor.d/groups/network/NetworkManager | 2 ++ apparmor.d/groups/systemd/child-systemctl | 1 + apparmor.d/groups/systemd/networkctl | 1 + apparmor.d/groups/systemd/systemd-hostnamed | 1 + apparmor.d/groups/systemd/systemd-logind | 3 ++- apparmor.d/groups/systemd/systemd-user-runtime-dir | 1 + apparmor.d/groups/ubuntu/packagekitd | 
1 + .../groups/ubuntu/ubuntu-advantage-notification | 1 + apparmor.d/profiles-g-l/kerneloops | 1 + apparmor.d/profiles-m-r/pkexec | 5 +++-- apparmor.d/profiles-m-r/pkttyagent | 1 + apparmor.d/profiles-m-r/power-profiles-daemon | 1 + apparmor.d/profiles-m-r/rtkit-daemon | 1 + apparmor.d/profiles-s-z/switcheroo-control | 1 + apparmor.d/profiles-s-z/udisksd | 1 + 46 files changed, 64 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index aa638961..04fc326b 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -9,8 +9,9 @@ include @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon @{exec_path} += @{libexec}/accounts-daemon -profile accounts-daemon @{exec_path} { +profile accounts-daemon @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index bf3c14b5..34134f6b 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index fcfa90ce..1aaf33ea 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
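Review bot: `profile accounts-daemon @{exec_path} flags=(attach_disconnected)` adds the attach_disconnected flag, which is unrelated to the dbus abstraction this commit introduces and is not mentioned in the message. The flag makes paths that are disconnected from the namespace root match the profile's rules as if they were rooted at `/`, so it widens what the existing path rules cover and deserves its own justification, e.g. `# attach_disconnected: <reason>` above the profile line or a separate commit. The at-spi-bus-launcher hunk next to it already had the flag, so the addition here may be a copy of that shape rather than a measured need.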
@@ -11,11 +11,18 @@ include @{exec_path} += @{libexec}/colord profile colord @{exec_path} flags=(attach_disconnected) { include + include include include network netlink raw, + dbus send + bus=system + path=/org/freedesktop/ColorManager/devices/xrandr_* + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /{usr/,}lib/colord/colord-sane rPx, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 596f5725..2eea607f 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -11,6 +11,7 @@ include profile pipewire @{exec_path} { include include + include include ptrace (read), diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index c21a8314..180ee969 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -11,6 +11,7 @@ include profile pipewire-media-session @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index c6da6e1f..e264a200 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/polkitd profile polkitd @{exec_path} { include + include include capability setuid, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 11873361..7b32158f 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
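Review bot: the colord hunk's `dbus send bus=system path=/org/freedesktop/ColorManager/devices/xrandr_* interface=org.freedesktop.DBus.Properties member=GetAll,` describes colord as the caller, yet `/org/freedesktop/ColorManager` is the object tree colord itself exports, so a `GetAll` on one of its device objects would normally be a message colord receives rather than sends; please confirm the direction against the denial log that motivated it. The rule also carries no `peer=` qualifier, which is acceptable for an initial pass but worth a comment so peers can be tightened later. The commit title says "no dbus rule yet", so this rule is the one exception and should be called out in the message.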
@@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include + include include network netlink raw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cfb29dc8..e9ad2fdd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index a74d3c75..6b177afb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 27fb6a9e..99622476 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 75206db5..a036ee7e 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-addressbook-factory profile evolution-addressbook-factory @{exec_path} { include + include include include include 
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 6a60f3c1..40661e7c 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-calendar-factory profile evolution-calendar-factory @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 0d51bc9a..a3cade38 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -9,8 +9,10 @@ include @{exec_path} = /{usr/,}{s,}bin/gdm{3,} profile gdm @{exec_path} flags=(attach_disconnected) { include - include + include + include include + include capability chown, capability fsetid, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d93b104f..24b8902b 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -10,6 +10,8 @@ include profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { include include + include + include include capability audit_write, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 1051a928..a0fbc6c7 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 361f0186..65513850 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
@@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 23077485..c9931355 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 08da7996..7dcc1894 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,6 +11,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -68,9 +70,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /.flatpak-info r, /etc/fstab r, - /etc/machine-id r, /etc/xdg/menus/gnome-applications.menu r, - /var/lib/dbus/machine-id r, /var/lib/gdm{3,}/.cache/ w, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index fa65e3ce..684080be 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/goa-daemon profile goa-daemon @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a38feb1a..c83666a2 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include 
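Review bot: the second gnome-shell hunk removes `/etc/machine-id r,` and `/var/lib/dbus/machine-id r,`, which only stays correct if one of the two abstractions added in the first hunk grants those reads; the include targets are not visible in this rendering, so please confirm, otherwise gnome-shell silently loses access it had before. A one-line comment at the removal site, e.g. `# machine-id reads come from the dbus abstraction`, would record the dependency for the next reader. The surrounding profile starts and ends outside both hunks.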
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 0ff646db..ccec1b6a 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-disk-utility-notify profile gsd-disk-utility-notify @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index df0fe0e5..216a23cb 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index d6fbdbab..310336b2 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,6 +10,7 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index b4a6bd31..c674d1e5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,6 +10,7 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 0e0e011c..de6c3a28 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include network inet stream, 
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 487e827b..eccc4180 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index cca7f7a3..a44ecbbe 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 0f7fb325..7cada0c7 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 6f4d858e..2ac7d10b 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 4884d7fe..dd45b726 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner 
@@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3 profile tracker-miner @{exec_path} { include - include # TODO: FIXME: See if we keep them like this. + include include include include diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index c91b5c08..0f32b016 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f6102481..e68a51fa 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}{,s}bin/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include + include + include include include include diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 6919dd66..507df21b 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -16,6 +16,7 @@ include profile child-systemctl flags=(attach_disconnected) { include include + include include capability net_admin, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index e9df1167..378c89c1 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/networkctl profile networkctl @{exec_path} flags=(complain) { include + include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index d25f1381..6b951974 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed 
+++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include + include include # To set a hostname diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a306815a..5f392dce 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -10,8 +10,9 @@ include profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { include include - include include + include + include include capability chown, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 0c61f1eb..a4d0a7a0 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-user-runtime-dir profile systemd-user-runtime-dir @{exec_path} { include + include include include diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index ba55b853..c8e0be36 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -10,6 +10,7 @@ include profile packagekitd @{exec_path} { include include + include include capability sys_nice, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index c6e3f327..caf36abd 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 4efe443e..ddf480c8 100644 
--- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/kerneloops profile kerneloops @{exec_path} { include + include include capability syslog, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index b754183e..4cb39fce 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -10,9 +10,10 @@ include profile pkexec @{exec_path} flags=(complain) { include include - include - include include + include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index ebc0366e..72873536 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/pkttyagent profile pkttyagent @{exec_path} { include + include capability sys_nice, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index c2cebc60..ee85a3b0 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/power-profiles-daemon profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 4b4c1689..ef92160f 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -11,6 +11,7 @@ include @{exec_path} = @{libexec}/rtkit-daemon profile rtkit-daemon @{exec_path} { include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 57a24445..2f142a08 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control 
@@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/switcheroo-control profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b881f383..b46cd19b 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/udisks2/udisksd profile udisksd @{exec_path} flags=(attach_disconnected) { include + include include include From 7a18cfed409585c9394db813853932d4b3372e21 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 4 Jun 2022 21:53:24 +0100 Subject: [PATCH 031/165] fix(aa-log): ensure the good profile is shown. --- cmd/aa-log/main.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index ee123429..b387c9d7 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -151,7 +151,7 @@ func (aaLogs AppArmorLogs) String() string { } // Order of impression keys := []string{ - "profile", "peer_label", // Profile name + "profile", "label", // Profile name "operation", "name", "mask", "bus", "path", "interface", "member", // dbus "info", "comm", @@ -161,7 +161,7 @@ func (aaLogs AppArmorLogs) String() string { // Optional colors template to use colors := map[string]string{ "profile": FgBlue, - "peer_label": FgBlue, + "label": FgBlue, "operation": FgYellow, "name": FgMagenta, "mask": BoldRed, From f6b6e99cde943a82bfaa52d97b466914f1bfcda8 Mon Sep 17 00:00:00 2001 
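Review bot: replacing `"peer_label"` with `"label"` in both `keys` and `colors` means a log entry that carries `peer_label` (dbus denials, for example, report both `label` and `peer_label`) no longer has that field printed or coloured, unless the parser folds it into another key outside these hunks. If the intent is to show the confined profile's own label, keeping both, `"profile", "label", "peer_label", // Profile name` with a matching `"peer_label": FgBlue,`, preserves the peer information the old output had. The enclosing `String()` method starts and ends outside both hunks.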
From: Alexandre Pujol Date: Sun, 5 Jun 2022 14:53:10 +0100 Subject: [PATCH 032/165] feat(profiles): initial dbus rules for systemd profiles. --- apparmor.d/groups/systemd/child-systemctl | 4 + apparmor.d/groups/systemd/systemd-hostnamed | 12 ++- apparmor.d/groups/systemd/systemd-localed | 29 ++++--- apparmor.d/groups/systemd/systemd-logind | 84 +++++++++------------ apparmor.d/groups/systemd/systemd-timedated | 13 +++- 5 files changed, 80 insertions(+), 62 deletions(-) diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 507df21b..338f4f98 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -27,6 +27,10 @@ profile child-systemctl flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.systemd[0-9].Manager + member=GetUnitFileState, + /{usr/,}bin/systemctl mr, /etc/systemd/user/{,**} rwl, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 6b951974..4a830450 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -13,8 +13,15 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include include - # To set a hostname - capability sys_admin, + capability sys_admin, # To set a hostname + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName}, + + dbus receive bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member={Get,GetAll}, @{exec_path} mr, @@ -38,4 +45,5 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+dmi:id r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c3a3e304..efb53cf1 100644 
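Review bot: in the first systemd-hostnamed hunk the `dbus receive bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties member={Get,GetAll},` rule covers only property reads on the hostname1 object; method calls on the `org.freedesktop.hostname1` interface itself, which is the path the `capability sys_admin, # To set a hostname` comment refers to, are not covered, so further denials are to be expected unless the profile is in complain mode, and the hunk header shows it is not (`flags=(attach_disconnected)` only). A second receive rule for that interface, or a comment stating that it is deliberately left for a later pass, would make the intent clear. The profile block starts outside this hunk.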
--- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,20 +15,29 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include # Needed? - audit deny capability net_admin, + audit capability net_admin, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReleaseName, + + dbus receive bus=system path=/org/freedesktop/locale[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, @{exec_path} mr, - /etc/default/keyboard r, - - /etc/default/locale rw, - /etc/default/.#locale* rw, - /etc/locale.conf r, - /etc/vconsole.conf r, - /usr/share/systemd/language-fallback-map r, /usr/share/X11/xkb/rules/evdev r, + /etc/default/.#locale* rw, + /etc/default/keyboard r, + /etc/default/locale rw, + /etc/locale.conf r, + /etc/vconsole.conf r, /etc/X11/xorg.conf.d/*.conf r, + @{run}/systemd/notify rw, + + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 5f392dce..8cedc840 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
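Review bot: `- audit deny capability net_admin,` becomes `+ audit capability net_admin,`, which turns an explicit, logged denial into a logged grant of CAP_NET_ADMIN to systemd-localed while the `# Needed?` comment above it is kept and the commit message only mentions dbus rules. If the capability is really required the comment should say what for; if it is not, keeping `audit deny capability net_admin,` preserves the previous policy and the same visibility in the log. The rest of the hunk is a reorder of existing path rules plus `@{run}/systemd/notify rw,` and the local include, which need nothing.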
@@ -24,6 +24,40 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
+ interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/job/**
+ interface=org.freedesktop.DBus.Properties
+ member={Get,PropertiesChanged},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/unit/**
+ interface=org.freedesktop.DBus.Properties
+ member={PropertiesChanged,Get},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
+ interface=org.freedesktop.systemd[0-9]/.Scope
+ member=Abandon,
+
+ dbus receive bus=system path=/org/freedesktop/systemd[0-9]
+ interface=org.freedesktop.systemd[0-9].Manager
+ member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading},
+
+ dbus receive bus=system path=/org/freedesktop/systemd[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus bind bus=system
+ name=org.freedesktop.login[0-9],
+
 @{exec_path} mr,
 /etc/machine-id r,
@@ -50,6 +84,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/udev/data/c10:[0-9]* r,
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/c21:[0-9]* r,
 @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
 @{run}/udev/data/c21:[0-9]* r,
 @{run}/udev/data/c23[0-9]:[0-9]* r,
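Review bot: `interface=org.freedesktop.systemd[0-9]/.Scope` in the Abandon rule contains a `/`, which cannot occur in a D-Bus interface name, so that rule can never match; the rule it replaces (removed in the last hunk of this file) used `org.freedesktop.systemd1.Scope`, so `interface=org.freedesktop.systemd[0-9].Scope` is the intended form. In the same hunk `StartUnit`, `StartTransientUnit` and `Subscribe` are listed under `dbus receive` on the Manager interface, whereas the removed rules had them under `dbus send` together with `StopUnit` (they are calls logind makes to systemd), and only `JobRemoved`, `UnitRemoved` and `Reloading` under receive; the split below restores that direction. Every new rule also drops the `peer=(name=…)` qualifiers the old rules carried, which reads as a deliberate simplification but widens who logind may exchange these messages with, so a short comment saying it is intentional would help. The profile block starts and ends outside this hunk.
```apparmor
  dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
       interface=org.freedesktop.systemd[0-9].Scope
       member=Abandon,

  dbus send bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={StartUnit,StartTransientUnit,StopUnit,Subscribe},

  dbus receive bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={JobRemoved,UnitRemoved,Reloading},

  # … unchanged: remaining dbus rules and the bind rule …
```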
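Review bot: the added `@{run}/udev/data/c21:[0-9]* r,` duplicates the existing `@{run}/udev/data/c21:[0-9]* r,` that appears two lines below it, after the c226 entry, so the hunk should either drop the new line or delete the old one so the list stays in order. If the new position is the one kept, the neighbouring entries carry a `# for …` comment naming the device class and this one does not; adding the same to it would keep the list self-explanatory.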
@@ -99,57 +134,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { /dev/dri/card[0-9]* rw, /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, - /dev/nvme* r, /dev/shm/{,**/} rw, /dev/tty[0-9]* rw, - # DBus - # all members for login-related, specific for others - dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), - - dbus (send, receive) - bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), - - dbus (send, receive) - bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), - - dbus (send, receive) - bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.*" peer=(name="{org.freedesktop.DBus,:*}"), - - dbus receive - bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), - - dbus receive - bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), - - dbus receive - bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), - - dbus receive - bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" 
member="PropertiesChanged" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"), - - dbus send - bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), - - dbus receive - bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"), - - dbus (bind) - bus="system" - name="org.freedesktop.login1", - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 1e227632..4f28e457 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,6 +15,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, + dbus (send,receive) bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={AddMatch,ReleaseName,RequestName}, + + dbus receive bus=system path=/org/freedesktop/timedate[0-1] + interface=org.freedesktop.DBus.Properties + member=Get, + @{exec_path} mr, /dev/rtc[0-9] r, @@ -27,5 +36,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, + @{run}/systemd/notify rw, + include if exists } From 671dcca38da2d214b75d9d3acb52ac4585768a4b Mon Sep 17 00:00:00 2001 
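Review bot: `path=/org/freedesktop/timedate[0-1]` uses a different character range than the `locale[0-9]` and `login[0-9]` patterns in the sibling profiles of this commit; both match the `timedate1` object in use, but the odd range reads like a typo and `timedate[0-9]` keeps the profiles uniform. `dbus (send,receive) bus=system path=/org/freedesktop/DBus ... member={AddMatch,ReleaseName,RequestName}` grants `receive` for methods the daemon only calls on the bus driver; systemd-localed in the same commit uses plain `dbus send` for ReleaseName, and the same form fits here. `@{run}/systemd/notify rw` in the last hunk can be `w`.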
From: Alexandre Pujol 
Date: Sun, 5 Jun 2022 14:54:26 +0100
Subject: [PATCH 033/165] feat(aa-log): allow profile selection for dbus rules.

---
 cmd/aa-log/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go
index b387c9d7..aa47d9c0 100644
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
@@ -89,7 +89,7 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
 log := ""
 exp := "apparmor=(\"DENIED\"|\"ALLOWED\"|\"AUDIT\")"
 if profile != "" {
- exp = fmt.Sprintf(exp+".* profile=\"%s.*\"", profile)
+ exp = fmt.Sprintf(exp+".* (profile=\"%s.*\"|label=\"%s.*\")", profile, profile)
 }
 
 isAppArmorLog := regexp.MustCompile(exp)
From 63e5980d8d26cdfe0afd1dc80f76fd1f3d8366bf Mon Sep 17 00:00:00 2001
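Review bot: `profile` is interpolated into the regular expression without escaping, so a profile name containing `.`, `+`, `(` or `|` is parsed as pattern syntax instead of being matched literally; escaping both arguments fixes that, e.g. `exp = fmt.Sprintf(exp+".* (profile=\"%s.*\"|label=\"%s.*\")", regexp.QuoteMeta(profile), regexp.QuoteMeta(profile))`. The `.*` inside the quotes makes this a prefix match, so selecting `apt` also returns lines for the `apt-methods-*` profiles seen later on this page; if the intent is to include child profiles only, `%s(//[^\"]*)?` is the tighter form. NewApparmorLogs continues outside the hunk.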
From: Alexandre Pujol Date: Sun, 5 Jun 2022 22:47:37 +0100 Subject: [PATCH 034/165] feat(profiles): general update. --- apparmor.d/groups/apt/apt | 4 +- apparmor.d/groups/apt/unattended-upgrade | 4 +- apparmor.d/groups/bus/dbus-daemon | 3 -- .../groups/freedesktop/at-spi2-registryd | 12 +++--- apparmor.d/groups/freedesktop/colord-sane | 12 +++--- apparmor.d/groups/freedesktop/polkitd | 5 ++- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/upowerd | 36 ++++++++-------- .../groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xkbcomp | 2 + apparmor.d/groups/freedesktop/xrdb | 2 + apparmor.d/groups/freedesktop/xwayland | 2 + .../groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 + apparmor.d/groups/gnome/gnome-shell | 4 ++ .../groups/gnome/gnome-shell-calendar-server | 2 + apparmor.d/groups/gnome/nautilus | 5 ++- apparmor.d/groups/ubuntu/apt-esm-hook | 5 +++ .../groups/ubuntu/check-new-release-gtk | 12 +++++- .../groups/ubuntu/livepatch-notification | 5 ++- .../groups/ubuntu/package-system-locked | 3 ++ .../ubuntu/ubuntu-advantage-notification | 4 +- apparmor.d/groups/ubuntu/ubuntu-report | 1 + .../ubuntu/update-motd-updates-available | 20 +++++++-- apparmor.d/groups/ubuntu/update-notifier | 23 +++++++--- apparmor.d/profiles-a-f/fwupdmgr | 27 ++++++------ apparmor.d/profiles-g-l/ifup | 3 +- apparmor.d/profiles-g-l/logrotate | 9 ++-- apparmor.d/profiles-m-r/needrestart | 43 +++++++++++++++---- apparmor.d/profiles-s-z/spice-vdagent | 2 + apparmor.d/profiles-s-z/sysctl | 1 - .../profiles-s-z/update-command-not-found | 1 + 33 files changed, 177 insertions(+), 85 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 588f324c..cddabf04 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -24,6 +24,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability net_admin, capability setgid, capability setuid, + capability sys_nice, signal (send) peer=apt-methods-*, @@ -60,9 +61,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { # Methods to use to download packages from the net /{usr/,}lib/apt/methods/* rPx, + /var/lib/apt/extended_states{,.*} rw, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, - /var/lib/apt/extended_states{,.*} rw, + /var/lib/apt/periodic/update-success-stamp rw, /var/log/apt/eipp.log.xz w, /var/log/apt/{term,history}.log w, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c3cf5a2a..4a978427 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -9,10 +9,11 @@ include @{exec_path} = /{usr/,}bin/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include + include include include include - include capability chown, capability dac_override, @@ -78,6 +79,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner /tmp/#[0-9]* rw, owner @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 0a50c981..4dae8071 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -14,7 +14,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include include -# include include capability audit_write, @@ -93,7 +92,5 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/tty[0-9]* rw, - unix type=stream addr="@/tmp/dbus-*", - include if exists } diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 939496d8..46dc955d 100644 
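Review bot: `@{PROC}/@{pids}/mountinfo r` grants read of every process's mount table rather than the confined process's own; unless the denial that motivated it came from another pid, `owner @{PROC}/@{pid}/mountinfo r,` is the narrower rule and matches the `owner @{PROC}/@{pids}/fd/ r` line above it. The same un-owned `@{pids}` form is added in this commit for mountinfo in update-motd-updates-available, for `mounts` in check-new-release-gtk (where it replaces an `owner @{PROC}/@{pid}/mounts r` line) and for `cmdline` in apt-esm-hook, where other users' command lines can carry arguments they did not intend to expose. This file and several others touched here (apt-esm-hook, check-new-release-gtk, livepatch-notification, ubuntu-advantage-notification, update-motd-updates-available) still end with `\ No newline at end of file`; worth adding the newline while the files are being edited.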
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,19 +13,18 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include - # Needed? - deny capability sys_nice, - signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, - owner @{HOME}/.Xauthority r, /var/lib/lightdm/.Xauthority r, + + owner @{HOME}/.Xauthority r, + owner @{HOME}/.xsession-errors w, + + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - # file_inherit - owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index 0f3cfa1f..ed183ba5 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/colord/colord-sane @{exec_path} += @{libexec}/colord-sane -profile colord-sane @{exec_path} flags=(complain) { +profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { include include 
@@ -16,17 +17,18 @@ profile colord-sane @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/sane.d/{,**} r, + /usr/share/snmp/mibs/{,*} r, + /etc/sane.d/{,**} r, /etc/snmp/snmp.conf r, + + /var/lib/snmp/{mib,cert}_indexes/ rw, /var/lib/snmp/mibs/{iana,ietf}/ r, /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - /var/lib/snmp/{mib,cert}_indexes/ rw, - /usr/share/snmp/mibs/{,*} r, + @{run}/systemd/journal/socket rw, @{sys}/bus/scsi/devices/ r, - @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, @{PROC}/sys/dev/parport/ r, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index e264a200..982f8f85 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -14,10 +14,11 @@ profile polkitd @{exec_path} { include include - capability setuid, capability setgid, + capability setuid, + capability sys_nice, capability sys_ptrace, - audit deny capability net_admin, + audit capability net_admin, ptrace (read), diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 77c69921..db4eb0c7 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -11,7 +11,7 @@ profile upower @{exec_path} { include # Needed? - deny capability sys_nice, + audit capability sys_nice, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 7b32158f..f8f7cbfc 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -17,30 +18,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - # UPower config file /etc/UPower/ r, /etc/UPower/UPower.conf r, - # The history data for the power device /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - # Are all of these needed? (#FIXME#) - /dev/input/event* r, - @{sys}/bus/hid/devices/ r, - @{sys}/class/leds/ r, - @{sys}/class/power_supply/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/**/power_supply/**/* r, - @{sys}/devices/**/uevent r, - @{sys}/devices/**/capabilities/* r, - @{sys}/devices/virtual/dmi/id/product_name r, - - @{sys}/devices/platform/**/leds/**/max_brightness r, - @{sys}/devices/platform/**/leds/**/brightness rw, - @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, - @{run}/udev/data/ r, @{run}/udev/data/+power_supply* r, @{run}/udev/data/+input* r, @@ -49,5 +32,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, + @{sys}/bus/hid/devices/ r, + @{sys}/class/input/ r, + @{sys}/class/leds/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/ r, + @{sys}/devices/**/capabilities/* r, + @{sys}/devices/**/power_supply/**/* r, + @{sys}/devices/**/uevent r, + @{sys}/devices/platform/**/leds/**/brightness rw, + @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, + @{sys}/devices/platform/**/leds/**/max_brightness r, + @{sys}/devices/virtual/dmi/id/product_name r, + + /dev/input/event* r, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index e9ad2fdd..e366fd26 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
@@ -34,7 +34,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /usr/share/pipewire/client.conf r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /etc/machine-id r, /etc/pipewire/client.conf.d/ r, /var/lib/flatpak/exports/share/mime/mime.cache r, @@ -43,6 +42,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{PROC}/@{pids}/cgroup r, @{PROC}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 0095e3b3..b4235da9 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -11,6 +11,8 @@ include profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + @{exec_path} mr, /usr/share/X11/xkb/** r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 4db26964..177d3bb8 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -11,6 +11,8 @@ include profile xrdb @{exec_path} { include + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e535c2df..dd354cf8 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -19,6 +19,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, + unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*", + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, 
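Review bot: `unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*"` names the socket as this profile's own address, i.e. the server side; if Xwayland is the process that creates that abstract socket, the rule also needs `bind`, `listen` and `accept`, since `receive, send` only covers traffic on an already-established socket — confirm against the denial that prompted this line. The client form `unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*")` is added verbatim to xkbcomp, xrdb, gnome-shell and spice-vdagent in this commit; if the X abstraction those profiles include does not already carry it, one shared abstraction would be easier to keep in sync than five copies.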
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index b40e3ed9..e488818b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -11,8 +11,8 @@ profile evolution-source-registry @{exec_path} { include include include - include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index a0fbc6c7..564dba30 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -23,7 +23,6 @@ profile gnome-extension-ding @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, - /usr/share/themes/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/X11/{,**} r, @@ -38,6 +37,7 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home-*.log r, owner @{run}/user/@{uid}/bus rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index c9931355..78fee1df 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -99,6 +99,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/user-dirs.locale r, owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/mimeinfo.cache r, + owner @{user_share_dirs}/session_migration-ubuntu r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/dconf/ rw, 
@@ -107,6 +108,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, owner @{run}/user/@{uid}/systemd/notify w, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7dcc1894..07657a3b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -39,6 +39,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send), + + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), @{exec_path} mr, @@ -126,6 +129,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 09287690..005072d5 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -17,6 +17,8 @@ profile gnome-shell-calendar-server @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/zoneinfo-icu/{,**} r, + /etc/timezone r, + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d5ebffde..5ad4d7a0 100644 --- a/apparmor.d/groups/gnome/nautilus 
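Review bot: `owner @{run}/user/@{uid}/systemd/notify rw` grants read on the user notify socket, while gnome-session-binary in the hunk just above grants the same path `w`; sd_notify only writes there, so `owner @{run}/user/@{uid}/systemd/notify w,` keeps the two profiles consistent and the grant minimal. gnome-shell's rule list continues outside the hunk.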
+++ b/apparmor.d/groups/gnome/nautilus @@ -24,8 +24,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/thumbnailers/{,**} r, /usr/share/tracker3/{,**} r, + /usr/share/ubuntu/applications/{,**} r, - owner @{user_share_dirs}/nautilus/{,**} rwk, + /var/lib/snapd/desktop/icons/{,**} r, # Full access to user's data / r, @@ -42,6 +43,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { deny /tmp/.* rw, deny /tmp/.*/{,**} rw, + owner @{user_share_dirs}/nautilus/{,**} rwk, + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 5e4c703c..3492a1a8 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -15,7 +15,12 @@ profile apt-esm-hook @{exec_path} { /{usr/,}bin/dpkg rPx, + /etc/machine-id r, + + /var/lib/ubuntu-advantage/messages/{,**} rw, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cmdline r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index ddba1dc3..79f3b2f9 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,13 +10,18 @@ include profile check-new-release-gtk @{exec_path} { include include + include include include + include include include network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mr, 
@@ -25,17 +30,22 @@ profile check-new-release-gtk @{exec_path} { /{usr/,}bin/lsb_release rPx -> lsb_release, /usr/share/distro-info/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/themes/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, + /usr/share/X11/xkb/{,**} r, /etc/update-manager/{,**} r, owner @{user_cache_dirs}/update-manager-core/{,**} rw, + owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9] rw, + owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mounts r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 33965de6..863cccfe 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -10,16 +10,19 @@ include profile livepatch-notification @{exec_path} { include include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/X11/{,**} r, - /usr/share/themes/{,**} r, + owner @{run}/user/@{uid}/at-spi/bus rw, + owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index bd66ec17..705eb72d 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -16,6 +16,9 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { ptrace (read), + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index caf36abd..d8f01e8e 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -11,16 +11,18 @@ profile ubuntu-advantage-notification @{exec_path} { include include include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/X11/xkb/{,**} r, - /usr/share/themes/{,**} r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index f7348d1a..51405517 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -10,6 +10,7 @@ include profile ubuntu-report @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 5724a959..d31d1730 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available 
@@ -9,28 +9,42 @@ include @{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include + include + include + include + include include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/python3.[0-9]* r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/apt-config rPx, + /{usr/,}bin/chmod rix, /{usr/,}bin/dirname rix, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/find rix, /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/mktemp rix, /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, /{usr/,}lib/update-notifier/apt_check.py rix, - /etc/apt/apt.conf.d/{,*} r, - /etc/apt/sources.list r, + /usr/share/distro-info/{,**} r, + + /etc/machine-id r, - /var/lib/apt/lists/{,*} r, /var/lib/update-notifier/{,*} rw, + /var/cache/apt/ r, + /var/cache/apt/** rwk, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ed52d32f..a17b3a6a 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
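Review bot: `capability dac_read_search` is added with no comment saying which access needed it; the capability lets the process bypass read and search permission checks on every file, which is a broad grant for a motd helper, and a `# Needed for <path that was denied>` note would let the next reader judge it. `/var/cache/apt/** rwk` replaces the read-only `/var/lib/apt/lists/{,*} r` with write and lock on the whole apt cache; if apt_check.py only opens the cache, `r` plus `k` on the lock file alone is the smaller rule — worth checking against the denial log. Because `/{usr/,}bin/{,ba,da}sh`, `chmod` and `rm` are all `rix`, every command the shell runs inherits these grants.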
@@ -18,33 +18,46 @@ profile update-notifier @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ionice rix, /{usr/,}bin/ischroot rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/nice rix, + + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/pkexec rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/update-manager rPx, + /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk rPx, /{usr/,}lib/update-notifier/apt_check.py rix, + /{usr/,}lib/update-notifier/list-oem-metapackages rPx, /{usr/,}lib/update-notifier/livepatch-notification rPx, /{usr/,}lib/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, + /usr/share/apport/apport-gtk rPx, - /usr/share/applications/{,*.desktop} r, + /usr/share/applications/{,**} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, - /usr/share/themes/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/pixmaps/ r, /usr/share/ubuntu/applications/ r, + /usr/share/update-notifier/{,**} r, /usr/share/X11/{,**} r, /etc/machine-id r, /etc/gnome/defaults.list r, + /var/lib/snapd/desktop/applications/{,**} r, + /var/lib/snapd/desktop/icons/ r, /var/lib/update-notifier/user.d/ r, - /var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r, + owner @{user_share_dirs}/applications/ r, + + owner @{run}/user/@{uid}/at-spi/bus rw, + owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 19e51f9b..127a364c 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,11 +8,12 @@ abi , include @{exec_path} = /{usr/,}bin/fwupdmgr -profile fwupdmgr @{exec_path} flags=(complain) { +profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include + include include - include include + include signal (send), @@ -27,26 +28,22 @@ profile fwupdmgr @{exec_path} flags=(complain) { /{usr/,}bin/dbus-launch rCx -> dbus, /{usr/,}bin/pkttyagent rPx, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/fwupd/ rw, - owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/fwupd/ rw, + owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, + + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, owner @{PROC}/@{pid}/fd/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - /dev/tty rw, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - profile dbus { include include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 73e36a65..6de8a18f 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -12,8 +12,7 @@ profile ifup @{exec_path} { include capability net_admin, - # Needed? - audit deny capability sys_module, + audit capability sys_module, network netlink raw, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 96d0818d..db9073cd 100755 --- a/apparmor.d/profiles-g-l/logrotate 
+++ b/apparmor.d/profiles-g-l/logrotate @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/logrotate -profile logrotate @{exec_path} flags=(attach_disconnected, complain) { +profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -71,16 +71,15 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /var/lib/logrotate.status rwk, /var/lib/logrotate.status.tmp rw, + / r, /var/log{,.hdd}/ r, /var/log{,.hdd}/** rw, - # Needed to remove the following error: - # logrotate[]: error: could not change directory to '.' - / r, + @{run}/systemd/private rw, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - profile systemctl flags=(attach_disconnected, complain) { + profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c7de4c65..33176766 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
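Review bot: The justification for `/ r,` (`# Needed to remove the following error:` / `# logrotate[]: error: could not change directory to '.'`) is dropped while the rule is kept and merely moved up; a reader of the new file cannot tell why logrotate needs the filesystem root, so the comment should travel with the rule. `@{run}/systemd/private rw` is systemd's private control socket and is added to the parent profile; if it is only needed when rotated services are restarted via `systemctl`, it belongs in the `profile systemctl` child below, which is the process that talks to systemd. Dropping `complain` from both the parent and the child flags switches logrotate to enforce mode, a behaviour change that a "general update" commit message does not call out.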
@@ -7,28 +7,53 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/needrestart
-profile needrestart @{exec_path} {
+profile needrestart @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
+ include
 include
+ capability checkpoint_restore,
+ capability dac_read_search,
 capability sys_ptrace,
 ptrace (read),
- @{exec_path} mr,
+ @{exec_path} mrix,
- /{usr/,}bin/systemd-detect-virt rPx,
- /{usr/,}bin/who rix,
- /usr/share/debconf/frontend rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/dpkg-query rpx,
+ /{usr/,}bin/locale rix,
+ /{usr/,}bin/python3.[0-9]* rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/systemctl rPx,
+ /{usr/,}bin/systemd-detect-virt rPx,
+ /{usr/,}bin/udevadm rPx,
+ /{usr/,}bin/whiptail rPx,
+ /{usr/,}bin/who rix,
+ /{usr/,}lib/needrestart/iucode-scan-versions rPx,
+ /usr/share/debconf/frontend rix,
+ /usr/share/needrestart/{,**} r,
+ /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
+
+ /etc/debconf.conf r,
 /etc/needrestart/{,**} r,
+ /etc/needrestart/hook.d/* rix,
+ /etc/needrestart/restart.d/* rix,
+ /etc/shadow r,
- @{PROC}/ r,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/@{pids}/environ r,
- @{PROC}/@{pids}/stat r,
+ owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pids}/cgroup r,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pids}/maps r,
+ @{PROC}/@{pids}/stat r,
 /dev/ r,
 /dev/**/ r,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index ce534bde..e0a141ea 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -12,6 +12,8 @@ profile spice-vdagent @{exec_path} {
 include
 include
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+
 @{exec_path} mr,
 /etc/machine-id r,
diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl
index 55251fee..04bfaab9 100644
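Review bot: `/etc/shadow r,` and `capability dac_read_search,` together let needrestart read the password hash database and bypass read permission checks elsewhere, and the hunk gives no reason for either; a comment naming the operation that needs each (shadow access presumably comes from the debconf frontend or a hook, but that is a guess from here) would let a reviewer check whether a narrower rule does the job. `/{usr/,}bin/dpkg-query rpx,` uses lowercase `p`, which unlike every other profile transition in this hunk (`rPx`) does not scrub the environment when switching profiles; if that is unintended, `/{usr/,}bin/dpkg-query rPx,` is the consistent form. Note also that `/etc/needrestart/hook.d/* rix,` and `/etc/needrestart/restart.d/* rix,` together with `/{usr/,}bin/{,ba,da}sh rix,` run administrator-supplied scripts inside this profile with its now-widened permissions (`ix` inherits the profile); a comment recording that this is the accepted design would stop the question being re-raised. The profile continues outside the hunk.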
--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/profiles-s-z/sysctl
@@ -10,7 +10,6 @@ include
 profile sysctl @{exec_path} {
 include
- capability mac_admin,
 capability net_admin,
 capability sys_admin,
 capability sys_resource,
diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found
index c256bc06..3647063b 100644
--- a/apparmor.d/profiles-s-z/update-command-not-found
+++ b/apparmor.d/profiles-s-z/update-command-not-found
@@ -19,6 +19,7 @@ profile update-command-not-found @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/python3.[0-9]* r,
+ /{usr/,}lib/ r,
 /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}lib/apt/apt-helper rix,
From e9496546141039abe5810a7a1c32a637b34012c9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol Date: Sun, 5 Jun 2022 22:57:29 +0100 Subject: [PATCH 035/165] feat(profiles): dbus abstractions and related rules. --- apparmor.d/groups/apt/apt | 1 + .../groups/apt/unattended-upgrade-shutdown | 1 + apparmor.d/groups/bus/ibus-daemon | 3 ++- apparmor.d/groups/bus/ibus-engine-simple | 3 +-- apparmor.d/groups/bus/ibus-extension-gtk3 | 7 +++--- apparmor.d/groups/bus/ibus-memconf | 5 +++-- apparmor.d/groups/bus/ibus-portal | 4 ++-- apparmor.d/groups/bus/ibus-x11 | 9 ++++++-- .../groups/freedesktop/at-spi2-registryd | 1 + apparmor.d/groups/freedesktop/colord-sane | 1 + apparmor.d/groups/freedesktop/dconf-service | 4 +--- apparmor.d/groups/freedesktop/pipewire | 1 + .../groups/freedesktop/polkit-agent-helper | 1 + .../groups/freedesktop/xdg-desktop-portal | 1 + .../freedesktop/xdg-desktop-portal-gnome | 2 ++ .../groups/freedesktop/xdg-desktop-portal-gtk | 3 +++ .../groups/freedesktop/xdg-permission-store | 1 + .../gnome/evolution-addressbook-factory | 2 ++ .../groups/gnome/evolution-alarm-notify | 2 ++ .../groups/gnome/evolution-calendar-factory | 2 ++ .../groups/gnome/evolution-source-registry | 1 + apparmor.d/groups/gnome/gdm-wayland-session | 1 + apparmor.d/groups/gnome/gjs-console | 1 + apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + .../groups/gnome/gnome-remote-desktop-daemon | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 + .../groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/goa-daemon | 2 ++ apparmor.d/groups/gnome/goa-identity-service | 1 + apparmor.d/groups/gnome/gsd-a11y-settings | 1 + apparmor.d/groups/gnome/gsd-color | 3 +++ apparmor.d/groups/gnome/gsd-datetime | 1 + .../groups/gnome/gsd-disk-utility-notify | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-keyboard | 3 +++ apparmor.d/groups/gnome/gsd-media-keys | 6 ++--- apparmor.d/groups/gnome/gsd-power | 5 +++-- .../groups/gnome/gsd-print-notifications | 1 +
apparmor.d/groups/gnome/gsd-printer | 1 + apparmor.d/groups/gnome/gsd-rfkill | 1 + apparmor.d/groups/gnome/gsd-screensaver-proxy | 1 + apparmor.d/groups/gnome/gsd-sharing | 2 ++ apparmor.d/groups/gnome/gsd-smartcard | 1 + apparmor.d/groups/gnome/gsd-sound | 1 + apparmor.d/groups/gnome/gsd-wacom | 3 +++ apparmor.d/groups/gnome/gsd-xsettings | 8 ++++--- apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/tracker-miner | 1 + .../groups/gvfs/gvfs-afc-volume-monitor | 1 + .../groups/gvfs/gvfs-goa-volume-monitor | 1 + .../groups/gvfs/gvfs-gphoto2-volume-monitor | 1 + .../groups/gvfs/gvfs-mtp-volume-monitor | 1 + .../groups/gvfs/gvfs-udisks2-volume-monitor | 1 + apparmor.d/groups/gvfs/gvfsd-fuse | 5 +++-- apparmor.d/groups/gvfs/gvfsd-metadata | 2 ++ apparmor.d/groups/gvfs/gvfsd-trash | 1 + apparmor.d/groups/network/networkd-dispatcher | 1 + apparmor.d/groups/ssh/sshd | 20 +---------------- apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-s-z/spice-vdagent | 2 ++ apparmor.d/profiles-s-z/su | 22 +------------------ 62 files changed, 101 insertions(+), 66 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index cddabf04..7e0c09b6 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -11,6 +11,7 @@ include
 profile apt @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown
index d93d7ea5..b6815bd2 100644
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown
 profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index 253deed0..baa8420c 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -9,6 +9,8 @@ include
 @{exec_path} = /{usr/,}bin/ibus-daemon
 profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
 include
 signal (receive) set=(usr1) peer=gnome-shell,
@@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- owner @{user_config_dirs}/ibus/{,**} rw,
 owner @{user_cache_dirs}/ibus/{,**} rw,
 /var/lib/gdm{3,}/.config/ibus/{,**} rw,
 /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple
index 39025957..eacefcd1 100644
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{libexec}/ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
 include
+ include
 signal (receive) set=term peer=ibus-daemon,
@@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
- owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
 /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
 /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3
index 23f43557..ae392bd4 100644
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@@ -10,10 +10,12 @@ include
 @{exec_path} += @{libexec}/ibus-extension-gtk3
 profile ibus-extension-gtk3 @{exec_path} {
 include
+ include
 include
 include
 include
 include
+ include
 include
 signal (receive) set=term peer=ibus-daemon,
@@ -35,11 +37,10 @@ profile ibus-extension-gtk3 @{exec_path} {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
- owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/wayland-[0-9] rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index e13dc99c..29c689e9 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -9,14 +9,15 @@ include
 @{exec_path} = @{libexec}/ibus-memconf
 profile ibus-memconf @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
+ /etc/machine-id r,
+
 /var/lib/gdm{3,}/.config/ibus/bus/ r,
 /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
- owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index ba452812..2438a72a 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -10,6 +10,8 @@ include
 @{exec_path} += @{libexec}/ibus-portal
 profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
 signal (receive) set=(term, hup) peer=gdm*,
@@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 /var/lib/dbus/machine-id r,
 /var/lib/gdm/.config/ibus/bus/ r,
 /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
- owner @{user_config_dirs}/ibus/bus/ r,
- owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
 owner /dev/tty[0-9]* rw,
 /dev/null rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index b36b22cf..159806e3 100644
--- a/apparmor.d/groups/bus/ibus-x11
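Review bot: `owner @{run}/user/@{uid}/wayland-[0-9] rw,` uses a single-digit glob, while the same rule added elsewhere in this commit uses `wayland-[0-9]*` (xdg-desktop-portal-gnome, xdg-desktop-portal-gtk, gsd-media-keys, gsd-xsettings) and the single-digit form recurs in gsd-color, gsd-keyboard, gsd-power and gsd-wacom; the two patterns diverge as soon as a compositor creates a display socket numbered 10 or higher, so one form should be chosen for all of them. The `at-spi/bus` plus `wayland-*` pair is now copied into roughly ten profiles by this commit, which is exactly the kind of repeated rule block the commit otherwise moves into abstractions, and an abstraction would keep the glob consistent by construction. The enclosing profile continues outside the hunk.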
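Review bot: `+ /etc/machine-id r,` is added to ibus-memconf while gsd-media-keys and gsd-power remove both `/etc/machine-id r,` and `/var/lib/dbus/machine-id r,` in this same commit, presumably because the abstraction they now include carries those rules; if ibus-memconf includes the same abstraction the new line is redundant, and if it does not, the gsd removals are the inconsistent side. A one-line comment naming which abstraction provides machine-id would settle it for both. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while it is being edited.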
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -18,16 +18,21 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 include
 include
+ unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
+
 @{exec_path} mr,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
- owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
 /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+ owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+ owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
+ owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index 46dc955d..63fbbd70 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 signal (receive) set=(term hup) peer=gdm*,
diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane
index ed183ba5..1ce827e2 100644
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/colord-sane
 profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
 include
+ include
 include
 network netlink raw,
diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service
index 4782267f..b44496f7 100644
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
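Review bot: The two `owner @{user_config_dirs}/ibus/bus/...` rules are removed and re-added two lines lower in ibus-x11, whereas ibus-daemon, ibus-engine-simple, ibus-portal and ibus-memconf drop the same rules outright in this commit, presumably because the abstraction they now include provides them; ibus-x11 should either rely on that abstraction the same way or carry a comment explaining why it keeps explicit copies. Likewise `owner @{run}/user/@{uid}/bus rw,` is added here while gnome-extension-ding removes the identical rule in the same commit. `unix (connect, receive, send) type=stream peer=(label=ibus-daemon),` is the right shape for a label-scoped socket rule, but unix mediation needs a matching rule on the peer and the ibus-daemon hunk in this commit adds none; if it is not already present there, the connection will be refused once both profiles are enforced. The enclosing profile starts outside the hunk.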
@@ -9,9 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
 include
-
- # Needed?
- deny capability sys_nice,
+ include
 signal (receive) set=(term kill hup) peer=dbus-daemon,
 signal (receive) set=(term hup) peer=gdm*,
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index 2eea607f..76220f9f 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -11,6 +11,7 @@ include
 profile pipewire @{exec_path} {
 include
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index e4d804aa..e04c0259 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
 profile polkit-agent-helper @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index e366fd26..9fd68336 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 6b177afb..22f60b38 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} {
 include
+ include
 include
 include
 include
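Review bot: Dropping `deny capability sys_nice,` from dconf-service changes what is logged rather than what is permitted: an explicit `deny` rule both refuses the access and suppresses the audit entry for it, so after this change a sys_nice attempt is still refused by the default-deny policy but now shows up in the audit log. If the intent is to keep the log quiet, the rule can stay without the `# Needed?` question; if the intent is to find out whether dconf-service ever asks for it, the new logging is exactly the right tool, and a short comment such as `# sys_nice deliberately not granted; watch the audit log` would tell the next reader which one was meant.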
@@ -31,6 +32,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 owner @{user_share_dirs}/ r,
 owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 99622476..2e94f0ff 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
 include
+ include
 include
 include
 include
@@ -31,7 +32,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 owner @{HOME}/@{XDG_DATA_HOME}/ r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 @{run}/mount/utab r,
 owner @{PROC}/@{uid}/mountinfo r,
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index d8dce5fd..fd496df8 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-permission-store
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 include
+ include
 signal (receive) set=(term hup kill) peer=dbus-daemon,
 signal (receive) set=(term hup kill) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index a036ee7e..bc313353 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{libexec}/evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
 include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index e1e49b08..0a7c3adf 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify
 profile evolution-alarm-notify @{exec_path} {
 include
+ include
 include
 include
 include
@@ -23,6 +24,7 @@ profile evolution-alarm-notify @{exec_path} {
 /usr/share/ubuntu/applications/ r,
 /usr/share/zoneinfo-icu/{,**} r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 40661e7c..132540ad 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{libexec}/evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
 include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index e488818b..61ab2e0b 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/evolution-source-registry
 profile evolution-source-registry @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 57c084d5..b07fe0e9 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 7af35a3d..1d385bb4 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 564dba30..030e1214 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
 include
+ include
 include
 include
 include
@@ -36,7 +37,6 @@ profile gnome-extension-ding @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/home r,
 owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
- owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index 65513850..3f499354 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index 44844ad3..4101886e 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gnome-remote-desktop-daemon
 profile gnome-remote-desktop-daemon @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 78fee1df..91743684 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index 005072d5..b50bfcb6 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gnome-shell-calendar-server
 profile gnome-shell-calendar-server @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 684080be..9a30738f 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{libexec}/goa-daemon
 profile goa-daemon @{exec_path} {
 include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service
index 6a728d63..c7b98a84 100644
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@@ -10,6 +10,7 @@ include
 profile goa-identity-service @{exec_path} {
 include
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
index 8be54615..a1388d9f 100644
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-a11y-settings
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index c83666a2..3e3de47c 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -35,9 +36,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/icc/ r,
 owner @{user_share_dirs}/icc/edid-*.icc rw,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/wayland-[0-9] rw,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index e7d51d5b..41df5db4 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-datetime
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index ccec1b6a..f1c5d57b 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-disk-utility-notify
 profile gsd-disk-utility-notify @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index d9ede44b..e5ce47c2 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -10,6 +10,7 @@ include
 profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index 216a23cb..6a2037a2 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -31,9 +32,11 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
 owner @{user_share_dirs}/gnome-settings-daemon/ rw,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/wayland-[0-9] rw,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 310336b2..96288a87 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -10,6 +10,7 @@ include
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -30,9 +31,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 /usr/share/sounds/freedesktop/stereo/*.oga r,
 /usr/share/X11/xkb/** r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
-
 owner @{user_config_dirs}/pulse/ rw,
 owner @{user_share_dirs}/ r,
@@ -43,9 +41,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm/.config/pulse/client.conf r,
 /var/lib/gdm/.config/pulse/cookie rk,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index c674d1e5..41f28908 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -10,6 +10,7 @@ include
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -28,15 +29,15 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 /usr/share/icons/{,**} r,
 /usr/share/X11/xkb/** r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
 /var/lib/gdm/.cache/event-sound-cache.tdb.* rwk,
 /var/lib/gdm/.config/dconf/user r,
 /var/lib/gdm/.config/pulse/client.conf r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/wayland-[0-9] rw,
 @{run}/udev/data/+backlight:* r,
 @{run}/udev/data/+leds:*backlight* r,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index de6c3a28..aa62b6f5 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index eccc4180..15590b73 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-printer
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index a44ecbbe..3bb20459 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
index b6058e22..b0d8a552 100644
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-screensaver-proxy
 profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
 include
+ include
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 7cada0c7..5b20cc4f 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{libexec}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index fca97800..31e0cf77 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-smartcard
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index 83a7520c..e64fbb8b 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -10,6 +10,7 @@ include
 profile gsd-sound @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 8585d792..c723369b 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-wacom
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -28,9 +29,11 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/wayland-[0-9] rw,
 /var/lib/gdm/.config/dconf/user r,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 2ac7d10b..d3f6ec90 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-xsettings
 profile gsd-xsettings @{exec_path} {
 include
+ include
 include
 include
 include
@@ -49,13 +50,14 @@ profile gsd-xsettings @{exec_path} {
 owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
-
- owner @{run}/systemd/users/@{uid}/ r,
+ owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 @{run}/systemd/sessions/* r,
+ @{run}/systemd/users/@{uid} r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 5ad4d7a0..6c48c596 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
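Review bot: `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,` in the gsd-xsettings hunk carries a character class with `A-z`, which spans the ASCII range between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick) and is almost certainly a typo for `A-Z`; the line is only moved, but since it lands on the new side it is worth correcting to `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-Z0-9]* r,`, or to the `[0-9A-Z]*` spelling used for the same file in ibus-x11 and xdg-desktop-portal-gtk in this commit. The switch from `owner @{run}/systemd/users/@{uid}/ r,` to `@{run}/systemd/users/@{uid} r,` looks like a genuine fix, since those entries are presumably root-owned and `owner` could then never match for the session user, but a short comment saying so would stop someone re-adding `owner` later. The enclosing profile starts outside the hunk.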
@@ -10,6 +10,7 @@ include
 profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index dd45b726..7846a464 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index 5373623e..1baa4eda 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{libexec}/gvfs-afc-volume-monitor
 profile gvfs-afc-volume-monitor @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 1eaa0116..d55fa7de 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{libexec}/gvfs-goa-volume-monitor
 profile gvfs-goa-volume-monitor @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index 88864385..b5844365 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor
 profile gvfs-gphoto2-volume-monitor @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index 94978f25..1163dd54 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-mtp-volume-monitor profile gvfs-mtp-volume-monitor @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 0f32b016..59db2bb3 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 62248a59..d4a8184e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-fuse profile gvfsd-fuse @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 3a0e7d74..fb46ee85 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-metadata profile gvfsd-metadata @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 196a07e8..906aff69 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash 
@@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-trash profile gvfsd-trash @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 0572caee..ed8fe89c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -15,6 +15,7 @@ profile networkd-dispatcher @{exec_path} { @{exec_path} mr, + /{usr/,}bin/ r, /{usr/,}bin/networkctl rPx, @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 8b492322..a1937b01 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -19,6 +19,7 @@ include profile sshd @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -98,24 +99,5 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - - # DBus - @{run}/dbus/system_bus_socket rw, - - dbus send - bus=system - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=org.freedesktop.DBus), - - dbus send - bus=system - path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CreateSession,ReleaseSession} - peer=(name=org.freedesktop.login1), - include if exists } diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 127a364c..6c75dc05 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/fwupdmgr profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include + include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index e0a141ea..50344f35 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
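Review bot: The include added in the first sshd hunk stands in for the explicit `dbus send` rules removed in the second one, but the include's argument is not visible in this rendering, so the diff alone cannot confirm that sshd still gets `CreateSession`/`ReleaseSession` on `/org/freedesktop/login1` with `peer=(name=org.freedesktop.login1)`; if the abstraction only covers the bus-driver `Hello` traffic and `@{run}/dbus/system_bus_socket`, the login1 rule should stay in the profile. The same hunk also deletes `@{run}/systemd/userdb/io.systemd.DynamicUser w,`, which is not a D-Bus rule; if that removal is deliberate it deserves a word of explanation, since a login that needs it would only surface as an audit denial.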
@@ -10,6 +10,7 @@ include profile spice-vdagent @{exec_path} { include include + include include unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), @@ -21,6 +22,7 @@ profile spice-vdagent @{exec_path} { owner @{user_config_dirs}/user-dirs.dirs r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, @{run}/spice-vdagentd/spice-vdagent-sock rw, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 24654d78..b7ea89fc 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -11,6 +11,7 @@ profile su @{exec_path} { include include include + include include include # include @@ -54,28 +55,7 @@ profile su @{exec_path} { @{PROC}/cmdline r, @{sys}/devices/virtual/tty/console/active r, - # pseudo-terminal - capability chown, - /dev/{,pts/}ptmx rw, - - @{run}/dbus/system_bus_socket rw, - - dbus (send) - bus=system - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=org.freedesktop.DBus), - - dbus (send) - bus=system - path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={CreateSession,ReleaseSession}, - - unix (bind) type=dgram, - /dev/tty[0-9]* rw, include if exists From 583d7a15f0af96cbe9596ab3c771dd75b3c1486e Mon Sep 17 00:00:00 2001 
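Review bot: The second su hunk removes `capability chown,`, `/dev/{,pts/}ptmx rw,` and `unix (bind) type=dgram,` together with the D-Bus rules, although none of the three is a D-Bus rule; unless the include added in the first hunk (its argument is not visible here) carries them, `su` loses its pseudo-terminal setup along with the `# pseudo-terminal` comment that explained it. If they were confirmed redundant, a comment such as `# pty and dbus rules come from the included abstraction` next to the include would document the move; otherwise the three lines should be restored.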
From: Alexandre Pujol Date: Sun, 5 Jun 2022 23:06:14 +0100 Subject: [PATCH 036/165] feat(profiles): add dbus rules for some common profiles. --- apparmor.d/groups/freedesktop/accounts-daemon | 27 ++++++++++ apparmor.d/groups/freedesktop/colord | 18 +++++-- apparmor.d/groups/freedesktop/colord-sane | 11 +++++ .../groups/freedesktop/pipewire-media-session | 10 ++++ apparmor.d/groups/freedesktop/polkitd | 19 +++++++ apparmor.d/groups/freedesktop/upowerd | 14 ++++++ .../groups/freedesktop/xdg-desktop-portal | 16 ++++++ .../freedesktop/xdg-desktop-portal-gnome | 8 +++ .../groups/freedesktop/xdg-desktop-portal-gtk | 8 +++ .../gnome/evolution-addressbook-factory | 16 ++++++ .../groups/gnome/evolution-calendar-factory | 4 ++ apparmor.d/groups/gnome/gdm | 24 +++++++++ apparmor.d/groups/gnome/gdm-session-worker | 16 ++++++ apparmor.d/groups/gnome/gdm-wayland-session | 4 ++ apparmor.d/groups/gnome/gnome-extension-ding | 16 ++++++ apparmor.d/groups/gnome/gnome-session-binary | 16 ++++++ apparmor.d/groups/gnome/gnome-shell | 49 +++++++++++++++++++ apparmor.d/groups/gnome/goa-daemon | 4 ++ apparmor.d/groups/gnome/gsd-color | 12 +++++ .../groups/gnome/gsd-disk-utility-notify | 8 +++ apparmor.d/groups/gnome/gsd-media-keys | 16 ++++++ apparmor.d/groups/gnome/gsd-power | 27 ++++++++++ .../groups/gnome/gsd-print-notifications | 12 +++++ apparmor.d/groups/gnome/gsd-printer | 10 ++++ apparmor.d/groups/gnome/gsd-rfkill | 20 ++++++++ apparmor.d/groups/gnome/gsd-sharing | 4 ++ apparmor.d/groups/gnome/gsd-xsettings | 8 +++ apparmor.d/groups/gnome/nautilus | 4 ++ apparmor.d/groups/gnome/tracker-miner | 4 ++ .../groups/gvfs/gvfs-udisks2-volume-monitor | 4 ++ apparmor.d/groups/network/NetworkManager | 43 ++++++++++++++++ apparmor.d/groups/systemd/systemd-hostnamed | 3 ++ apparmor.d/groups/systemd/systemd-localed | 3 ++ apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-timedated | 3 ++ .../groups/systemd/systemd-user-runtime-dir | 5 ++ 
apparmor.d/groups/ubuntu/packagekitd | 30 ++++++++++++ apparmor.d/profiles-m-r/power-profiles-daemon | 19 +++++++ apparmor.d/profiles-m-r/rtkit-daemon | 19 +++++++ apparmor.d/profiles-s-z/spice-vdagentd | 6 +++ apparmor.d/profiles-s-z/switcheroo-control | 11 +++++ apparmor.d/profiles-s-z/udisksd | 26 ++++++++++ apparmor.d/profiles-s-z/wpa-supplicant | 11 ++++- 43 files changed, 584 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 04fc326b..04be8d6f 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -23,6 +23,33 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={CheckAuthorization,Changed}, + + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member={PropertiesChanged,GetAll}, + + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member={Changed,SetLanguage}, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={FindUserByName,ListCachedUsers}, + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus bind bus=system + name=org.freedesktop.Accounts, + @{exec_path} mr, /usr/share/accountsservice/{,**} r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 1aaf33ea..da7c5a33 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
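Review bot: The three `dbus (send,receive)` rules at the top of the accounts-daemon hunk grant both directions for every member listed, although, as far as the D-Bus interfaces involved go, each member is used in one direction only: the daemon sends `CheckAuthorization` and receives the polkit `Changed` signal, emits `PropertiesChanged`/`Changed` on its own user objects and receives `GetAll`/`SetLanguage`. The merged form therefore also lets it receive `CheckAuthorization` calls and send `GetAll` or `SetLanguage`, which a least-privilege profile should not need; splitting each into a `dbus send` and a `dbus receive` rule keeps the grant tight. None of the send rules carries a `peer=(name=...)` either, unlike the pipewire-media-session hunk in this commit. The same merged-direction pattern recurs in the colord, upowerd, gdm, gnome-shell, gsd-power, gsd-xsettings and gsd-print-notifications hunks.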
@@ -17,12 +17,24 @@ profile colord @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send - bus=system - path=/org/freedesktop/ColorManager/devices/xrandr_* + dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.{DBus.Properties,ColorManager}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus bind bus=system + name=org.freedesktop.ColorManager, + @{exec_path} mr, /{usr/,}lib/colord/colord-sane rPx, diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index 1ce827e2..9223002a 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -16,6 +16,17 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager, + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow}, + @{exec_path} mr, /usr/share/snmp/mibs/{,*} r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 180ee969..eca96bdf 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session 
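Review bot: The colord-sane receive rule uses `path=/Client[0-9]/ServiceBrowser[0-9]`, a single digit per component, while the gsd-print-notifications hunk in this commit writes the same Avahi objects as `/Client[0-9]*/ServiceBrowser[0-9]*`; Avahi numbers clients sequentially, so the single-digit form stops matching once the counter passes nine. Change it to `dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*` so both profiles agree.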
@@ -20,6 +20,16 @@ profile pipewire-media-session @{exec_path} { network bluetooth stream, network netlink raw, + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.RealtimeKit1), + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit1 + member=MakeThreadRealtime + peer=(name=org.freedesktop.RealtimeKit1), + @{exec_path} mr, /usr/share/alsa-card-profile/{,**} r, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 982f8f85..323ac40f 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -22,6 +22,25 @@ profile polkitd @{exec_path} { ptrace (read), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName}, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={Changed,BeginAuthentication}, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={GetAll,CheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2,EnumerateActions,CancelCheckAuthorization}, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus bind bus=system + name=org.freedesktop.PolicyKit[0-9], + @{exec_path} mr, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index f8f7cbfc..d977b692 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
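Review bot: In the polkitd hunk, `GetAll` is listed under `interface=org.freedesktop.PolicyKit[0-9].Authority`, but it is an `org.freedesktop.DBus.Properties` method and is already granted by the Properties rule that follows, so that entry never matches and only obscures what the Authority rule allows; drop it, leaving `member={CheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2,EnumerateActions,CancelCheckAuthorization},`. The `dbus bind bus=system name=org.freedesktop.PolicyKit[0-9],` rule lets the daemon claim any of ten names when only one exists; a literal name here would cost nothing and make the intent explicit.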
@@ -16,6 +16,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} + interface=org.freedesktop.{DBus.Properties,UPower*}, + + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member={PropertiesChanged,GetAll}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus bind bus=system + name=org.freedesktop.UPower, + @{exec_path} mr, /etc/UPower/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 9fd68336..cc260c50 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -21,6 +21,22 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace (read), + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, + + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=StateChanged, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 22f60b38..cb2c7337 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
@@ -19,6 +19,14 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member=Changed, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 2e94f0ff..1d95d895 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -20,6 +20,14 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member=Changed, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index bc313353..a4ccf153 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory 
@@ -23,6 +23,22 @@ profile evolution-addressbook-factory @{exec_path} { network inet6 dgram, network netlink raw, + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/locale[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 132540ad..4172e513 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -23,6 +23,10 @@ profile evolution-calendar-factory @{exec_path} { network inet6 dgram, network netlink raw, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index a3cade38..1358ba23 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm 
@@ -26,6 +26,30 @@ profile gdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term), + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.Accounts.User + member={Changed,GetAll,PropertiesChanged}, + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.{DBus.Properties,Accounts} + member={GetAll,ListCachedUsers,FindUserByName}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login1.Manager + member={ListSeats,ActivateSessionOnSeat,UnlockSession}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser}, + + dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/gnome/DisplayManager/Manager + interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager} + member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel}, + @{exec_path} mr, /{usr/,}{s,}prime-switch rPx, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 24b8902b..a3bf855e 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker 
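Review bot: The first gdm rule lists `GetAll` and `PropertiesChanged` under `interface=org.freedesktop.Accounts.User`, but those are `org.freedesktop.DBus.Properties` members, so unless Accounts.User itself exposes them that part of the rule never matches and the Properties traffic on `/org/freedesktop/Accounts/User@{uid}` is not actually permitted; the same `GetAll` under `Accounts.User` appears in the gsd-xsettings hunk of this commit. Reduce the existing rule to `member=Changed,` and add a companion `dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged},`. The login1 send rule also spells the interface `org.freedesktop.login1.Manager` while its path is `/org/freedesktop/login[0-9]` and every other rule in the commit writes `org.freedesktop.login[0-9].Manager`; harmless, but worth aligning.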
@@ -41,6 +41,22 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts} + member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=CreateSession, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member=Changed, + @{exec_path} mrix, /{usr/,}bin/gnome-keyring-daemon rPx, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index b07fe0e9..be6fc046 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -21,6 +21,10 @@ profile gdm-wayland-session @{exec_path} { signal (send) set=(term) peer=dbus-daemon, signal (send) set=(term) peer=gnome-session-binary, + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.DisplayManager.Manager + member=RegisterDisplay, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 030e1214..a3ddf738 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding 
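Review bot: The first gdm-session-worker send rule uses `interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts}`, and since AppArmor matches these values literally unless globbed, `org.freedesktop.Accounts` does not cover `org.freedesktop.Accounts.User`, so `SetLanguage` on `/org/freedesktop/Accounts/User[0-9]*` is not granted by it. `Changed` and `PropertiesChanged` are signals the worker receives (the two receive rules below already cover them), so they are dead entries in a send rule. A tighter form is `interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts,org.freedesktop.Accounts.User}` with `member={GetAll,FindUserByName,SetLanguage},`.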
@@ -16,6 +16,22 @@ profile gnome-extension-ding @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={ListNames,ListActivatableNames}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspec, + + dbus send bus=system path=/net/hadess/SwitcherooControl + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /{usr/,}bin/env rix, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 91743684..f9d5260e 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -27,6 +27,22 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CanPowerOff,GetSession}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.login[0-9].Session + member=SetIdleHint, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 07657a3b..2b77f2dc 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
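Review bot: The gnome-extension-ding rule `member=Introspec,` on `interface=org.freedesktop.DBus.Introspectable` looks like a truncated `Introspect`; the standard method is `Introspect`, so as written the rule never matches and the call is silently denied. Change it to `member=Introspect,`. The profile body continues outside the hunk.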
@@ -43,6 +43,55 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.login[0-9].Session + member={ReleaseDevice,TakeControl,TakeDevice,PauseDevice}, + + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={CheckAuthorization,RegisterAuthenticationAgent,Changed}, + + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.DisplayManager.Manager + member=RegisterSession + peer=(name=org.gnome.DisplayManager), + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CanSuspend,CanRebootToBootLoaderMenu,GetSession,Inhibit}, + + dbus send bus=system path=/net/hadess/SwitcherooControl + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member=GetDefaultDevice, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + 
member=PropertiesChanged, + @{exec_path} mr, /{usr/,}bin/Xwayland rPx, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 9a30738f..d181eff2 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -25,6 +25,10 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 3e3de47c..f5fdbcee 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -18,6 +18,18 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=system path=/org/freedesktop/ColorManager/devices/xrandr_* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member={FindDeviceByProperty,GetDevices,CreateDevice}, + + dbus receive bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member={DeviceAdded,ProfileAdded}, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index f1c5d57b..b2638249 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
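Review bot: The gnome-shell rule `dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects,` carries no `peer=`, so it allows the call to whichever service exposes an object manager at `/org/freedesktop`, and the diff does not say which service gnome-shell actually needs. The `org.gnome.DisplayManager` rule a few lines above shows the `peer=(name=...)` form that would pin it, and a short comment naming the target service would help even if the peer is left open. This hunk starts on the previous line.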
@@ -12,6 +12,14 @@ profile gsd-disk-utility-notify @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/UDisks2 + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop/UDisks2/** + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 96288a87..654541e0 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -21,6 +21,22 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 41f28908..29bcd906 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power 
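Review bot: The gsd-disk-utility-notify receive rule on `path=/org/freedesktop/UDisks2/**` accepts `PropertiesChanged` from any sender, whereas the gvfs-udisks2-volume-monitor hunk in this commit scopes its UDisks2 traffic with `peer=(label=udisksd)`; since udisksd has a profile in this repository, the same constraint fits here, e.g. `dbus receive bus=system path=/org/freedesktop/UDisks2/** interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(label=udisksd),`. Note also that `/**` excludes the root object `/org/freedesktop/UDisks2` itself, which the gvfs rule includes via `{,/**}`; that is fine if only sub-objects emit the signal.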
@@ -21,6 +21,33 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} + interface=org.freedesktop.{DBus.Properties,UPower*}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto + interface=org.freedesktop.login[0-9].Session + member=SetBrightness, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index aa62b6f5..98563afd 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -19,6 +19,18 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send) set=(hup) peer=gsd-printer, + dbus (send,receive) bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free}, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping, + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew}, + @{exec_path} mr, @{libexec}/gsd-printer rPx, 
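Review bot: The first gsd-power rule, `dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,UPower*},`, has no `member=` and is the same rule the upowerd hunk uses for the service side; for a client it allows calling every UPower method and emitting anything under those interfaces. The gsd-media-keys and tracker-miner hunks in this commit get by with `member=GetAll` on the same paths, so presumably `dbus send ... interface=org.freedesktop.DBus.Properties member=GetAll,` plus `dbus receive ... member=PropertiesChanged,` would suffice here; if other UPower members are really needed they should be listed.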
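Review bot: The gsd-print-notifications Avahi rule lists `member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free},`, repeating two members; write `member={CacheExhausted,AllForNow,Free},`. Of those, `Free` is a method the profile calls and the other two are signals it receives, so the rule is better split into a `dbus send ... member=Free,` and a `dbus receive ... member={CacheExhausted,AllForNow},` pair rather than granting both directions for all three.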
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 15590b73..6f8d0db3 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -15,6 +15,16 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReleaseName, + + dbus bind bus=system + name=com.redhat.NewPrinterNotification, + + dbus bind bus=system + name=com.redhat.PrinterDriversInstaller, + @{exec_path} mr, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 3bb20459..52d98363 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -16,6 +16,26 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /sys/devices/virtual/misc/rfkill/uevent r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 5b20cc4f..dc5c2d99 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing 
@@ -15,6 +15,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term, hup) peer=gdm*, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index d3f6ec90..0b9f3fa8 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -26,6 +26,14 @@ profile gsd-xsettings @{exec_path} { network inet6 dgram, network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.Accounts.User + member={SetInputSources,Changed,GetAll}, + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=FindUserByName, + @{exec_path} mr, /{usr/,}bin/cat rix, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 6c48c596..045b12e5 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -17,6 +17,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 7846a464..57435eb6 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -18,6 +18,10 @@ profile tracker-miner @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 59db2bb3..dc3aff19 100644 
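Review bot: In the gsd-xsettings hunk, `GetAll` in `member={SetInputSources,Changed,GetAll},` is a method of `org.freedesktop.DBus.Properties`, not of `org.freedesktop.Accounts.User`, so under `interface=org.freedesktop.Accounts.User` that entry can never match and the property read it is meant to allow stays denied. Give it its own rule, `dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll,`, rather than widening the interface glob. `Changed` looks like a signal the daemon receives while `SetInputSources` is a call it sends, so splitting the `(send,receive)` rule by direction would tighten it further. The profile body continues outside the hunk.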
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -27,6 +27,10 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
 ptrace (read),
+ dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
+ interface=org.freedesktop.{DBus.*,UDisks2.*}
+ peer=(label=udisksd),
+
 @{exec_path} mr,
 /{usr/,}bin/lsof rix,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index e68a51fa..6dd5d195 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -35,6 +35,49 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { network netlink raw, network packet dgram, + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**} + interface=org.freedesktop.{DBus.Properties,NetworkManager*}, + + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={Changed,CheckAuthorization}, + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded, + + dbus send bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher + member=Action + peer=(name=org.freedesktop.nm_dispatcher), + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/resolve[0-9] + interface=org.freedesktop.resolve[0-9].Manager + member=SetLink*, + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionRemoved,UserNew,SessionNew,Inhibit}, + + dbus bind bus=system + name=org.freedesktop.NetworkManager, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 4a830450..8cc0dc4f 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
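Review bot: The rule `dbus send bus=system path=/org/freedesktop/ModemManager[0-9] interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects,` appears twice in the NetworkManager hunk; the second copy can be dropped. The polkit `CheckAuthorization` exchange is written without a `peer=` here and again in the rtkit-daemon and udisksd hunks of this commit, while the systemd-user-runtime-dir hunk pins its logind call with `peer=(name=org.freedesktop.login[0-9])`; `peer=(name=org.freedesktop.PolicyKit[0-9])` on the authorization rules would apply the same discipline to the one call that gates privileged operations. In `dbus receive ... interface=org.freedesktop.login[0-9].Manager member={SessionRemoved,UserNew,SessionNew,Inhibit},`, `Inhibit` looks like a method NetworkManager calls on logind rather than a signal it receives, so that entry probably belongs in a `send` rule — worth checking against the audit log before merging. The profile body continues outside the hunk.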
@@ -23,6 +23,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll},
+ dbus bind bus=system
+ name=org.freedesktop.hostname[0-9],
+
 @{exec_path} mr,
 @{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index efb53cf1..2ebf2685 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -25,6 +25,9 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
+ dbus bind bus=system
+ name=org.freedesktop.locale[0-9],
+
 @{exec_path} mr,
 /usr/share/systemd/language-fallback-map r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 8cedc840..3224e803 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -44,7 +44,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 member=CheckAuthorization,
 dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
- interface=org.freedesktop.systemd[0-9]/.Scope
+ interface=org.freedesktop.systemd[0-9].Scope
 member=Abandon,
 dbus receive bus=system path=/org/freedesktop/systemd[0-9]
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 4f28e457..6e898528 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -23,6 +23,9 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=Get,
+ dbus bind bus=system
+ name=org.freedesktop.timedate[0-9],
+
 @{exec_path} mr,
 /dev/rtc[0-9] r,
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index a4d0a7a0..c5c263a1 100644
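Review bot: The new `dbus bind bus=system name=org.freedesktop.hostname[0-9],` in systemd-hostnamed arrives without a matching `dbus send ... interface=org.freedesktop.DBus member=RequestName` rule, whereas the packagekitd, power-profiles-daemon, switcheroo-control and wpa-supplicant hunks in this commit add the two together; the systemd-localed, systemd-timedated and rtkit-daemon hunks have the same gap. If the bus-driver call is not already covered by an abstraction these profiles include, name acquisition would presumably be refused before the `bind` rule is reached, so either add the send rule or leave a comment stating where it comes from. Note also that the systemd-logind header in this line shows `complain`, so the interface correction there changes what is logged rather than what is enforced until that flag goes.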
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -22,6 +22,11 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index c8e0be36..dfe1983b 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -17,6 +17,36 @@ profile packagekitd @{exec_path} { network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.{DBus.*,PackageKit}, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus bind bus=system + name=org.freedesktop.PackageKit, + @{exec_path} mr, /{usr/,}bin/dpkg rPx, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index ee85a3b0..1cbe45a1 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon 
@@ -17,6 +17,25 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus receive bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus bind bus=system + name=net.hadess.PowerProfiles, + @{exec_path} mr, /var/lib/power-profiles-daemon/{,**} rw, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index ef92160f..f6ab963e 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -21,6 +21,25 @@ profile rtkit-daemon @{exec_path} { capability sys_nice, capability sys_ptrace, + dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member={Get,GetAll}, + + dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit[0-9] + member=MakeThreadRealtimeWithPID, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus bind bus=system + name=org.freedesktop.RealtimeKit[0-9], + @{exec_path} mr, # When applying policies to processes diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index ee7dac59..899c68c7 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd 
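Review bot: The rtkit-daemon hunk's `dbus receive ... interface=org.freedesktop.RealtimeKit[0-9] member=MakeThreadRealtimeWithPID,` admits a single method; clients using the older `MakeThreadRealtime` or `MakeThreadHighPriority` entry points would be denied, which may be the deliberate observed minimum but then deserves a comment such as `# Only the PID-qualified variant has been observed; extend on demand`. The `GetConnectionUnixUser` send is what lets rtkit identify the caller it is about to grant realtime scheduling to, so `peer=(name=org.freedesktop.DBus)` on that rule is cheap hardening in the style this commit already uses for logind in systemd-user-runtime-dir. The profile body continues outside the hunk.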
@@ -13,6 +13,12 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
 capability sys_nice,
+ dbus receive
+ bus=system
+ path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ interface=org.freedesktop.login[0-9].Session
+ member=Unlock,
+
 @{exec_path} mr,
 owner @{run}/spice-vdagentd/spice-vdagent-sock r,
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 2f142a08..8bd1539a 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -15,6 +15,17 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus receive bus=system path=/net/hadess/SwitcherooControl
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus bind bus=system
+ name=net.hadess.SwitcherooControl,
+
 @{exec_path} mr,
 @{run}/udev/data/+drm:* r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index b46cd19b..d2019666 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
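Review bot: The spice-vdagentd rule puts `bus=system` and `path=` on separate continuation lines after a bare `dbus receive`, while every other rule in this commit keeps `dbus <access> bus=system path=...` on the first line; `dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*` followed by the interface and member lines would match the house style. `Unlock` is a logind session signal and the rule has no `peer=`, so `peer=(name=org.freedesktop.login[0-9])` would restrict it to logind as the systemd-user-runtime-dir hunk does for its call. The profile body continues outside the hunk.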
@@ -26,6 +26,32 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.{DBus*,UDisks2*}, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={ReleaseName,GetConnectionUnixUser}, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus bind bus=system + name=org.freedesktop.UDisks2, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index ab75f5d5..eb79c593 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -25,6 +25,13 @@ profile wpa-supplicant @{exec_path} { network packet raw, network packet dgram, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus bind bus=system + name=fi.w1.wpa_supplicant[0-9], + @{exec_path} mr, @{HOME}/.cat_installer/*.pem r, From 5d45b8e7a713fa84f507f4882f99b703a09eda66 Mon Sep 17 00:00:00 2001 
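Review bot: `interface=org.freedesktop.{DBus*,UDisks2*}` in the udisksd hunk uses a bare `*` after each prefix, so it also matches the bus-driver interface `org.freedesktop.DBus` itself and any future `org.freedesktop.UDisks2Foo`, whereas the gvfs-udisks2-volume-monitor hunk in this same commit writes `org.freedesktop.{DBus.*,UDisks2.*}` for the identical object tree. `interface=org.freedesktop.{DBus.*,UDisks2.*}` here keeps the two profiles consistent and excludes the driver interface, which is never exported on UDisks2 paths. The profile body continues outside the hunk.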
From: Alexandre Pujol Date: Thu, 9 Jun 2022 21:55:55 +0100 Subject: [PATCH 037/165] feat(profiles): add the dconf-write abstraction. --- apparmor.d/abstractions/dconf-write | 15 +++++++++++++++ apparmor.d/groups/apps/atom | 5 +---- apparmor.d/groups/apps/code | 5 +---- apparmor.d/groups/apps/freetube | 5 +---- apparmor.d/groups/apps/thunderbird | 5 +---- apparmor.d/groups/apt/reportbug | 5 +---- apparmor.d/groups/browsers/brave | 5 +---- apparmor.d/groups/browsers/chrome-gnome-shell | 5 +---- apparmor.d/groups/browsers/chromium-chromium | 5 +---- apparmor.d/groups/browsers/firefox | 5 +---- apparmor.d/groups/browsers/firefox-crashreporter | 5 +---- apparmor.d/groups/browsers/opera | 5 +---- apparmor.d/groups/bus/dbus-run-session | 4 +--- apparmor.d/groups/bus/ibus-dconf | 4 +--- apparmor.d/groups/bus/ibus-extension-gtk3 | 4 +--- .../groups/freedesktop/at-spi-bus-launcher | 4 +--- apparmor.d/groups/freedesktop/dconf | 5 +---- apparmor.d/groups/freedesktop/dconf-editor | 16 ++++++---------- apparmor.d/groups/freedesktop/dconf-service | 4 +--- apparmor.d/groups/freedesktop/pulseaudio | 7 +------ apparmor.d/groups/freedesktop/xdg-desktop-portal | 4 +--- .../groups/freedesktop/xdg-desktop-portal-gnome | 3 +-- .../groups/freedesktop/xdg-desktop-portal-gtk | 3 +-- .../groups/gnome/evolution-addressbook-factory | 5 +---- apparmor.d/groups/gnome/evolution-alarm-notify | 4 +--- .../groups/gnome/evolution-calendar-factory | 5 +---- .../groups/gnome/evolution-source-registry | 5 +---- apparmor.d/groups/gnome/gdm-wayland-session | 4 +--- apparmor.d/groups/gnome/gdm-xsession | 5 +---- apparmor.d/groups/gnome/gjs-console | 4 +--- .../gnome/gnome-calculator-search-provider | 4 +--- apparmor.d/groups/gnome/gnome-calendar | 4 +--- apparmor.d/groups/gnome/gnome-contacts | 5 +---- .../groups/gnome/gnome-contacts-search-provider | 5 +---- apparmor.d/groups/gnome/gnome-control-center | 4 +--- .../groups/gnome/gnome-control-center-goa-helper | 3 +-- 
.../gnome/gnome-control-center-print-renderer | 4 +--- .../gnome/gnome-control-center-search-provider | 6 ++---- apparmor.d/groups/gnome/gnome-disk-image-mounter | 5 +---- apparmor.d/groups/gnome/gnome-disks | 5 +---- apparmor.d/groups/gnome/gnome-extension-ding | 4 +--- apparmor.d/groups/gnome/gnome-music | 4 +--- .../groups/gnome/gnome-remote-desktop-daemon | 1 + apparmor.d/groups/gnome/gnome-session-binary | 4 +--- apparmor.d/groups/gnome/gnome-shell | 4 +--- .../groups/gnome/gnome-shell-calendar-server | 5 +---- apparmor.d/groups/gnome/gnome-terminal-server | 4 +--- apparmor.d/groups/gnome/gnome-tweaks | 5 +---- apparmor.d/groups/gnome/goa-daemon | 5 +---- apparmor.d/groups/gnome/gsd-a11y-settings | 5 +---- apparmor.d/groups/gnome/gsd-color | 4 +--- apparmor.d/groups/gnome/gsd-datetime | 5 +---- apparmor.d/groups/gnome/gsd-housekeeping | 5 +---- apparmor.d/groups/gnome/gsd-keyboard | 4 +--- apparmor.d/groups/gnome/gsd-media-keys | 4 +--- apparmor.d/groups/gnome/gsd-power | 4 +--- apparmor.d/groups/gnome/gsd-sharing | 5 +---- apparmor.d/groups/gnome/gsd-smartcard | 5 +---- apparmor.d/groups/gnome/gsd-sound | 5 +---- apparmor.d/groups/gnome/gsd-usb-protection | 5 +---- apparmor.d/groups/gnome/gsd-wacom | 4 +--- apparmor.d/groups/gnome/gsd-xsettings | 4 +--- apparmor.d/groups/gnome/nautilus | 5 +---- apparmor.d/groups/gnome/seahorse | 5 +---- apparmor.d/groups/gnome/tracker-extract | 4 +--- apparmor.d/groups/gnome/tracker-miner | 4 +--- .../groups/gvfs/gvfs-udisks2-volume-monitor | 5 +---- apparmor.d/groups/gvfs/gvfsd-dav | 4 +--- apparmor.d/groups/gvfs/gvfsd-ftp | 5 +---- apparmor.d/groups/gvfs/gvfsd-http | 4 +--- apparmor.d/groups/gvfs/gvfsd-mtp | 4 +--- apparmor.d/groups/gvfs/gvfsd-network | 4 +--- apparmor.d/groups/gvfs/gvfsd-smb | 4 +--- apparmor.d/groups/gvfs/gvfsd-smb-browse | 4 +--- apparmor.d/groups/ubuntu/check-new-release-gtk | 3 +-- apparmor.d/groups/ubuntu/livepatch-notification | 4 +--- .../groups/ubuntu/ubuntu-advantage-notification | 4 +--- 
apparmor.d/groups/ubuntu/update-notifier | 4 +--- apparmor.d/profiles-a-f/arduino | 4 +--- apparmor.d/profiles-a-f/atril | 5 +---- apparmor.d/profiles-a-f/blueman | 5 +---- apparmor.d/profiles-a-f/cawbird | 6 +----- apparmor.d/profiles-a-f/czkawka-gui | 6 +----- apparmor.d/profiles-a-f/deltachat-desktop | 5 +---- apparmor.d/profiles-a-f/dino-im | 5 +---- apparmor.d/profiles-a-f/engrampa | 5 +---- apparmor.d/profiles-a-f/evince | 4 +--- apparmor.d/profiles-a-f/font-manager | 5 +---- apparmor.d/profiles-a-f/fwupdmgr | 5 +---- apparmor.d/profiles-g-l/gajim | 5 +---- apparmor.d/profiles-g-l/gpartedbin | 5 +---- apparmor.d/profiles-g-l/hypnotix | 6 +----- apparmor.d/profiles-g-l/jami-gnome | 5 +---- apparmor.d/profiles-m-r/mediainfo-gui | 6 +----- apparmor.d/profiles-m-r/mission-control | 3 +-- apparmor.d/profiles-m-r/obconf | 5 +---- apparmor.d/profiles-m-r/pulseeffects | 5 +---- apparmor.d/profiles-m-r/qbittorrent | 4 +--- apparmor.d/profiles-s-z/system-config-printer | 4 +--- apparmor.d/profiles-s-z/udiskie | 5 +---- apparmor.d/profiles-s-z/utox | 6 +----- apparmor.d/profiles-s-z/vidcutter | 5 +---- apparmor.d/profiles-s-z/virt-manager | 4 +--- apparmor.d/profiles-s-z/xarchiver | 5 +---- 104 files changed, 124 insertions(+), 371 deletions(-) create mode 100644 apparmor.d/abstractions/dconf-write diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write new file mode 100644 index 00000000..348eb6c9 --- /dev/null +++ b/apparmor.d/abstractions/dconf-write @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Permissions for querying dconf settings with write access; use the dconf +# abstraction first, and dconf-write only for specific application's profile. + + /etc/dconf/** r, + + owner @{user_config_dirs}/dconf/user r, + + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + + include if exists 
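Review bot: The header comment of the new dconf-write abstraction, "use the dconf abstraction first, and dconf-write only for specific application's profile", does not say what the file adds on top of the read-only abstraction, which is the one thing a profile author picking between the two needs to know. Something like `# Write access to the per-user dconf runtime database. Prefer the read-only dconf abstraction; include this one only in profiles of applications that actually change settings.` would make the intent explicit. It may also be worth noting in the comment that `owner @{user_config_dirs}/dconf/user` stays read-only here because writes go through dconf-service, if that is the rationale.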
diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index 13afe288..65d29290 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom profile atom @{exec_path} { include + include include include include @@ -94,10 +95,6 @@ profile atom @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or atom gets crash with the following error: diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index e2bd477c..0ece93b0 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code profile code @{exec_path} { include + include include include include @@ -71,10 +72,6 @@ profile code @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or code gets crash with the following error: diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube index 2cafcf3f..17512fec 100644 --- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/groups/apps/freetube @@ -15,6 +15,7 @@ include profile freetube @{exec_path} { include include + include include include include @@ -67,10 +68,6 @@ profile freetube @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs} r, diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index 93e4ec2f..020fc8a2 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird 
@@ -18,6 +18,7 @@ include profile thunderbird @{exec_path} { include include + include include include include @@ -91,10 +92,6 @@ profile thunderbird @{exec_path} { owner @{HOME}/Mail/ rw, owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Fix error in libglib while saving files as /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ac196d38..ad0867c9 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/reportbug profile reportbug @{exec_path} { include + include include include include @@ -63,10 +64,6 @@ profile reportbug @{exec_path} { /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/gpg rCx -> gpg, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # For sending additional information /etc/** r, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 00541513..870bbd13 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,6 +14,7 @@ include profile brave @{exec_path} { include include + include include include include @@ -105,10 +106,6 @@ profile brave @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or Brave crash with the following error: diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/browsers/chrome-gnome-shell index 83947a43..2c1ac4ef 100644 --- a/apparmor.d/groups/browsers/chrome-gnome-shell +++ b/apparmor.d/groups/browsers/chrome-gnome-shell @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/chrome-gnome-shell profile chrome-gnome-shell @{exec_path} { include - include + include include include include 
@@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index d4c4e6bf..1b98b251 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -106,9 +106,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, # owner @{HOME}/.mozilla/firefox/*/logins.json r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, owner /tmp/scoped_dir*/{,**} rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 3915d065..eee27864 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,7 +15,7 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/tmp/ r, /tmp/ r, owner /tmp/* rw, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 68105d12..1359d53f 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter 
@@ -12,7 +12,7 @@ include @{exec_path} = /{usr/,}lib/firefox/crashreporter profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/mozilla/firefox/*.*/** r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /tmp/ r, /var/tmp/ r, owner /tmp/[0-9a-f]*.{dmp,extra} rw, diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 9727e24c..01e1bf9b 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -13,6 +13,7 @@ include @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer} profile opera @{exec_path} { include + include include include include @@ -83,10 +84,6 @@ profile opera @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or opera crashes with the following error: diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 80b7e6f1..4becf5e7 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/dbus-run-session profile dbus-run-session @{exec_path} { include - include + include signal (receive) set=(term, kill, hup) peer=gdm*, signal (send) set=term peer=dbus-daemon, @@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/dconf/profile/gdm r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.cache/dconf/ rw, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 131ec117..9e3ebd25 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf 
@@ -10,7 +10,7 @@ include @{exec_path} += @{libexec}/ibus-dconf profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include - include + include include signal (receive) set=term peer=ibus-daemon, @@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.cache/dconf/user rw, /var/lib/gdm/.config/dconf/user rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index ae392bd4..b1166f43 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -11,7 +11,7 @@ include profile ibus-extension-gtk3 @{exec_path} { include include - include + include include include include @@ -42,8 +42,6 @@ profile ibus-extension-gtk3 @{exec_path} { owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.config/dconf/user r, include if exists diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 34134f6b..41fbc9ef 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -12,7 +12,7 @@ include profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include include - include + include include signal (receive) set=(term hup kill) peer=dbus-daemon, @@ -35,8 +35,6 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, owner @{run}/user/@{uid}/at-spi/{,bus} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, /var/lib/lightdm/.Xauthority r, 
diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 16212294..536080df 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -9,17 +9,14 @@ include @{exec_path} = /{usr/,}bin/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, @{exec_path} mr, - /etc/dconf/{,**} r, /etc/dconf/db/** rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index d219dc27..5a8c60e9 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,16 +10,15 @@ include @{exec_path} = /{usr/,}bin/dconf-editor profile dconf-editor @{exec_path} { include - include - include + include include + include include - include + include @{exec_path} mr, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + /usr/share/glib-2.0/schemas/{,*} r, # When GSETTINGS_BACKEND=keyfile owner @{user_config_dirs}/glib-2.0/ rw, @@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} { owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw, - /usr/share/glib-2.0/schemas/{,*} r, - owner @{HOME}/.Xauthority r, - - # file_inherit owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index b44496f7..a0a3e09d 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service 
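Review bot: The dconf hunk removes `/etc/dconf/{,**} r,` and relies on the abstraction's `/etc/dconf/** r,`, but `**` does not match the directory `/etc/dconf/` itself, which the `{,**}` form did cover; if the dconf binary enumerates that directory (it did have the permission before), keep `/etc/dconf/ r,` in the profile. The remaining `/etc/dconf/db/** rw,` is unaffected. The profile body continues outside the hunk.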
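Review bot: The last dconf-editor hunk drops `owner @{HOME}/.Xauthority r,` together with the `# file_inherit` comment, and the pulseaudio hunk further on drops both `owner @{HOME}/.Xauthority r,` and `owner @{HOME}/.ICEauthority r,`; those reads are unrelated to the dconf-write refactor the commit message describes. Unless the include added at the top of each of these profiles supplies them, X11 and ICE authority access changes silently, so either mention it in the message or split it into its own commit. The profile bodies continue outside the hunks.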
@@ -10,15 +10,13 @@ include profile dconf-service @{exec_path} flags=(attach_disconnected) { include include + include signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 1025fc33..f1d9cac6 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,6 +14,7 @@ profile pulseaudio @{exec_path} { include include include + include include include include @@ -114,18 +115,12 @@ profile pulseaudio @{exec_path} { owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/cookie k, - owner @{HOME}/.Xauthority r, - owner @{HOME}/.ICEauthority r, - owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/pulse/{,*} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cc260c50..f83f6ea0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -11,7 +11,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include - include + include include include 
@@ -57,8 +57,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/applications/{**,} r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index cb2c7337..3b1e4a55 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -11,7 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include - include + include include include include @@ -39,7 +39,6 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{user_share_dirs}/ r, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 1d95d895..27d663d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -11,7 +11,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include - include + include include include include @@ -41,7 +41,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index a4ccf153..57972147 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory 
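Review bot: Several profiles had narrower dconf rules than the pair removed elsewhere, and all of them now receive whatever the shared abstraction grants: xdg-desktop-portal-gnome and xdg-desktop-portal-gtk here, and gnome-control-center-goa-helper and check-new-release-gtk later in the diff, had only `owner @{run}/user/@{uid}/dconf/user rw` with no directory rule, while gvfs-udisks2-volume-monitor had `owner @{run}/user/@{uid}/dconf/ w` rather than `rw`. That is a small per-profile widening, acceptable for a shared abstraction, but it is worth one sentence in the commit message so that giving up the per-profile minimum is a recorded decision rather than a side effect of the bulk replacement. The include targets are not rendered on this page, so I could not confirm exactly what the replacement grants.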
@@ -12,7 +12,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include @@ -47,9 +47,6 @@ profile evolution-addressbook-factory @{exec_path} { owner @{user_share_dirs}/evolution/{,**} rwk, owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 0a7c3adf..0a246ada 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -10,7 +10,7 @@ include profile evolution-alarm-notify @{exec_path} { include include - include + include include include include @@ -25,8 +25,6 @@ profile evolution-alarm-notify @{exec_path} { /usr/share/zoneinfo-icu/{,**} r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 4172e513..7576ba23 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,7 +12,7 @@ profile evolution-calendar-factory @{exec_path} { include include include - include + include include include include @@ -37,9 +37,6 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 61ab2e0b..0280ccf3 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry 
+++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,7 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include include include @@ -30,9 +30,6 @@ profile evolution-source-registry @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index be6fc046..1805b763 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -12,7 +12,7 @@ profile gdm-wayland-session @{exec_path} { include include include - include + include include include @@ -62,8 +62,6 @@ profile gdm-wayland-session @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/gdm/custom.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 02e9834f..5f3e7745 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,7 +11,7 @@ profile gdm-xsession @{exec_path} { include include include - include + include include @{exec_path} mr, @@ -34,9 +34,6 @@ profile gdm-xsession @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/X11/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 1d385bb4..a77327c0 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
@@ -10,7 +10,7 @@ include profile gjs-console @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -46,8 +46,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 00a762b6..f34ebb82 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/gnome-calculator-search-provider profile gnome-calculator-search-provider @{exec_path} { include - include + include include include @@ -22,8 +22,6 @@ profile gnome-calculator-search-provider @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/icons/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 8af7526e..7274e317 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-calendar profile gnome-calendar @{exec_path} { include - include + include include include include @@ -26,8 +26,6 @@ profile gnome-calendar @{exec_path} { /usr/share/libgweather/Locations.xml r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, include if exists 
diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index ed46dfb1..0ddcf07b 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-contacts profile gnome-contacts @{exec_path} { include - include + include include include include @@ -32,8 +32,5 @@ profile gnome-contacts @{exec_path} { owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_share_dirs}/folks/relationships.ini r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index a926614e..cb8a473a 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include - include + include include include @@ -22,9 +22,6 @@ profile gnome-contacts-search-provider @{exec_path} { owner @{user_share_dirs}/folks/relationships.ini r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 435d438f..2b498d8b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,7 +10,7 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include include include include 
@@ -78,8 +78,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index ebfb36aa..1c02e938 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include - include + include include include include @@ -43,7 +43,6 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-[0-9]*.scope/memory.* r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 4da0a80b..b109d9c4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include + include include include include 
@@ -33,8 +33,6 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{user_share_dirs}/icons/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 692de63e..247eeeac 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/gnome-control-center-search-provider profile gnome-control-center-search-provider @{exec_path} { include - include + include include include include @@ -18,9 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index cccd460e..e034e54a 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include + include include include include @@ -24,9 +24,6 @@ profile gnome-disk-image-mounter @{exec_path} { owner @{MOUNTS}/*/{,**} r, owner /tmp/*/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/mountinfo r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index a1b86d6e..204e198d 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks 
@@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-disks profile gnome-disks @{exec_path} { include - include + include include @{exec_path} mr, @@ -17,9 +17,6 @@ profile gnome-disks @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index a3ddf738..1eab85dc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -11,7 +11,7 @@ profile gnome-extension-ding @{exec_path} { include include include - include + include include include include @@ -54,8 +54,6 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home-*.log r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 2d291652..2fe0625a 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -10,7 +10,7 @@ include profile gnome-music @{exec_path} { include include - include + include include include include @@ -48,8 +48,6 @@ profile gnome-music @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r, owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 4101886e..fb3abe8d 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon 
@@ -10,6 +10,7 @@ include profile gnome-remote-desktop-daemon @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f9d5260e..bb3dabec 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -11,7 +11,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -119,8 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/session_migration-ubuntu r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 2b77f2dc..3633a210 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -13,7 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -171,8 +171,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/vlc/**/*.jpg r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index b50bfcb6..560fbeb9 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server 
@@ -10,7 +10,7 @@ include profile gnome-shell-calendar-server @{exec_path} { include include - include + include include @{exec_path} mr, @@ -20,8 +20,5 @@ profile gnome-shell-calendar-server @{exec_path} { /etc/timezone r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 6b47c216..51cd8765 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,7 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include - include + include include include include @@ -32,8 +32,6 @@ profile gnome-terminal-server @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 4ca8818b..cfe4e9d6 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -10,7 +10,7 @@ include profile gnome-tweaks @{exec_path} { include include - include + include include include include @@ -37,9 +37,6 @@ profile gnome-tweaks @{exec_path} { owner @{user_share_dirs}/recently-used.xbel* rw, owner @{user_share_dirs}/sounds/ r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index d181eff2..6236a78c 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,7 @@ profile goa-daemon @{exec_path} { include include include - include + include include include include 
@@ -35,8 +35,5 @@ profile goa-daemon @{exec_path} { owner @{user_config_dirs}/goa-1.0/accounts.conf r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index a1388d9f..b6a01c29 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,7 +10,7 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -20,9 +20,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index f5fdbcee..223e6243 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -11,7 +11,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -49,8 +49,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/edid-*.icc rw, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 41df5db4..119998b7 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,7 +10,7 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include + include signal (receive) set=(term, hup) peer=gdm*, 
@@ -20,9 +20,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index e5ce47c2..c1508ef7 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -28,9 +28,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_share_dirs}/applications/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 6a2037a2..12ed0972 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -11,7 +11,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -33,8 +33,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-settings-daemon/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 654541e0..e6c67b24 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
@@ -12,7 +12,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -58,8 +58,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/cookie rk, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 29bcd906..cd1a4826 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -12,7 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -61,8 +61,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/client.conf r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index dc5c2d99..9ccb637f 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,7 +12,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -26,9 +26,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 31e0cf77..c542accb 100644 
--- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,7 +10,7 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -21,9 +21,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index e64fbb8b..9d604545 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -11,7 +11,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,9 +29,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index f461d904..4ab3a39e 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -9,14 +9,11 @@ include @{exec_path} = @{libexec}/gsd-usb-protection profile gsd-usb-protection @{exec_path} { include - include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index c723369b..24dd5a3c 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom 
@@ -10,7 +10,7 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -30,8 +30,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 0b9f3fa8..16aeb9ab 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -11,7 +11,7 @@ profile gsd-xsettings @{exec_path} { include include include - include + include include include include @@ -60,8 +60,6 @@ profile gsd-xsettings @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 045b12e5..c612512d 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -11,7 +11,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -50,9 +50,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/nautilus/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index a9a36e9b..7e120cf6 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse 
@@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/seahorse profile seahorse @{exec_path} { include - include + include include include include @@ -25,9 +25,6 @@ profile seahorse @{exec_path} { # Seahorse and SSH keys owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 070db186..2deea030 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/tracker-extract-3 profile tracker-extract @{exec_path} { include - include + include include include include @@ -48,8 +48,6 @@ profile tracker-extract @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/** r, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/blkid/blkid.tab r, @{run}/udev/data/c235:* r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 57435eb6..fe296d94 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,7 +11,7 @@ profile tracker-miner @{exec_path} { include include include - include + include include include include @@ -54,8 +54,6 @@ profile tracker-miner @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/blkid/blkid.tab r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index dc3aff19..e09eb006 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
@@ -13,7 +13,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { include include include - include + include include include include @@ -48,9 +48,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { owner @{MOUNTS}/**/ r, owner @{HOME}/**/ r, - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 6238d434..8b46a207 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-dav profile gvfsd-dav @{exec_path} { include - include + include include include include @@ -28,8 +28,6 @@ profile gvfsd-dav @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mime/mime.cache r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index a700e838..8fca7c25 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-ftp profile gvfsd-ftp @{exec_path} { include - include + include include include @@ -25,8 +25,5 @@ profile gvfsd-ftp @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index bc61b9de..dfdbdd96 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-http profile gvfsd-http @{exec_path} { include - include + include include include include 
@@ -27,8 +27,6 @@ profile gvfsd-http @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index d5483993..2e83b079 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-mtp profile gvfsd-mtp @{exec_path} { include - include + include include include include @@ -26,8 +26,6 @@ profile gvfsd-mtp @{exec_path} { owner @{HOME}/{,**} rw, owner @{MOUNTS}/*/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index df617a47..c57d71de 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,14 +11,12 @@ include @{exec_path} += @{libexec}/gvfsd-network profile gvfsd-network @{exec_path} { include - include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 989a9ad2..10fd9199 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-smb profile gvfsd-smb @{exec_path} { include - include + include include network netlink raw, @@ -26,8 +26,6 @@ profile gvfsd-smb @{exec_path} { /etc/samba/smb.conf r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, include if exists 
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 6ec204d0..b289ed55 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-smb-browse profile gvfsd-smb-browse @{exec_path} { include - include + include include network netlink raw, @@ -27,8 +27,6 @@ profile gvfsd-smb-browse @{exec_path} { /etc/samba/smb.conf r, owner @{run}/samba/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, include if exists diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 79f3b2f9..079a6fa4 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -11,7 +11,7 @@ profile check-new-release-gtk @{exec_path} { include include include - include + include include include include @@ -41,7 +41,6 @@ profile check-new-release-gtk @{exec_path} { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 863cccfe..ece827ff 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include + include include @{exec_path} mr, @@ -20,8 +20,6 @@ profile livepatch-notification @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists 
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index d8f01e8e..d3424c64 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -10,7 +10,7 @@ include profile ubuntu-advantage-notification @{exec_path} { include include - include + include include @{exec_path} mr, @@ -20,8 +20,6 @@ profile ubuntu-advantage-notification @{exec_path} { /usr/share/X11/xkb/{,**} r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index a17b3a6a..4ce92cf6 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -10,7 +10,7 @@ include profile update-notifier @{exec_path} { include include - include + include include include include @@ -58,8 +58,6 @@ profile update-notifier @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index a7af4d7c..60fe89ff 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -10,6 +10,7 @@ include profile arduino @{exec_path} { include include + include include include include @@ -51,9 +52,6 @@ profile arduino @{exec_path} { owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw, owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw, - include - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/arduino/{,**} r, /usr/share/arduino-builder/{,**} r, 
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 3eb4b452..bc7b93e8 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -18,6 +18,7 @@ include @{exec_path} = /{usr/,}bin/atril{,-*} profile atril @{exec_path} { include + include include include include @@ -52,10 +53,6 @@ profile atril @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index d3527585..f0e4c92f 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/blueman-* profile blueman @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -63,10 +64,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/cmdline r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index 7bef336b..3696fd26 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/cawbird profile cawbird @{exec_path} { include + include include include include @@ -42,11 +43,6 @@ profile cawbird @{exec_path} { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - # This is needed as cawbird stores its settings in the dconf database. - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index fe89bcb7..774208fb 100644 
--- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/czkawka_gui profile czkawka-gui @{exec_path} { include + include include include include @@ -38,11 +39,6 @@ profile czkawka-gui @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index ce8e9646..e63a799a 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -16,6 +16,7 @@ include profile deltachat-desktop @{exec_path} { include include + include include include include @@ -46,10 +47,6 @@ profile deltachat-desktop @{exec_path} { owner @{HOME}/.config/DeltaChat/ rw, owner @{HOME}/.config/DeltaChat/** rwk, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner /tmp/[0-9a-f]*/ rw, diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index 692ba3b2..b3dcf12c 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino-im @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dino-im profile dino-im @{exec_path} { include + include include include include @@ -29,10 +30,6 @@ profile dino-im @{exec_path} { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, - include - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/** rwk, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 33acd41f..6d73f41a 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa 
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/engrampa profile engrampa @{exec_path} { include + include include include include @@ -43,10 +44,6 @@ profile engrampa @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /{usr/,}bin/xdg-open rCx -> open, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/engrampa/ rw, / r, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 01509248..6f6b9e29 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/evince /{usr/,}bin/evinced profile evince @{exec_path} { include - include + include include include include @@ -33,8 +33,6 @@ profile evince @{exec_path} { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/evince/{,*} rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /tmp/evince-*/{,**} rw, /tmp/gtkprint* rw, /tmp/*.pdf r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index a215d61a..bda09990 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/font-manager profile font-manager @{exec_path} { include + include include include include @@ -59,10 +60,6 @@ profile font-manager @{exec_path} { @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/{,**} r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Silencer owner /var/cache/fontconfig/ w, deny /var/cache/fontconfig/ w, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6c75dc05..c3adcd6e 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -11,7 +11,7 @@ include profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include include 
@@ -38,9 +38,6 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 8fe3789b..24f97a78 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gajim profile gajim @{exec_path} { include + include include include include @@ -92,10 +93,6 @@ profile gajim @{exec_path} { /tmp/ r, owner /tmp/* rw, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Silencer deny /usr/share/gajim/** w, deny /usr/lib/python3/dist-packages/** w, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 6db45327..42e6f0ca 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gpartedbin profile gpartedbin @{exec_path} { include + include include include include @@ -130,10 +131,6 @@ profile gpartedbin @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, # For fsck of the btrfs filesystem diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 5bc7cdfc..e913cee3 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -15,6 +15,7 @@ include @{exec_path} += /{usr/,}lib/hypnotix/hypnotix.py profile hypnotix @{exec_path} { include + include include include include 
@@ -62,11 +63,6 @@ profile hypnotix @{exec_path} { owner @{MOUNTS}/**/ r, owner /{home,media}/**.@{hypnotix_ext} r, - # To be able to store settings - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/hypnotix/{,**} r, owner @{HOME}/.hypnotix/ rw, diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index f94e21e4..1948827e 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/jami-gnome profile jami-gnome @{exec_path} { include + include include include include @@ -40,10 +41,6 @@ profile jami-gnome @{exec_path} { /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/ring/{,**} r, diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 21f54328..3337a719 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -34,6 +34,7 @@ include @{exec_path} = /{usr/,}bin/mediainfo-gui profile mediainfo-gui @{exec_path} { include + include include include include @@ -56,11 +57,6 @@ profile mediainfo-gui @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index 1e528126..d50ad958 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/telepathy/mission-control-5 profile mission-control @{exec_path} { include - include + include network netlink raw, 
@@ -21,7 +21,6 @@ profile mission-control @{exec_path} { owner @{user_share_dirs}/telepathy/mission-control/*.cfg r, - @{run}/user/@{uid}/dconf/user rw, @{run}/systemd/inhibit/[0-9]*.ref rw, include if exists diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 9ad55666..75d4cbc7 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/obconf profile obconf @{exec_path} { include + include include include include @@ -33,10 +34,6 @@ profile obconf @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index e2f983bf..b6af6191 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/pulseeffects profile pulseeffects @{exec_path} { include + include include include include @@ -33,10 +34,6 @@ profile pulseeffects @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 0ec27039..96560c7c 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -24,7 +24,7 @@ profile qbittorrent @{exec_path} { include include include - include + include include include include @@ -108,8 +108,6 @@ profile qbittorrent @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - # dconf write - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/ICEauthority r, # DBus 
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 1d798642..0dfade79 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -11,7 +11,7 @@ include @{exec_path} += /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} flags=(complain) { include - include + include include include include @@ -42,8 +42,6 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner /tmp/* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 593d9923..009a5c1f 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/udiskie profile udiskie @{exec_path} { include + include include include include @@ -37,10 +38,6 @@ profile udiskie @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Allowed apps to open /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index a758d8d0..6b7244bd 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/utox profile utox @{exec_path} { include + include include include include @@ -39,11 +40,6 @@ profile utox @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 7bc9bd7b..377581d2 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter 
@@ -34,6 +34,7 @@ include @{exec_path} = /{usr/,}bin/vidcutter profile vidcutter @{exec_path} { include + include include include include @@ -91,10 +92,6 @@ profile vidcutter @{exec_path} { owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d197e1a3..b2c1583c 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,7 +12,7 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -88,8 +88,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/mount/utab r, @{run}/udev/data/c51[0-9]:[0-9]* r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 64447750..05f7a3db 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/xarchiver profile xarchiver @{exec_path} { include + include include include include @@ -42,10 +43,6 @@ profile xarchiver @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, From f53550525ec117ca0a688487a3248a498d46f3d4 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 9 Jun 2022 22:45:14 +0100 Subject: [PATCH 038/165] feat(profiles): add the X-strict abstraction. --- apparmor.d/abstractions/X-strict | 30 ++++++++++++++++++++ apparmor.d/groups/freedesktop/pulseaudio | 7 +---- apparmor.d/groups/freedesktop/xrdb | 7 +---- apparmor.d/groups/gnome/gnome-session-binary | 5 +--- apparmor.d/groups/gnome/gnome-shell | 6 +--- 5 files changed, 34 insertions(+), 21 deletions(-) create mode 100644 apparmor.d/abstractions/X-strict diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict new file mode 100644 index 00000000..e92e59f7 --- /dev/null +++ b/apparmor.d/abstractions/X-strict @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # The unix socket to use to connect to the display + unix (connect, receive, send) + type=stream + peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (connect, receive, send) + type=stream + peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + /tmp/.X11-unix/* rw, + + # Available Xsessions + /usr/share/xsessions/{,*.desktop} r, + + # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, + owner @{run}/user/@{uid}/ICEauthority r, + + # Xauthority files required for X connections, per user + owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, + owner @{run}/user/@{uid}/X11/Xauthority r, + owner @{run}/user/@{uid}/xauth_* r, + + # Xwayland + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + + include if exists diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index f1d9cac6..d3788695 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
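Review bot: `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,` in the new X-strict abstraction gives every consumer write access to the Xwayland auth cookie, whereas the rules it replaces in pulseaudio, xrdb and gnome-session-binary (the following hunks) were read-only; only gnome-shell had `rw`, and its own `rw` line is removed further down. Since that cookie is what gates X connections, I would make the abstraction read-only, `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,`, and keep the `rw` rule in the gnome-shell profile, which presumably is the process that creates the file. That would also make the file consistent, since every other rule in it is `r`.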
@@ -20,14 +20,12 @@ profile pulseaudio @{exec_path} { include include include + include ptrace (trace) peer=@{profile_name}, signal (receive) peer=pacmd, - unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), - unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), - network inet stream, network inet6 stream, network netlink raw, @@ -120,9 +118,6 @@ profile pulseaudio @{exec_path} { owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, owner @{run}/user/@{uid}/ rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, - owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/pulse/{,*} rw, owner @{run}/user/@{uid}/pulse/*.lock k, owner @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 177d3bb8..7f82aaa4 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -10,8 +10,7 @@ include @{exec_path} = /{usr/,}bin/xrdb profile xrdb @{exec_path} { include - - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + include @{exec_path} mr, @@ -21,8 +20,6 @@ profile xrdb @{exec_path} { /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, - owner @{HOME}/.Xauthority r, - /etc/X11/Xresources/x11-common r, # The location of the .Xresources file @@ -35,8 +32,6 @@ profile xrdb @{exec_path} { owner /tmp/xauth-[0-9]*-_[0-9] r, owner /tmp/kcminit.* r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index bb3dabec..40a7fce9 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -17,6 +17,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, @@ -118,8 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/mimeinfo.cache r, owner @{user_share_dirs}/session_migration-ubuntu r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, owner @{run}/user/@{uid}/systemd/notify w, @@ -129,8 +128,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, - /tmp/.ICE-unix/[0-9]* rw, - @{sys}/devices/**/{vendor,device} r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 3633a210..70e85dbf 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,6 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, capability sys_ptrace, @@ -40,7 +41,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* @@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/ubuntu/applications/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - /usr/share/xsessions/{,*.desktop} r, /.flatpak-info r, /etc/fstab r, 
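Review bot: The last gnome-session-binary hunk removes `/tmp/.ICE-unix/[0-9]* rw,`, but X-strict only carries a `unix ... peer=(addr="@/tmp/.ICE-unix/[0-9]*")` rule for the abstract-namespace socket and no filesystem path rule for `/tmp/.ICE-unix/`. If the ICE socket gnome-session-binary uses is path-based (the `ICEauthority{,-[a-z]} rwl` rule kept as context suggests it acts as the ICE server), this is a regression the abstraction does not cover. Either keep the path rule in the profile or add `/tmp/.ICE-unix/* rw,` next to `/tmp/.X11-unix/* rw,` in X-strict, whichever matches the observed denials.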
@@ -170,8 +169,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, @@ -185,7 +182,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner /tmp/.X[0-9]-lock rw, owner /tmp/[0-9A-Z]*.shell-extension.zip rw, owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, - /tmp/.X11-unix/X[0-9] rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat[0-9]* r, From 80b337bdf4f56703148411243a019cea72e36c24 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jun 2022 12:02:16 +0100 Subject: [PATCH 039/165] revert(profiles): remove tor related profiles. --- apparmor.d/abstractions/tor | 33 ------------------------------ apparmor.d/profiles-s-z/system_tor | 25 ---------------------- 2 files changed, 58 deletions(-) delete mode 100644 apparmor.d/abstractions/tor delete mode 100644 apparmor.d/profiles-s-z/system_tor diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor deleted file mode 100644 index a6719b95..00000000 --- a/apparmor.d/abstractions/tor +++ /dev/null @@ -1,33 +0,0 @@ -# vim:syntax=apparmor - - include - include - include - - network tcp, - network udp, - - capability chown, - capability dac_read_search, - capability fowner, - capability fsetid, - capability setgid, - capability setuid, - - /usr/bin/tor r, - /usr/sbin/tor r, - - # Needed by obfs4proxy - /proc/sys/net/core/somaxconn r, - - /proc/sys/kernel/random/uuid r, - /sys/devices/system/cpu/ r, - /sys/devices/system/cpu/** r, - - /etc/tor/* r, - /usr/share/tor/** r, - - /usr/bin/obfsproxy PUx, - /usr/bin/obfs4proxy Pix, - - include if exists \ No newline at end of file 
diff --git a/apparmor.d/profiles-s-z/system_tor b/apparmor.d/profiles-s-z/system_tor deleted file mode 100644 index dfea51de..00000000 --- a/apparmor.d/profiles-s-z/system_tor +++ /dev/null @@ -1,25 +0,0 @@ -# vim:syntax=apparmor -include - -profile system_tor flags=(attach_disconnected) { - include - include - - owner /var/lib/tor/** rwk, - owner /var/lib/tor/ r, - owner /var/log/tor/* w, - - # During startup, tor (as root) tries to open various things such as - # directories via check_private_dir(). Let it. - /var/lib/tor/** r, - - /{,var/}run/tor/ r, - /{,var/}run/tor/control w, - /{,var/}run/tor/socks w, - /{,var/}run/tor/tor.pid w, - /{,var/}run/tor/control.authcookie w, - /{,var/}run/tor/control.authcookie.tmp rw, - /{,var/}run/systemd/notify w, - - include if exists -} From 8f53366cd8019f8b367c04e44db18d14dc7bd546 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jun 2022 12:04:24 +0100 Subject: [PATCH 040/165] feat(profiles): allow gnome-shell to send signal to all profiles. --- apparmor.d/abstractions/base.d/complete | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ab5e6ab9..39988d60 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
@@ -1,20 +1,21 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/writable/localtime r, /usr/share/locale/ r, # Allow to receive some signals - signal (receive) peer=top, signal (receive) peer=htop, + signal (receive) peer=sudo, + signal (receive) peer=top, + signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,cont) peer=systemd, signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown, + signal (receive) set=(term,kill) peer=gnome-shell, signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=su, - signal (receive) peer=sudo, ptrace (readby) peer=systemd-coredump, From a5c9a58c3c2b30dfac5122112bf60e37d1687d47 Mon Sep 17 00:00:00 2001 
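Review bot: The new `signal (receive) set=(term,kill) peer=gnome-shell,` lands in the base abstraction, so every profile that includes base — system daemons such as sshd and dbus-daemon as well as desktop apps — now accepts TERM/KILL from a process confined as gnome-shell; the practical reach is bounded by DAC (same uid or root), but that is not obvious from the rule. A why-comment would make the intent explicit: `# gnome-shell can end (force-quit) any confined session process`. The matching `signal (send)` rule on the gnome-shell side is not part of this hunk, so presumably it already exists or follows elsewhere in the series.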
From: Alexandre Pujol Date: Sun, 12 Jun 2022 22:15:21 +0100 Subject: [PATCH 041/165] feat(profiles): complete the dbus-session abstactions and related rules. --- .../abstractions/dbus-session-strict.d/complete | 12 ++++++++++++ apparmor.d/groups/apt/unattended-upgrade-shutdown | 1 + apparmor.d/groups/bus/dbus-daemon | 1 - apparmor.d/groups/bus/ibus-extension-gtk3 | 4 ---- apparmor.d/groups/bus/ibus-x11 | 1 - apparmor.d/groups/freedesktop/at-spi-bus-launcher | 1 - apparmor.d/groups/freedesktop/at-spi2-registryd | 1 - .../groups/freedesktop/xdg-desktop-portal-gtk | 13 ++++++++++++- apparmor.d/groups/gnome/evolution-alarm-notify | 2 -- apparmor.d/groups/gnome/gnome-extension-ding | 2 -- apparmor.d/groups/gnome/gsd-color | 1 - apparmor.d/groups/gnome/gsd-keyboard | 1 - apparmor.d/groups/gnome/gsd-media-keys | 1 - apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/gsd-wacom | 1 - .../groups/ubuntu/ubuntu-advantage-notification | 3 +-- apparmor.d/profiles-s-z/spice-vdagent | 3 --- 17 files changed, 26 insertions(+), 23 deletions(-) create mode 100644 apparmor.d/abstractions/dbus-session-strict.d/complete diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete new file mode 100644 index 00000000..8578e7d2 --- /dev/null +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + unix (bind, listen) type=stream addr="@/tmp/dbus-*", + + unix (connect, receive, send, accept) + type=stream + peer=(addr="@/tmp/dbus-*"), + + owner @{run}/user/@{uid}/at-spi/ rw, + owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index b6815bd2..85024366 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown 
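Review bot: `unix (bind, listen) type=stream addr="@/tmp/dbus-*",` grants every profile that includes dbus-session-strict the right to create a listening abstract socket in the dbus-* namespace, i.e. to stand up something that looks like a session bus, which is a server-side permission only dbus-daemon (and possibly at-spi-bus-launcher) should need; `accept` in the second rule is likewise server-side. Keep only the client side in the abstraction, `unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),`, and move bind/listen/accept into the dbus-daemon profile, whose hunk below already carries the corresponding `owner /tmp/dbus-[0-9a-zA-Z]* rw,` file rule. The `owner @{run}/user/@{uid}/at-spi/ rw,` directory write is also broader than the `bus{,_[0-9]*}` rule needs for clients; `r` on the directory is enough unless something including this abstraction creates the socket.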
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 4dae8071..13411ae8 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -68,7 +68,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { owner /tmp/dbus-[0-9a-zA-Z]* rw, - owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index b1166f43..893c7cf4 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -34,11 +34,7 @@ profile ibus-extension-gtk3 @{exec_path} { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 159806e3..791e78fa 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -31,7 +31,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 41fbc9ef..de6d51d8 100644 
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -34,7 +34,6 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, owner @{HOME}/.xsession-errors w, - owner @{run}/user/@{uid}/at-spi/{,bus} rw, owner @{run}/user/@{uid}/gdm/Xauthority r, /var/lib/lightdm/.Xauthority r, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 63fbbd70..8fa2940b 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -23,7 +23,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, owner @{HOME}/.xsession-errors w, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 27d663d1..fd660d09 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -24,10 +24,22 @@ profile xdg-desktop-portal-gtk @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User member=Changed, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, 
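Review bot: The four new `dbus receive bus=system` rules in xdg-desktop-portal-gtk carry no `peer=` qualifier, so a PropertiesChanged or CheckPermissions signal emitted by any other system-bus client with the same path/interface is accepted alongside the genuine one from NetworkManager or accounts-daemon. Signals are broadcast, so this is a spoofing surface rather than a leak, but it is cheap to close: add `peer=(name=org.freedesktop.NetworkManager)` to the two NetworkManager rules and `peer=(name=org.freedesktop.Accounts)` to the new Accounts rule (a `label=` match is stronger still if profiles for those daemons exist in this set, which the hunk does not show). The pre-existing `member=Changed` Accounts rule shown as context has the same gap.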
@@ -40,7 +52,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/@{XDG_DATA_HOME}/ r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 0a246ada..a1b4dca7 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -24,7 +24,5 @@ profile evolution-alarm-notify @{exec_path} { /usr/share/ubuntu/applications/ r, /usr/share/zoneinfo-icu/{,**} r, - owner @{run}/user/@{uid}/at-spi/bus rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 1eab85dc..71431b3a 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -53,8 +53,6 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home r, owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 223e6243..0bc91045 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -48,7 +48,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/ r, owner @{user_share_dirs}/icc/edid-*.icc rw, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 12ed0972..31280ae7 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard 
@@ -32,7 +32,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/ rw, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index e6c67b24..6f2b77f2 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -57,7 +57,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/cookie rk, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index cd1a4826..bb4ec7d0 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -60,7 +60,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/pulse/client.conf r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 24dd5a3c..3bb701c7 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -29,7 +29,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index d3424c64..5096582a 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification 
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include + include include include @@ -19,7 +19,6 @@ profile ubuntu-advantage-notification @{exec_path} { /usr/share/icons/{,**} r, /usr/share/X11/xkb/{,**} r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 50344f35..6f9939d0 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -13,8 +13,6 @@ profile spice-vdagent @{exec_path} { include include - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - @{exec_path} mr, /etc/machine-id r, @@ -22,7 +20,6 @@ profile spice-vdagent @{exec_path} { owner @{user_config_dirs}/user-dirs.dirs r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, @{run}/spice-vdagentd/spice-vdagent-sock rw, From 0896343bbcf8d29f8037fce82f571ea71003621d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jun 2022 22:17:38 +0100 Subject: [PATCH 042/165] feat(profiles): rethink the app launchers. --- apparmor.d/abstractions/app-launcher-root | 13 ++++++++----- apparmor.d/abstractions/app-launcher-user | 13 ++++++++----- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index c5e2f6a2..0d3c8e5f 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root 
@@ -1,13 +1,16 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , # Root app location - / r, - /usr/ r, - /{usr/,}{s,}bin/ r, - /{usr/,}{s,}bin/[a-z0-9]* rPUx, + / r, + /usr/ r, + /{usr/,}{s,}bin/ r, + /{usr/,}{s,}bin/[a-z0-9]* rPUx, + /usr/local/{s,}bin/ r, + /usr/local/{s,}bin/[a-zA-Z0-9]* rPUx, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index a1f16248..7bf9094c 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -1,14 +1,17 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , # User app location - / r, - /usr/ r, - /{usr/,}bin/ r, - /{usr/,}bin/[a-zA-Z0-9]* rPUx, + / r, + /usr/ r, + /{usr/,}bin/ r, + /{usr/,}bin/[a-zA-Z0-9]* rPUx, + /usr/local/bin/ r, + /usr/local/bin/[a-zA-Z0-9]* rPUx, # Firefox /{usr/,}lib/ r, From 9493e783ce2d5b4b5cd75e56aaadab6d12a89330 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jun 2022 22:19:13 +0100 Subject: [PATCH 043/165] feat(profiles): rethink the su & sudo profiles. --- apparmor.d/profiles-s-z/su | 35 +++++++++++++++------------ apparmor.d/profiles-s-z/sudo | 47 +++++++++++++++--------------------- 2 files changed, 39 insertions(+), 43 deletions(-) diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index b7ea89fc..114f2f13 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su 
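Review bot: `/usr/local/{s,}bin/[a-zA-Z0-9]* rPUx,` lets any profile using app-launcher-root execute admin-installed binaries and fall back to unconfined when no profile matches — the same trust already given to `/{usr/,}{s,}bin/`, but now extended to a tree outside package management; a comment such as `# /usr/local is admin-managed; unprofiled binaries there run unconfined` would make that explicit. The character class is also inconsistent within this abstraction: the new line uses `[a-zA-Z0-9]*` while the `/{usr/,}{s,}bin/[a-z0-9]*` line directly above (only reindented in this hunk) stays lowercase-only, so uppercase-named binaries are launchable from /usr/local but not from /usr/bin. Pick one, e.g. `/{usr/,}{s,}bin/[a-zA-Z0-9]* rPUx,`, which also matches app-launcher-user.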
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/su profile su @{exec_path} { include + include include include include @@ -17,42 +19,45 @@ profile su @{exec_path} { # include capability audit_write, + capability chown, # pseudo-terminal + capability dac_read_search, capability setgid, capability setuid, - capability dac_read_search, capability sys_resource, + # No clear purpose, deny until needed - deny capability net_admin, - #audit deny capability net_bind_service, + audit deny capability net_admin, + audit deny capability net_bind_service, signal (send) set=(term,kill), signal (receive) set=(int,quit,term), signal (receive) set=(cont,hup) peer=sudo, - # unknown, needs to be cleared up; TODO + unix (bind) type=dgram, + network netlink raw, + dbus (send) bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CreateSession,ReleaseSession}, + @{exec_path} mr, - # Shells to use - /{usr/,}bin/{,b,d,rb}ash rpux, - /{usr/,}bin/{c,k,tc,z}sh rpux, - - # Fake shells to politely refuse a login - #/{usr/,}{s,}bin/nologin rpux, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + /{usr/,}{s,}bin/nologin rPx, /etc/default/locale r, /etc/environment r, /etc/security/limits.d/ r, /etc/shells r, - @{PROC}/1/limits r, owner @{PROC}/@{pids}/loginuid r, owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, - - # For pam_securetty - @{PROC}/cmdline r, + @{PROC}/1/limits r, + @{PROC}/cmdline r, + @{sys}/devices/virtual/tty/console/active r, /dev/{,pts/}ptmx rw, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index a72ee364..94697309 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
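Review bot: The new `dbus (send) bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member={CreateSession,ReleaseSession}` has no `peer=` qualifier, so su may send these calls to any bus connection exposing that path, and the `[0-9]` globs admit ten path/interface variants where only login1 exists; `path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession} peer=(name=org.freedesktop.login1),` is the precise form. `unix (bind) type=dgram,` is likewise unscoped — if it is there for the autobound socket the syslog/journald client needs, `unix (bind) type=dgram addr=none,` expresses that without permitting named or abstract dgram servers. The shell switch from `rpux` to `rUx` is reasonable for a login shell but means the shell now always runs unconfined even where a bash profile is loaded, whereas the old rule preferred the profile; a one-line comment stating that choice would help.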
@@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only @@ -7,11 +7,10 @@ abi , include -@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin - @{exec_path} = /{usr/,}bin/sudo profile sudo @{exec_path} { include + include include include include 
@@ -30,57 +29,49 @@ profile sudo @{exec_path} { capability sys_resource, network netlink raw, # PAM - # DNS query? -# network inet dgram, -# network inet6 dgram, ptrace (read), - signal, + + # signal, signal (send) set=(cont,hup) peer=su, @{exec_path} mr, - @{libexec}/sudo/** mr, - # Shells to use - /{usr/,}bin/{,b,d,rb}ash rpux, - /{usr/,}bin/{c,k,tc,z}sh rpux, - - @{PATH}/[a-z0-9]* rPUx, - /{usr/,}lib/cockpit/cockpit-askpass rPUx, - /{usr/,}lib/molly-guard/molly-guard rPx, + @{libexec}/sudo/** mr, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + /{usr/,}lib/cockpit/cockpit-askpass rPx, + /{usr/,}lib/molly-guard/molly-guard rPx, + /etc/default/locale r, /etc/environment r, /etc/machine-id r, /etc/security/limits.d/{,*} r, /etc/sudo.conf r, /etc/sudoers r, /etc/sudoers.d/{,*} r, - /etc/default/locale r, - /var/log/sudo.log wk, + /var/log/sudo.log wk, + owner /var/lib/sudo/lectured/* rw, + + owner @{HOME}/.sudo_as_admin_successful rw, + owner @{HOME}/.xsession-errors w, # For timestampdir owner @{run}/sudo/ rw, owner @{run}/sudo/ts/ rw, owner @{run}/sudo/ts/* rwk, @{run}/faillock/{,*} rwk, + @{run}/resolvconf/resolv.conf r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/1/limits r, + @{PROC}/sys/kernel/seccomp/actions_avail r, - # File Inherit owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, - - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/resolvconf/resolv.conf r, - - /dev/ r, # interactive login - /dev/ptmx rw, + /dev/ r, # interactive login + /dev/ptmx rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 779853dc7f0158ecca917627c0278f3f12117271 Mon Sep 17 00:00:00 2001 
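Review bot: `/{usr/,}lib/cockpit/cockpit-askpass rPx,` tightens the previous `rPUx`, but `Px` has no fallback: if no `cockpit-askpass` profile is shipped in this set, sudo's askpass path now fails with an exec denial instead of running unconfined — confirm the profile exists or keep `rPUx` with a comment. The orphaned `# signal,` line is dead configuration; either delete it or say why the blanket rule was retired in favour of `signal (send) set=(cont,hup) peer=su,`. The removed `@{PATH}/[a-z0-9]* rPUx,` rule is presumably replaced by the abstraction added in the include hunk above (its name is not legible in this rendering); if that is app-launcher-root, sudo's launch set now also covers `/usr/local/{s,}bin`, which is worth stating in the commit message.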
From: Alexandre Pujol Date: Sun, 12 Jun 2022 22:51:37 +0100 Subject: [PATCH 044/165] feat(profiles): new definition for MOUNTs, add MOUNTDIRS. --- apparmor.d/abstractions/user-download-strict | 4 +- apparmor.d/abstractions/user-write.d/complete | 14 ++--- apparmor.d/groups/apps/android-studio | 4 +- apparmor.d/groups/apps/atom | 6 +-- apparmor.d/groups/apps/calibre | 6 +-- apparmor.d/groups/apps/code | 5 +- apparmor.d/groups/apps/filezilla | 4 +- apparmor.d/groups/apt/apt-cdrom | 10 ++-- apparmor.d/groups/gpg/dirmngr | 10 ++-- apparmor.d/groups/gpg/gpg | 2 +- apparmor.d/groups/gpg/gpg-agent | 12 ++--- apparmor.d/groups/gvfs/gvfsd-archive | 2 +- apparmor.d/groups/gvfs/gvfsd-mtp | 2 +- apparmor.d/groups/gvfs/gvfsd-recent | 2 +- apparmor.d/groups/gvfs/gvfsd-trash | 2 +- apparmor.d/profiles-a-f/badblocks | 2 +- apparmor.d/profiles-a-f/blkid | 4 +- apparmor.d/profiles-a-f/borg | 6 +-- apparmor.d/profiles-a-f/btrfs | 10 ++-- apparmor.d/profiles-a-f/btrfs-find-root | 4 +- apparmor.d/profiles-a-f/btrfs-image | 4 +- apparmor.d/profiles-a-f/btrfs-map-logical | 4 +- apparmor.d/profiles-a-f/cfdisk | 6 +-- apparmor.d/profiles-a-f/cgdisk | 6 +-- apparmor.d/profiles-a-f/dumpe2fs | 4 +- apparmor.d/profiles-a-f/e2fsck | 4 +- apparmor.d/profiles-a-f/e2image | 4 +- apparmor.d/profiles-a-f/f3read | 8 +-- apparmor.d/profiles-a-f/f3write | 8 +-- apparmor.d/profiles-a-f/fdisk | 6 +-- apparmor.d/profiles-a-f/fsck | 2 +- apparmor.d/profiles-a-f/fsck-fat | 4 +- apparmor.d/profiles-a-f/fuseiso | 8 +-- apparmor.d/profiles-g-l/gdisk | 6 +-- apparmor.d/profiles-g-l/gpartedbin | 4 +- apparmor.d/profiles-g-l/hdparm | 4 +- apparmor.d/profiles-g-l/keepassxc-proxy | 2 +- apparmor.d/profiles-m-r/megasync | 9 +--- apparmor.d/profiles-m-r/mke2fs | 4 +- apparmor.d/profiles-m-r/mkfs-btrfs | 4 +- apparmor.d/profiles-m-r/mkfs-fat | 4 +- apparmor.d/profiles-m-r/mount | 4 +- apparmor.d/profiles-m-r/mount-cifs | 13 +++-- apparmor.d/profiles-m-r/mount-nfs | 13 +++-- apparmor.d/profiles-m-r/mtools | 4 +- 
apparmor.d/profiles-m-r/ntfs-3g | 51 +++++++++---------- apparmor.d/profiles-m-r/ntfsclone | 2 +- apparmor.d/profiles-m-r/obex-folder-listing | 4 +- apparmor.d/profiles-m-r/parted | 4 +- apparmor.d/profiles-m-r/qbittorrent | 10 ++-- apparmor.d/profiles-m-r/qnapi | 9 ++-- apparmor.d/profiles-m-r/qtox | 2 +- apparmor.d/profiles-m-r/resize2fs | 4 +- apparmor.d/profiles-s-z/s3fs | 10 ++-- apparmor.d/profiles-s-z/sfdisk | 4 +- apparmor.d/profiles-s-z/sgdisk | 6 +-- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/strawberry-tagreader | 2 +- apparmor.d/profiles-s-z/tune2fs | 4 +- apparmor.d/profiles-s-z/udisksd | 20 ++++---- apparmor.d/profiles-s-z/virt-manager | 7 ++- apparmor.d/tunables/extend | 10 +++- 62 files changed, 198 insertions(+), 203 deletions(-) diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index e6dc6e8f..935bbbb0 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -7,8 +7,8 @@ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl, - owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r, - owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl, + owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/ r, + owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/** rwkl, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl, diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete index 0ffe6622..6775f9dc 100644 --- a/apparmor.d/abstractions/user-write.d/complete +++ b/apparmor.d/abstractions/user-write.d/complete 
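Review bot: Dropping the `/*/` segment in `owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/** rwkl,` only preserves behaviour if `@{MOUNTS}` now expands to the per-user mount directories; that redefinition lives in tunables/extend, which is in this commit's diffstat but outside the visible hunks, so confirm it is a list whose entries already include the user-level component, otherwise this rule silently stops matching the `@{MOUNTS}/<user>/Downloads` layout the old rule covered. A one-line comment on the rule, `# @{MOUNTS} already includes the per-user mount level`, would spare the next reader the same check.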
@@ -9,10 +9,10 @@ owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl, - owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_DOCUMENTS_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_VIDEOS_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_BOOKS_DIR}/{,**} rwl, + owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio index f4c7913d..ca89ccec 100644 --- a/apparmor.d/groups/apps/android-studio +++ b/apparmor.d/groups/apps/android-studio @@ -6,8 +6,8 @@ abi , include -@{AS_LIBDIR} = @{MOUNTS}/*/android-studio -@{AS_SDKDIR} = @{MOUNTS}/*/SDK +@{AS_LIBDIR} = @{MOUNTS}/android-studio +@{AS_SDKDIR} = @{MOUNTS}/SDK @{AS_HOMEDIR} = @{HOME}/.AndroidStudio* @{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index 65d29290..a8933715 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -87,9 +87,9 @@ profile atom @{exec_path} { # Git dirs / r, @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/atom/ r, - owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**, + owner @{MOUNTS}/ r, + owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r, + owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**, owner @{user_config_dirs}/git/config r, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index daf63e0a..f4082f1e 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre 
@@ -78,9 +78,9 @@ profile calibre @{exec_path} { owner @{HOME}/@{XDG_BOOKS_DIR} rw, owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl, - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r, - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw, - owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**, + owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r, + owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/ rw, + owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/@{XDG_BOOKS_DIR}*/**, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index 0ece93b0..f941d070 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -66,9 +66,8 @@ profile code @{exec_path} { # Git dirs / r, @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/code/ r, - owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**, + owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r, + owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**, /etc/fstab r, diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla index 85ea3cf7..ac97ac6e 100644 --- a/apparmor.d/groups/apps/filezilla +++ b/apparmor.d/groups/apps/filezilla @@ -56,8 +56,8 @@ profile filezilla @{exec_path} { /{usr/,}lib/firefox/firefox rPUx, # FTP share folder - owner @{MOUNTS}/*/ftp/ r, - owner @{MOUNTS}/*/ftp/** rw, + owner @{MOUNTS}/ftp/ r, + owner @{MOUNTS}/ftp/** rw, # Silencer / r, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index dd703329..3dcdf22d 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom 
@@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) { /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, # For pendrives - @{MOUNTS}/*/*/ r, - @{MOUNTS}/*/*/**/ r, - @{MOUNTS}/*/*/.disk/info r, - @{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r, - @{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r, + @{MOUNTS}/*/ r, + @{MOUNTS}/*/**/ r, + @{MOUNTS}/*/.disk/info r, + @{MOUNTS}/*/dists/**/binary-*/Packages{,.gz} r, + @{MOUNTS}/*/dists/**/i18n/Translation-en{,.gz} r, /var/lib/apt/lists/** rw, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 95e9296b..bd53411b 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -29,11 +29,11 @@ profile dirmngr @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/crls.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 40bfaea5..9955daf5 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -77,7 +77,7 @@ profile gpg @{exec_path} { # Verify files owner @{HOME}/** r, - owner @{MOUNTS}/*/** r, + owner @{MOUNTS}/** r, owner @{PROC}/@{pid}/task/@{tid}/stat rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 38ba5378..00c33346 100644 --- a/apparmor.d/groups/gpg/gpg-agent 
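Review bot: In dirmngr, `owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,` (and the four rules below it) places the optional segment as `{,/*}` after a slash, so the empty alternative expands to `@{MOUNTS}//@{XDG_GPG_DIR}/` with a doubled slash; as far as I can tell the parser only collapses literal `//` in the rule text, not one produced by brace expansion, so that alternative never matches a real path and only the one-level-deep form works. The previous `*{,/*}` spelling did not have this problem. Write it as `owner @{MOUNTS}/{,*/}@{XDG_GPG_DIR}/ rw,` (and likewise for the other four lines) so both `@{MOUNTS}/.gnupg` and `@{MOUNTS}/*/.gnupg` are covered.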
+++ b/apparmor.d/groups/gpg/gpg-agent @@ -29,12 +29,12 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index ed9b3aa2..6694eafb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -20,7 +20,7 @@ profile gvfsd-archive @{exec_path} { owner @{HOME}/**.{tar,tar.gz,zip} r, owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 2e83b079..2d09516a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -24,7 +24,7 @@ profile gvfsd-mtp @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{HOME}/{,**} rw, - owner @{MOUNTS}/*/{,**} rw, + owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, 
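Review bot: The six rewritten `owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/...` rules in gpg-agent have the optional segment as `{,/*}` directly after a slash, so the empty alternative becomes `@{MOUNTS}//...` with a doubled slash and, unless the parser collapses slashes after brace expansion (I believe it only does so on literal text), never matches; the effect is that a keyring stored at the top of a mount is denied, including the `private-keys-v1.d/[0-9A-F]*.key rw` rule that the agent actually needs. The old `*{,/*}` form covered both depths. Use `owner @{MOUNTS}/{,*/}@{XDG_GPG_DIR}/ rw,` as the pattern for all six lines.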
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 072e6be0..35d08324 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -19,7 +19,7 @@ profile gvfsd-recent @{exec_path} { # Full access to user's data owner @{HOME}/{,**} rw, - owner @{MOUNTS}/*/{,**} rw, + owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 906aff69..7b2913f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} { # Can restore all user files owner @{HOME}/{,**} rw, - owner @{MOUNTS}/*/{,**} rw, + owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index f1c2ddce..d8f9b79b 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -19,7 +19,7 @@ profile badblocks @{exec_path} { # A place for a list of already existing known bad blocks @{HOME}/* rwk, - @{MOUNTS}/*/** rwk, + @{MOUNTS}/** rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 3d834202..1d3735e8 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -31,9 +31,9 @@ profile blkid @{exec_path} { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 304d97c0..1bd177a7 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg 
@@ -35,10 +35,10 @@ profile borg @{exec_path} { /{usr/,}bin/ccache rCx -> ccache, /{usr/,}bin/fusermount{,3} rCx -> fusermount, + mount fstype=fuse -> @{MOUNTS}/, mount fstype=fuse -> @{MOUNTS}/*/, - mount fstype=fuse -> @{MOUNTS}/*/*/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, /dev/fuse rw, @@ -114,8 +114,8 @@ profile borg @{exec_path} { /etc/fuse.conf r, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index b691e0d2..bff4395c 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -33,18 +33,18 @@ profile btrfs @{exec_path} { /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk, # Saved metadata + @{MOUNTS}/ r, + @{MOUNTS}/ext2_saved/ rw, + @{MOUNTS}/ext2_saved/image rw, @{MOUNTS}/*/ r, @{MOUNTS}/*/ext2_saved/ rw, @{MOUNTS}/*/ext2_saved/image rw, - @{MOUNTS}/*/*/ r, - @{MOUNTS}/*/*/ext2_saved/ rw, - @{MOUNTS}/*/*/ext2_saved/image rw, # To be able to manage btrfs volumes owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, /dev/btrfs-control rw, diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root index 6135885c..5eb562f7 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root @@ -15,9 +15,9 @@ profile btrfs-find-root @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } 
diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image index 50061b82..3aecf3be 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/profiles-a-f/btrfs-image @@ -17,9 +17,9 @@ profile btrfs-image @{exec_path} { # Image files owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical index 344f4d02..81d28128 100644 --- a/apparmor.d/profiles-a-f/btrfs-map-logical +++ b/apparmor.d/profiles-a-f/btrfs-map-logical @@ -15,9 +15,9 @@ profile btrfs-map-logical @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 45aeb0b7..deb4be1a 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -25,13 +25,13 @@ profile cfdisk @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # A place for backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 231de791..a94b85bd 100644 
--- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -17,13 +17,13 @@ profile cgdisk @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # A place for backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 35f922c7..8e7ee6bc 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -19,9 +19,9 @@ profile dumpe2fs @{exec_path} { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 14c1e26f..e7c2cfb5 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -28,9 +28,9 @@ profile e2fsck @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index b61bf1fd..7cd9ebe2 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image 
@@ -19,9 +19,9 @@ profile e2image @{exec_path} { # A place for the metadata image file owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index 044ba498..9ff0d7ad 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read @@ -13,14 +13,14 @@ profile f3read @{exec_path} { @{exec_path} mr, # USB drive mount locations + @{MOUNTDIRS} r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, - /mnt/ r, # To be able to read h2w files + owner @{MOUNTDIRS}/[0-9]*.h2w r, + owner @{MOUNTS}/[0-9]*.h2w r, owner @{MOUNTS}/*/[0-9]*.h2w r, - owner @{MOUNTS}/*/*/[0-9]*.h2w r, - owner /mnt/[0-9]*.h2w r, include if exists } diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index d053e929..14145347 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write @@ -17,14 +17,14 @@ profile f3write @{exec_path} { @{exec_path} mr, # USB drive mount locations + @{MOUNTDIRS} r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, - /mnt/ r, # To be able to write h2w files + owner @{MOUNTDIRS}/[0-9]*.h2w w, + owner @{MOUNTS}/[0-9]*.h2w w, owner @{MOUNTS}/*/[0-9]*.h2w w, - owner @{MOUNTS}/*/*/[0-9]*.h2w w, - owner /mnt/[0-9]*.h2w w, include if exists } diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index 5f023da4..5c0f9769 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk 
@@ -27,13 +27,13 @@ profile fdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index fc56b1c7..7d5adbfa 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -24,7 +24,7 @@ profile fsck @{exec_path} { /etc/fstab r, # When a mount dir is passed to fsck as an argument. - @{MOUNTS}/*/ r, + @{MOUNTS}/ r, /boot/ r, /home/ r, diff --git a/apparmor.d/profiles-a-f/fsck-fat b/apparmor.d/profiles-a-f/fsck-fat index 993475b6..d17e06e2 100644 --- a/apparmor.d/profiles-a-f/fsck-fat +++ b/apparmor.d/profiles-a-f/fsck-fat @@ -16,9 +16,9 @@ profile fsck-fat @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 6b658ee1..3dccb5c7 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso 
@@ -27,9 +27,9 @@ profile fuseiso @{exec_path} { # Image files to be mounted owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{HOME}/.mtab.fuseiso rwk, owner @{HOME}/.mtab.fuseiso.new rw, @@ -60,9 +60,9 @@ profile fuseiso @{exec_path} { # Image files to be mounted owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, } diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 66354c43..2b501e69 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -24,13 +24,13 @@ profile gdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 42e6f0ca..7cd08c62 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin 
@@ -153,8 +153,8 @@ profile gpartedbin @{exec_path} { mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/, mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/, + mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r, @@ -176,8 +176,8 @@ profile gpartedbin @{exec_path} { umount /tmp/gparted-*/, umount /boot/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index b3ba2f2a..7c0748a3 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -30,9 +30,9 @@ profile hdparm @{exec_path} flags=(complain) { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index ae24a13c..008f9569 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -29,7 +29,7 @@ profile keepassxc-proxy @{exec_path} { # deny owner @{HOME}/.mozilla/** rw, deny owner @{user_cache_dirs}/mozilla/** rw, - deny owner @{MOUNTS}/*/.mozilla/** rw, + deny owner @{MOUNTS}/.mozilla/** rw, deny owner /tmp/firefox*/.parentlock rw, deny owner /tmp/tmp-*.xpi rw, deny owner /tmp/tmpaddon r, diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 96e479d6..1513de37 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -6,8 +6,6 @@ abi , include -@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage - @{exec_path} = /{usr/,}bin/megasync profile megasync @{exec_path} { include 
@@ -55,11 +53,8 @@ profile megasync @{exec_path} { owner @{user_config_dirs}/QtProject.conf r, # Sync folder - #/ r, - #@{MOUNTS}/ r, - #@{MOUNTS}/*/ r, - owner @{SYNC_FOLDER}/ r, - owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**, + owner @{user_sync_dirs}/ r, + owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, # Proc filesystem deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index e691740e..c25377a3 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -30,9 +30,9 @@ profile mke2fs @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For virt-resize owner /var/tmp/.guestfs-[0-9]*/** rwk, diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index 9613134a..191bb035 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -24,9 +24,9 @@ profile mkfs-btrfs @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat index 8e946c9e..441dc271 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat 
@@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index fe13d31a..f732aa98 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -45,9 +45,9 @@ profile mount @{exec_path} flags=(complain) { # Mount iso/img files owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # The special /dev/loop-control file can be used to create and destroy loop devices or to find # the first available loop device. diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 80c23b8d..3724dd4b 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -30,19 +30,18 @@ profile mount-cifs @{exec_path} flags=(complain) { owner @{HOME}/.smbcredentials r, # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, # Allow to mount smb/cifs disks only under the /media/ dirs + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, mount fstype=cifs -> @{MOUNTS}/*/, - mount fstype=cifs -> @{MOUNTS}/*/*/, - mount fstype=cifs -> /mnt/, - mount fstype=cifs -> /mnt/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, - umount /mnt/, - umount /mnt/*/, include if exists } diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 69c86061..1983e1bf 100644 
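Review bot: The new `mount fstype=cifs -> @{MOUNTDIRS}/,` and its `umount @{MOUNTDIRS}/,` allow a CIFS share to be mounted directly on `/media/`, `@{run}/media/` and `/mnt/` themselves rather than under them; `/mnt/` was already permitted, but mounting over `/media/` or `@{run}/media/` shadows every user's removable-media tree, which is a denial-of-service foothold should any fstab `user` entry this setuid helper honours ever point there. Unless there is a concrete need, drop the `@{MOUNTDIRS}/` mount/umount pair and keep `@{MOUNTS}/` and `@{MOUNTS}/*/`. The comment left above the rules, `# Allow to mount smb/cifs disks only under the /media/ dirs`, no longer names the real set either; suggest `# Allow to mount smb/cifs shares only under @{MOUNTDIRS}`.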
--- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -45,21 +45,20 @@ profile mount-nfs @{exec_path} flags=(complain) { owner @{run}/rpc.statd.lock wk, # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, # Allow to mount smb/cifs disks only under the /media/ dirs + mount fstype=nfs -> @{MOUNTDIRS}/, + mount fstype=nfs -> @{MOUNTS}/, mount fstype=nfs -> @{MOUNTS}/*/, - mount fstype=nfs -> @{MOUNTS}/*/*/, - mount fstype=nfs -> /mnt/, - mount fstype=nfs -> /mnt/*/, mount fstype=nfs -> /, mount fstype=nfs -> /*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, - umount /mnt/, - umount /mnt/*/, umount /, umount /*/, diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index f68fa31f..5f7b20c9 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -25,9 +25,9 @@ profile mtools @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index faf590df..94014b46 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g 
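Review bot: The comment kept above the new rules, `# Allow to mount smb/cifs disks only under the /media/ dirs`, is copied from mount-cifs and is wrong twice here: this is NFS, and the unchanged `mount fstype=nfs -> /,` and `-> /*/,` lines below mean the mounts are not limited to the media dirs at all. Suggest `# Allow to mount nfs exports under @{MOUNTDIRS}, @{MOUNTS}, and any top-level directory`. Since `-> /*/` already covers `/media/` and `/mnt/`, of the new `@{MOUNTDIRS}/` targets only `@{run}/media/` adds anything; if the top-level rules are the ones meant to stay, the `@{MOUNTDIRS}/` pair is redundant and can go. The profile body continues past the hunk.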
@@ -23,36 +23,35 @@ profile ntfs-3g @{exec_path} { @{exec_path} mr, - @{PROC}/@{pids}/task/@{tid}/status r, - owner @{PROC}/@{pid}/mounts r, + /{usr/,}bin/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + + # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + + # Allow to mount encrypted partition + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/, + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, + mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, - # Mount points - @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, - - # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/*/, - mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, - - # Allow to mount encrypted partition - mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, - mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/, - mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/, - - umount @{MOUNTS}/*/, - umount /mnt/*/, - - # kmod is used to load the fuse kernel module - /{usr/,}bin/kmod rPx, - include if exists } 
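Review bot: The first fuseblk rule's target `-> @{MOUNTDIRS},` has no trailing slash while the `dm-[0-9]*` rule and the `umount` line use `@{MOUNTDIRS}/`; because every `@{MOUNTDIRS}` entry already ends in `/`, the two forms expand to `/media/` and `/media//`, and whether both match the same mount point rests on the parser's slash collapsing — make them identical, `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}/,`. The `mmcblk` rules get no `@{MOUNTDIRS}` target at all, so an SD card may be mounted on `/media/<user>/x/` but not directly on `/mnt/`, unlike a SATA disk; if that asymmetry is unintended, add the matching line. Separately, `@{PROC}/@{pids}/mountinfo r,` lets the helper read every process's mount table; if it only needs its own, `owner @{PROC}/@{pid}/mountinfo r,` is the least-privilege form (confirm against a denial log before narrowing).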
diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index cf4c5edd..713cbbe0 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -21,7 +21,7 @@ profile ntfsclone @{exec_path} { # A place for backups @{HOME}/* rwk, - @{MOUNTS}/*/** rwk, + @{MOUNTS}/** rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index 3bc0b3ac..8e134416 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -16,8 +16,8 @@ profile obex-folder-listing @{exec_path} { owner @{HOME}/ r, owner @{HOME}/**/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/**/ r, + owner @{MOUNTS}/ r, + owner @{MOUNTS}/**/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 40209d49..eeb46bdf 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -70,9 +70,9 @@ profile parted @{exec_path} { # file_inherit include # lots of files in this abstraction get inherited owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, } diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 96560c7c..2eab25a4 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -7,7 +7,7 @@ abi , include -@{TORRENT_DIR} = @{MOUNTS}/*/torrent +@{TORRENT_DIR} = @{MOUNTS}/torrent @{exec_path} = /{usr/,}bin/qbittorrent profile qbittorrent @{exec_path} { 
@@ -241,9 +241,9 @@ profile qbittorrent @{exec_path} { owner @{run}/user/@{uid}/ r, # file_inherit - owner @{MOUNTS}/*/torrent/** r, - owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw, - owner "@{MOUNTS}/*/torrent/**.!qB" rw, + owner @{MOUNTS}/torrent/** r, + owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw, + owner "@{MOUNTS}/torrent/**.!qB" rw, owner @{HOME}/.xsession-errors w, @@ -291,7 +291,7 @@ profile qbittorrent @{exec_path} { owner /tmp/tmp* rw, # file_inherit - owner @{MOUNTS}/*/torrent/** r, + owner @{MOUNTS}/torrent/** r, deny /dev/dri/card[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index e143633a..4bb66130 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -74,11 +74,10 @@ profile qnapi @{exec_path} { # Movie dirs @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/** r, - owner @{MOUNTS}/*/**#[0-9]*[0-9] rw, - owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r, - owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9], + owner @{MOUNTS}/** r, + owner @{MOUNTS}/**#[0-9]*[0-9] rw, + owner @{MOUNTS}/**.@{qnapi_vid_ext} r, + owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9], owner @{HOME}/ r, owner @{user_config_dirs}/qnapi.ini rw, diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index c8a3bcaa..34323ba8 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -34,7 +34,7 @@ profile qtox @{exec_path} { # For importing old profile owner @{HOME}/**.tox r, - owner @{MOUNTS}/*/**.tox r, + owner @{MOUNTS}/**.tox r, owner @{HOME}/ r, owner @{user_cache_dirs}/qTox/ rw, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 376a23a4..c33b3cd1 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs 
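Review bot: Redefining `@{MOUNTS}` silently changes the untouched context line `@{MOUNTS}/ r,` at the top of this hunk: it used to grant `/media/ r` and now grants `/media/*/ r` without `owner`, while the removed `owner @{MOUNTS}/*/ r,` was the owner-restricted rule for that very directory, and read access to `/media/` itself is gone, so a file dialog can no longer descend to the user's mount dir. Replace the context line with the pair `@{MOUNTDIRS}/ r,` and `owner @{MOUNTS}/ r,` so both the listing of the top-level dirs and the owner restriction survive. The profile body continues outside the hunk.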
@@ -24,9 +24,9 @@ profile resize2fs @{exec_path} { # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index fbd72393..81d787ed 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -19,8 +19,8 @@ profile s3fs @{exec_path} { network inet6 stream, network netlink raw, + mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/, @{exec_path} mr, @@ -31,8 +31,8 @@ profile s3fs @{exec_path} { owner @{HOME}/.passwd-s3fs r, + owner @{MOUNTS}/ r, owner @{MOUNTS}/*/ r, - owner @{MOUNTS}/*/*/ r, owner /tmp/* rw, /dev/fuse rw, @@ -50,14 +50,14 @@ profile s3fs @{exec_path} { /etc/fuse.conf r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, + mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/, + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, owner /tmp/s3fstmp.* rw, diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 60224b6c..75622a31 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -24,9 +24,9 @@ profile sfdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index f9241e8b..d844317f 100644 
--- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -24,13 +24,13 @@ profile sgdisk @{exec_path} { # For disk images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk, + owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, # For backups owner @{HOME}/**.{bak,back} rwk, - owner @{MOUNTS}/*/**.{bak,back} rwk, + owner @{MOUNTS}/**.{bak,back} rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 78d88b51..7c223bed 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -6,7 +6,7 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/*/mp3/ +@{MEDIA_LIB} = @{MOUNTS}/mp3/ @{exec_path} = /{usr/,}bin/strawberry profile strawberry @{exec_path} { diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 7e462e94..45a13c29 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -6,7 +6,7 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/*/mp3/ +@{MEDIA_LIB} = @{MOUNTS}/mp3/ @{exec_path} = /{usr/,}bin/strawberry-tagreader profile strawberry-tagreader @{exec_path} { diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 50f7f5de..120be844 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -29,9 +29,9 @@ profile tune2fs @{exec_path} { # Image files @{HOME}/**.{iso,img,bin,mdf,nrg} rw, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rw, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index d2019666..74304f9a 100644 
--- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -35,7 +35,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={ReleaseName,GetConnectionUnixUser}, + member={ReleaseName,GetConnectionUnixUser,RequestName}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager 
@@ -71,26 +71,26 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/systemd-escape rPx, # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow mounting of cdrom mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, # Allow mounting od sd cards - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow unmounting + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, umount /media/cdrom[0-9]/, # Be able to create/delete dirs for removable media + @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, - @{MOUNTS}/*/*/ rw, /media/cdrom[0-9]/ rw, # Udisks2 config files 
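Review bot: The added `umount @{MOUNTS}/,` lets udisksd unmount `/media/<user>/`, `@{run}/media/<user>/` and `/mnt/<dir>/` themselves, but no `mount` rule in this hunk targets `@{MOUNTS}/` — every mount lands on `@{MOUNTS}/*/` — so unmount is wider than mount for no visible reason. If the line exists for fstab mounts under `/mnt/`, narrow it to `umount /mnt/*/,` and say so in a comment; otherwise drop it so unmount mirrors mount. The added `@{MOUNTS}/ rw,` does match the `# Be able to create/delete dirs for removable media` comment (udisksd creates the per-user directory), so that one looks right. The profile body continues past the hunk.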
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index b2c1583c..416a527c 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -73,11 +73,10 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # For disk images @{MOUNTS}/ r, - @{MOUNTS}/*/ r, @{HOME}/**.{iso,img,bin,mdf,nrg} r, - @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r, + @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r, @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, - @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r, + @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r, # System VM images /var/lib/libvirt/images/{,**} rw, @@ -86,7 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/libvirt/{,**} rw, owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, - owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw, + owner @{MOUNTS}/@{XDG_VM_DIR}/{,**} rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/mount/utab r, diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index 4c6f55e1..7dd32b0e 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend @@ -9,8 +9,14 @@ # Universally unique identifier @{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* -# Common mountpoints -@{MOUNTS}=/media/ @{run}/media /mnt + +# @{MOUNTDIRS} is a space-separated list of where user mount directories +# are stored, for programs that must enumerate all mount directories on a +# system. +@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/ + +# @{MOUNTS} is a space-separated list of all user mounted directories. +@{MOUNTS}=@{MOUNTDIRS}/*/ # Libexec path. Different in some distribution @{libexec}=/{usr/,}lib # Archlinux From 24056c8cd1f179b58d70f8cdbf29f2414faf7097 Mon Sep 17 00:00:00 2001 
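Review bot: With `@{MOUNTS}` redefined, the unchanged `@{MOUNTS}/ r,` at the top of this hunk now means `/media/*/ r` rather than `/media/ r`, and the removed `@{MOUNTS}/*/ r,` was the line that previously covered `/media/*/`; the net effect is that read access to `/media/`, `@{run}/media/` and `/mnt/` themselves is lost while nothing else changes, so the ISO file chooser cannot browse into the mount directories. Add `@{MOUNTDIRS}/ r,` directly before `@{MOUNTS}/ r,`. The profile body continues outside the hunk.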
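Review bot: The new comment for `@{MOUNTS}` ("all user mounted directories") does not describe the value: `@{MOUNTDIRS}/*/` expands to `/media/*/`, `@{run}/media/*/` and `/mnt/*/`, which on a udisks layout is the per-user directory with the real mount points one level further down (`@{MOUNTS}/*/`, exactly what the udisksd rules use), whereas for `/mnt/` it already is the mount point — that dual meaning is why profiles carry both `@{MOUNTS}/` and `@{MOUNTS}/*/`, and the comment should say so. Suggest `# @{MOUNTS} is a space-separated list of the directories directly under @{MOUNTDIRS} (/media/<user>/, @{run}/media/<user>/, /mnt/<dir>/); on udisks layouts the actual mount points are @{MOUNTS}/*/`. Also, since every `@{MOUNTDIRS}` entry already ends in `/`, `@{MOUNTDIRS}/*/` yields `/media//*/`; writing `@{MOUNTS}=@{MOUNTDIRS}*/` avoids relying on the parser collapsing repeated slashes in every rule that uses it.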
From: Alexandre Pujol Date: Sun, 12 Jun 2022 22:56:27 +0100 Subject: [PATCH 045/165] feat(profiles): ensure bin, sbin compatibility for (u)mount. --- apparmor.d/profiles-m-r/mount | 2 +- apparmor.d/profiles-m-r/mount-cifs | 5 +++-- apparmor.d/profiles-m-r/mount-nfs | 13 +++++++------ apparmor.d/profiles-s-z/spectre-meltdown-checker | 2 +- apparmor.d/profiles-s-z/umount | 6 +++--- 5 files changed, 15 insertions(+), 13 deletions(-) diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index f732aa98..de172000 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mount +@{exec_path} = /{usr/,}{s,}bin/mount profile mount @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 3724dd4b..1ee7662b 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -1,12 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}sbin/mount.cifs +@{exec_path} = /{usr/,}{s,}bin/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 1983e1bf..1e9a6fbf 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -1,12 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}sbin/mount.nfs +@{exec_path} = /{usr/,}{s,}bin/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include 
@@ -26,11 +27,11 @@ profile mount-nfs @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}sbin/start-statd rix, - /{usr/,}bin/flock rix, + /{usr/,}{s,}bin/start-statd rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/flock rix, - /usr/bin/systemctl rPx -> child-systemctl, + /usr/bin/systemctl rPx -> child-systemctl, /etc/fstab r, /etc/netconfig r, diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 5ff0cce5..b2fdf5df 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -57,7 +57,7 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}{s,}bin/iucode_tool rix, /{usr/,}bin/dmesg rix, - /{usr/,}bin/mount rix, + /{usr/,}{s,}bin/mount rix, /{usr/,}bin/find rix, /{usr/,}bin/xargs rix, /{usr/,}bin/readlink rix, diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index 109a4eb4..89c238b5 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/umount +@{exec_path} = /{usr/,}{s,}bin/umount profile umount @{exec_path} flags=(complain) { include include @@ -26,8 +26,8 @@ profile umount @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}sbin/umount.* rPx, - /{usr/,}sbin/mount.* rPx, + /{usr/,}{s,}bin/umount.* rPx, + /{usr/,}{s,}bin/mount.* rPx, # Mount points @{HOME}/ r, From 50a18aac08f6b72a58debef00f2cccfeb3e85a40 Mon Sep 17 00:00:00 2001 
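Review bot: In the mount-nfs hunk the reordered `/usr/bin/systemctl rPx -> child-systemctl,` keeps a hard-coded `/usr/bin` prefix while every other exec line touched by this commit is written as `/{usr/,}...` for bin/sbin and merged-/usr compatibility, so on a host where systemctl is reached as `/bin/systemctl` the transition to `child-systemctl` would not apply. Since the line is being rewritten anyway, make it `/{usr/,}bin/systemctl rPx -> child-systemctl,`. The mount-nfs profile body continues outside the hunk.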
From: Alexandre Pujol Date: Sun, 12 Jun 2022 23:50:58 +0100 Subject: [PATCH 046/165] feat(profiles): add some core dbus rules. --- apparmor.d/groups/freedesktop/accounts-daemon | 7 ++- apparmor.d/groups/freedesktop/colord-sane | 7 ++- apparmor.d/groups/freedesktop/geoclue | 44 +++++++++++++- apparmor.d/groups/freedesktop/pipewire | 12 ++++ .../groups/freedesktop/polkit-agent-helper | 8 +++ apparmor.d/groups/freedesktop/polkitd | 31 ++++------ apparmor.d/groups/freedesktop/upowerd | 9 +++ .../groups/freedesktop/xdg-desktop-portal | 2 +- .../freedesktop/xdg-desktop-portal-gnome | 4 ++ .../groups/gnome/evolution-calendar-factory | 8 ++- apparmor.d/groups/gnome/gdm | 7 ++- apparmor.d/groups/gnome/gdm-session-worker | 12 +--- apparmor.d/groups/gnome/gnome-control-center | 51 ++++++++++++++++ apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 9 +++ apparmor.d/groups/gnome/gnome-session-binary | 6 +- apparmor.d/groups/gnome/gnome-shell | 58 ++++++++++--------- apparmor.d/groups/gnome/goa-daemon | 8 ++- apparmor.d/groups/gnome/gsd-color | 2 +- .../groups/gnome/gsd-disk-utility-notify | 7 +-- apparmor.d/groups/gnome/gsd-keyboard | 4 ++ apparmor.d/groups/gnome/gsd-media-keys | 8 +++ apparmor.d/groups/gnome/gsd-power | 8 +++ apparmor.d/groups/gnome/gsd-printer | 2 +- apparmor.d/groups/gnome/gsd-sharing | 20 ++++++- apparmor.d/groups/gnome/gsd-xsettings | 5 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/network/ModemManager | 30 ++++++++++ apparmor.d/groups/network/NetworkManager | 17 ++++-- apparmor.d/groups/ssh/sshd | 5 ++ apparmor.d/groups/systemd/networkctl | 5 ++ apparmor.d/groups/systemd/systemd-localed | 3 +- apparmor.d/groups/systemd/systemd-logind | 24 ++++---- apparmor.d/groups/ubuntu/packagekitd | 6 +- apparmor.d/profiles-m-r/rtkit-daemon | 14 ++--- apparmor.d/profiles-s-z/wpa-supplicant | 4 ++ 36 files changed, 343 insertions(+), 108 deletions(-) 
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 04be8d6f..77416964 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -33,12 +33,17 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User - member={Changed,SetLanguage}, + member={Changed,SetLanguage,SetInputSources}, dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers}, diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index 9223002a..465b88a1 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -17,11 +17,12 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, dbus (send,receive) bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager, + interface=org.freedesktop.{DBus.Properties,ColorManager}, dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,ServiceBrowserNew}, + interface=org.freedesktop.{DBus.Peer,Avahi.Server} + member={GetAPIVersion,GetState,ServiceBrowserNew,Ping} + peer=(name=org.freedesktop.Avahi), dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] interface=org.freedesktop.Avahi.ServiceBrowser diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index af5198d5..dd4bc64f 100644 --- a/apparmor.d/groups/freedesktop/geoclue 
+++ b/apparmor.d/groups/freedesktop/geoclue @@ -7,15 +7,57 @@ abi , include @{exec_path} = @{libexec}/geoclue -profile geoclue @{exec_path} { +profile geoclue @{exec_path} flags=(attach_disconnected) { include + include network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} + interface=org.freedesktop.{DBus.Properties,GeoClue2*}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping, + + dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] + interface=org.freedesktop.Avahi.ServiceBrowser + member={AllForNow,CacheExhausted}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + + dbus bind bus=system + name=org.freedesktop.GeoClue2, + @{exec_path} mr, /etc/geoclue/{,**} r, + @{run}/systemd/journal/socket rw, + @{PROC}/@{pids}/cgroup r, include if exists diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 76220f9f..09d3cb55 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire 
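Review bot: The new geoclue rules for `org.freedesktop.Avahi.Server` and for `org.freedesktop.DBus.Peer` `Ping` on `path=/` carry no `peer=` clause, whereas the colord-sane hunk in this same commit pins the identical Avahi calls to `peer=(name=org.freedesktop.Avahi)`; without it the profile does not constrain which bus name geoclue may address with those calls. Add `peer=(name=org.freedesktop.Avahi)` to both rules, matching colord-sane and the `org.freedesktop.DBus` rule just above them that already pins its peer. Separately, `@{PROC}/@{pids}/cgroup r,` is unowned and reads every process's cgroup; a one-line why-comment naming the client lookup that needs it would let a later reviewer judge whether `owner` would suffice.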
@@ -17,8 +17,20 @@ profile pipewire @{exec_path} { ptrace (read), + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit[0-9] + member=MakeThread* + peer=(name=org.freedesktop.RealtimeKit[0-9]), + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.RealtimeKit[0-9]), + @{exec_path} mr, + /{usr/,}bin/pipewire-media-session rPx, + /usr/share/pipewire/pipewire.conf r, /etc/machine-id r, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index e04c0259..16547bd4 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -29,6 +29,14 @@ profile polkit-agent-helper @{exec_path} { signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=pkexec, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=AuthenticationAgentResponse2, + @{exec_path} mr, # file_inherit diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 323ac40f..5847fcff 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
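Review bot: The new `AuthenticationAgentResponse2` send rule in polkit-agent-helper has no `peer=` restriction, so the profile does not constrain the destination of the message by which this setuid helper reports a successful authentication; other rules added by the same commit (accounts-daemon, pipewire, upowerd) do pin their peers. Add `peer=(name=org.freedesktop.PolicyKit[0-9])` to that rule and, for symmetry, to the `GetAll` rule directly above it. The helper profile continues outside the hunk.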
@@ -22,35 +22,18 @@ profile polkitd @{exec_path} { ptrace (read), + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* + interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName}, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={Changed,BeginAuthentication}, - - dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={GetAll,CheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2,EnumerateActions,CancelCheckAuthorization}, - - dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, - dbus bind bus=system name=org.freedesktop.PolicyKit[0-9], @{exec_path} mr, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - /etc/machine-id r, # System rules @@ -74,6 +57,14 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + # Silencer deny /.cache/ rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d977b692..b2ac5d65 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
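Review bot: The consolidated `dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}` rule in polkitd has no member list, which is reasonable on the receive side for the service that owns those objects, but it also widens the send side from the former `member={Changed,BeginAuthentication}` to every method on every PolicyKit interface. Keeping the directions split preserves what the removed rules documented: `dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/* interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*},` plus `dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/* interface=org.freedesktop.PolicyKit[0-9].* member={Changed,BeginAuthentication},`. The relocated `@{PROC}` lines are unchanged in content, and the profile body continues outside the hunk.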
@@ -27,6 +27,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=SessionNew, + dbus bind bus=system name=org.freedesktop.UPower, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index f83f6ea0..fd3deefa 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -35,7 +35,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member=StateChanged, + member={StateChanged,CheckPermissions}, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 3b1e4a55..611f2e2b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -23,6 +23,10 @@ profile xdg-desktop-portal-gnome @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User member=Changed, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 7576ba23..ef99ad71 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory 
@@ -23,9 +23,13 @@ profile evolution-calendar-factory @{exec_path} { network inet6 dgram, network netlink raw, - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member={PropertiesChanged,GetAll}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 1358ba23..776e10df 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -27,7 +27,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term), dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User + interface=org.freedesktop.{DBus.Properties,Accounts.User} member={Changed,GetAll,PropertiesChanged}, dbus send bus=system path=/org/freedesktop/Accounts @@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser}, + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9] interface=org.freedesktop.DBus.Properties @@ -50,6 +50,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager} member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel}, + dbus bind bus=system + name=org.gnome.DisplayManager, + @{exec_path} mr, /{usr/,}{s,}prime-switch rPx, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index a3bf855e..e4120665 100644 
--- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -41,22 +41,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} - interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts} + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.Properties,Accounts*} member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=CreateSession, - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.Accounts.User - member=Changed, - @{exec_path} mrix, /{usr/,}bin/gnome-keyring-daemon rPx, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 2b498d8b..a97fdf76 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,6 +10,9 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include + include + include include include include 
@@ -32,6 +35,54 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=unconfined, signal (send) set=(kill) peer=passwd, + dbus send bus=system path=/org/freedesktop{,ModemManager[0-9],UDisks2} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member=GetDevices, + + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=ListCachedUsers, + + dbus send bus=system path=/net/hadess/SwitcherooControl + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings, + + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, + @{exec_path} mr, /{usr/,}bin/bash rUx, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 71431b3a..fb129e7f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding 
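Review bot: The first new rule in gnome-control-center, `path=/org/freedesktop{,ModemManager[0-9],UDisks2}`, is missing the `/` inside the alternation, so it expands to `/org/freedesktopModemManager1` and `/org/freedesktopUDisks2`, object paths that never exist; only the bare `/org/freedesktop` branch can match and the ModemManager and UDisks2 `GetManagedObjects` calls will still be denied. Write it as `path=/org/freedesktop{,/ModemManager[0-9],/UDisks2}`, the same shape the tracker-miner hunk in this commit corrects to (`UPower{,/devices/DisplayDevice}`). The profile continues outside the hunk.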
+++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -26,7 +26,7 @@ profile gnome-extension-ding @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable - member=Introspec, + member=Introspect, dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 3f499354..14ba09f8 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -19,6 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=ssh-agent, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=GetSession + peer=(name=org.freedesktop.login[0-9]), + + dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /{usr/,}bin/ssh-add rix, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 40a7fce9..50ae01f2 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -30,7 +30,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={CanPowerOff,GetSession}, + member={CanPowerOff,GetSession,PowerOff,Inhibit}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties 
@@ -44,6 +44,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,PrepareForShutdown,SessionRemoved}, + @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 70e85dbf..b0808666 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,6 +11,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -18,6 +19,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
@@ -43,36 +45,39 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), - dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* - interface=org.freedesktop.login[0-9].Session - member={ReleaseDevice,TakeControl,TakeDevice,PauseDevice}, + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} + interface=org.freedesktop.{DBus.Properties,login[0-9].*}, dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={CheckAuthorization,RegisterAuthenticationAgent,Changed}, + interface=org.freedesktop.{DBus.Properties,PolicyKit[0-9].Authority} + member={CheckAuthorization,RegisterAuthenticationAgent,Changed,GetAll}, - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.DisplayManager.Manager - member=RegisterSession - peer=(name=org.gnome.DisplayManager), + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.Properties,Accounts*} + member={GetAll,FindUserByName,Changed,PropertiesChanged}, + + dbus (send,receive) bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} + interface=org.freedesktop.{DBus.Properties,GeoClue2.Manager} + member={PropertiesChanged,AddAgent,GetAll}, dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={CanSuspend,CanRebootToBootLoaderMenu,GetSession,Inhibit}, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser, - dbus send bus=system 
path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.{DBus.Properties,DisplayManager.Manager} + member={RegisterSession,Get,GetAll,OpenReauthenticationChannel} + peer=(name=org.gnome.DisplayManager), - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + dbus send bus=system path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} interface=org.freedesktop.DBus.Properties member=GetAll, @@ -80,16 +85,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { interface=net.reactivated.Fprint.Manager member=GetDefaultDevice, + dbus send bus=system path=/org/freedesktop/NetworkManager{,/AgentManager} + interface=org.freedesktop.NetworkManager{,.AgentManager} + member={Unregister,RegisterWithCapabilities,GetPermissions}, + dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions, - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus receive bus=system path=/org/freedesktop/NetworkManager/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]* interface=org.freedesktop.DBus.Properties member=PropertiesChanged, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties member=PropertiesChanged, @{exec_path} mr, 
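Review bot: In gnome-shell the rewritten DisplayManager rule uses `interface=org.gnome.{DBus.Properties,DisplayManager.Manager}`, whose first branch expands to `org.gnome.DBus.Properties`, an interface that does not exist, so the `Get` and `GetAll` members it lists are never actually granted; the gdm hunk in this same commit spells the pair correctly as `interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager}`, and this rule should match it. Also worth a second look: the new `dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,login[0-9].*}` replaces member lists limited to `{CanSuspend,CanRebootToBootLoaderMenu,GetSession,Inhibit}` and the session device calls with an unrestricted grant on every logind object and method. Polkit still gates the privileged logind actions, but the profile no longer states which ones gnome-shell is expected to use; if the wildcard is kept, a comment listing the calls observed in practice would preserve that intent. The profile body continues outside the hunk.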
@@ -150,9 +159,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/.goutputstream{,*} rw, - owner @{user_config_dirs}/ibus/ rw, - owner @{user_config_dirs}/ibus/bus/ rw, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_share_dirs}/backgrounds/{,**} rw, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 6236a78c..2fb705b0 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -25,9 +25,13 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member={PropertiesChanged,GetAll}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 0bc91045..18f0eec6 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -18,7 +18,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=system path=/org/freedesktop/ColorManager/devices/xrandr_* + dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*} interface=org.freedesktop.DBus.Properties member=GetAll, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index b2638249..28175182 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
@@ -12,14 +12,13 @@ profile gsd-disk-utility-notify @{exec_path} { include include + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.DBus.{Properties,ObjectManager}, + dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, - dbus receive bus=system path=/org/freedesktop/UDisks2/** - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 31280ae7..a278f2b3 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -18,6 +18,10 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=system path=/org/freedesktop/locale[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6f2b77f2..23ae3898 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -37,6 +37,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown}, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index bb4ec7d0..6a09314b 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power 
@@ -24,6 +24,10 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,UPower*}, + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member=GetAll, @@ -48,6 +52,10 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown}, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 6f8d0db3..c4614b70 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -17,7 +17,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=ReleaseName, + member={ReleaseName,RequestName}, dbus bind bus=system name=com.redhat.NewPrinterNotification, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 9ccb637f..2268b138 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing 
@@ -15,11 +15,27 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term, hup) peer=gdm*, - - dbus receive bus=system path=/org/freedesktop/NetworkManager + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9] + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings, + + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 16aeb9ab..2192ebae 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -30,6 +30,10 @@ profile gsd-xsettings @{exec_path} { interface=org.freedesktop.Accounts.User member={SetInputSources,Changed,GetAll}, + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=FindUserByName, @@ -59,7 +63,6 @@ profile gsd-xsettings @{exec_path} { owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/sessions/* r, 
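Review bot: The new gsd-sharing rule `path=/org/freedesktop/NetworkManager/Settings/[0-9]` matches only single-digit connection objects, so `GetSettings` on the tenth and later saved connections will be denied; the equivalent rule added to gnome-control-center in this commit uses `Settings/[0-9]*`, and this one should read `dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings,`. The blank line replaced at the top of the hunk appears to differ only in whitespace; check that it does not introduce trailing spaces. The profile continues outside the hunk.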
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index fe296d94..397e03ea 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -18,7 +18,7 @@ profile tracker-miner @{exec_path} { include include - dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties member=GetAll, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 7ff48ff5..795061b9 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -14,6 +14,34 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={UserNew,SessionNew}, + + dbus bind bus=system + name=org.freedesktop.ModemManager[0-9], + @{exec_path} mr, @{run}/udev/data/+pci:* r, 
@@ -22,6 +50,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n[0-9]* r, + @{run}/systemd/inhibit/*.ref rw, + @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/net/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 6dd5d195..3d4cc758 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -40,7 +40,15 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority - member={Changed,CheckAuthorization}, + member={Changed,CheckAuthorization,CancelCheckAuthorization}, + + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}, dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager @@ -57,7 +65,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/resolve[0-9] interface=org.freedesktop.resolve[0-9].Manager - member=SetLink*, + member={SetLink*,ResolveHostname}, + # org.freedesktop.resolve1 dbus send bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties @@ -71,10 +80,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionRemoved,UserNew,SessionNew,Inhibit}, - dbus bind bus=system name=org.freedesktop.NetworkManager, 
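Review bot: In the NetworkManager `@@ -40` hunk, folding the former receive-only login1 rule (deleted in the `@@ -71` hunk of this file) into a single `dbus (send,receive)` rule grants NetworkManager the right to emit `SessionRemoved`, `UserNew`, `SessionNew` and `PrepareForShutdown` on the logind interface itself, and to receive `Inhibit` calls it never serves; only `Inhibit` appears to need the send direction. Splitting the rule by direction keeps the grant to what the daemon actually does, and the send half can then carry a peer qualifier as the sshd rule in this commit does.
```apparmor
  dbus send bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
       member=Inhibit
       peer=(name=org.freedesktop.login[0-9]),

  dbus receive bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
       member={SessionRemoved,UserNew,SessionNew,PrepareForShutdown},

  # … unchanged: org.freedesktop.DBus RequestName/GetConnectionUnix* rule …
```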
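Review bot: In the NetworkManager `@@ -57` hunk, the added `# org.freedesktop.resolve1` comment sits on its own line after the resolve1 rule and before a blank line, so it reads as a label for the hostname1 rule that follows rather than the rule it presumably describes. The profiles in this series put comments above the rule they annotate (for example `# Methods to use to download packages from the net` in apt); suggest moving it above `dbus send bus=system path=/org/freedesktop/resolve[0-9]`, or dropping it, since the interface name already states the service.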
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a1937b01..fb036f2e 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -50,6 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CreateSession,ReleaseSession} + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mrix, /{usr/,}{s,}bin/nologin rPx, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 378c89c1..698fd2f3 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -24,6 +24,11 @@ profile networkctl @{exec_path} flags=(complain) { network inet6 dgram, network netlink raw, + dbus send bus=system path=/org/freedesktop/network[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.network[0-9]), + @{exec_path} mr, /{usr/,}bin/pager rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 2ebf2685..c2a6be9e 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -19,7 +19,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=ReleaseName, + member={ReleaseName,RequestName} + peer=(name=org.freedesktop.DBus), dbus receive bus=system path=/org/freedesktop/locale[0-9] interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 3224e803..cebfc7c3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -27,14 +27,14 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*}, - dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/job/** + dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.systemd[0-9].Manager + member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe}, + + dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/{unit,job}/** interface=org.freedesktop.DBus.Properties member={Get,PropertiesChanged}, - dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/unit/** - interface=org.freedesktop.DBus.Properties - member={PropertiesChanged,Get}, - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, @@ -47,10 +47,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { interface=org.freedesktop.systemd[0-9].Scope member=Abandon, - dbus receive bus=system path=/org/freedesktop/systemd[0-9] - interface=org.freedesktop.systemd[0-9].Manager - member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading}, - dbus receive bus=system path=/org/freedesktop/systemd[0-9] interface=org.freedesktop.DBus.Properties member=PropertiesChanged, @@ -68,8 +64,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { /var/lib/systemd/linger/ r, + @{run}/.#nologin* rw, @{run}/host/container-manager r, - + @{run}/nologin rw, @{run}/utmp rk, @{run}/udev/tags/master-of-seat/ r, 
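Review bot: The new systemd1 Manager rule lists `Subscribe` twice: `member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe}`. Beyond the typo, the rule merges what was a receive-only rule (deleted in the `@@ -47` hunk) into `(send,receive)`: the send direction is needed for StartUnit, StartTransientUnit and Subscribe, which logind calls, but it also lets logind emit `JobRemoved`, `UnitRemoved` and `Reloading` signals that it only consumes. Splitting by direction removes the duplicate and keeps the grant minimal.
```apparmor
  dbus send bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={StartUnit,StartTransientUnit,Subscribe},

  dbus receive bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={JobRemoved,UnitRemoved,Reloading},

  # … unchanged: systemd[0-9]/{unit,job}/** Properties rule …
```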
@@ -96,18 +93,19 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/systemd/journal/socket rw, + @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat[0-9]* rw, @{run}/systemd/sessions/{,*} rw, @{run}/systemd/sessions/*.ref rw, + @{run}/systemd/shutdown/.#scheduled* rw, + @{run}/systemd/shutdown/scheduled rw, @{run}/systemd/users/ rw, @{run}/systemd/users/.#* rw, @{run}/systemd/users/@{uid} rw, - @{run}/systemd/journal/socket rw, - @{run}/systemd/notify rw, - @{sys}/class/drm/ r, @{sys}/devices/**/{uevent,enabled,status} r, @{sys}/devices/**/brightness rw, diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index dfe1983b..c0dc9ffc 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -38,12 +38,16 @@ profile packagekitd @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member=CheckPermissions, + member={CheckPermissions,StateChanged}, dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=SessionNew, + dbus bind bus=system name=org.freedesktop.PackageKit, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index f6ab963e..82302316 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -21,17 +21,17 @@ profile rtkit-daemon @{exec_path} { capability sys_nice, capability sys_ptrace, + dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit[0-9], + dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9] interface=org.freedesktop.DBus.Properties member={Get,GetAll}, - dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9] - interface=org.freedesktop.RealtimeKit[0-9] - member=MakeThreadRealtimeWithPID, - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=GetConnectionUnixUser, + member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus), dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index eb79c593..93e75bf2 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -29,6 +29,10 @@ profile wpa-supplicant @{exec_path} { interface=org.freedesktop.DBus member=RequestName, + dbus receive bus=system path=/fi/w[0-9]/wpa_supplicant[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + dbus bind bus=system name=fi.w1.wpa_supplicant[0-9], From 6898bac12f4efa3eff8d048cacdf1e5498ab4f13 Mon Sep 17 00:00:00 2001 
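Review bot: The replacement rule `dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9] interface=org.freedesktop.RealtimeKit[0-9],` widens the previous receive-only `member=MakeThreadRealtimeWithPID` grant to every member of the interface in both directions. Receiving the full interface is defensible for the daemon that owns it, but nothing in the hunk shows rtkit-daemon calling its own interface, so the `send` half looks unneeded; suggest `dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]` on the first line, and listing the served methods in a `member={...}` set if they are known, as the Properties rule below it does. The rtkit-daemon profile body continues outside the hunk.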
From: Alexandre Pujol Date: Mon, 13 Jun 2022 21:38:14 +0100 Subject: [PATCH 047/165] feat(profiles): add some missing dbus, MOUNTS and dconf rules. --- apparmor.d/groups/apps/telegram-desktop | 5 +---- apparmor.d/groups/apt/apt-cdrom | 10 +++++----- apparmor.d/groups/bus/ibus-x11 | 5 +---- apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/gnome/gdm-x-session | 2 ++ .../groups/gnome/gnome-control-center-print-renderer | 2 ++ apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-photos-thumbnailer | 2 +- apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 1 - apparmor.d/groups/gnome/gnome-system-monitor | 5 ++--- apparmor.d/groups/gnome/tracker-extract | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/profiles-g-l/light-locker | 5 +---- 14 files changed, 20 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 943b9811..00fa0bcd 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -12,6 +12,7 @@ include profile telegram-desktop @{exec_path} { include include + include include include include @@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Needed when saving files as, or otherwise the app crashes /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index 3dcdf22d..90e96c33 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom 
@@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) { /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, # For pendrives - @{MOUNTS}/*/ r, - @{MOUNTS}/*/**/ r, - @{MOUNTS}/*/.disk/info r, - @{MOUNTS}/*/dists/**/binary-*/Packages{,.gz} r, - @{MOUNTS}/*/dists/**/i18n/Translation-en{,.gz} r, + @{MOUNTS}/ r, + @{MOUNTS}/**/ r, + @{MOUNTS}/.disk/info r, + @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, + @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, /var/lib/apt/lists/** rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 791e78fa..ee1c9726 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -22,16 +23,12 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index fd3deefa..3741b43b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index 5992fe6f..7fafce5a 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session 
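Review bot: Rewriting `@{MOUNTS}/*/...` as `@{MOUNTS}/...` only preserves the meaning of these rules if the `@{MOUNTS}` tunable now ends in the per-volume wildcard; this commit's diffstat touches no tunables file, so the change relies on that definition having landed elsewhere. If `@{MOUNTS}` still expands to bare mount roots, `@{MOUNTS}/**/ r` and `@{MOUNTS}/.disk/info r` now match directly under the root instead of under each mounted volume, and `@{MOUNTS}/dists/**/binary-*/Packages{,.gz} r` no longer matches a pendrive at all. The same rewrite appears in gnome-disk-image-mounter, gnome-music, gnome-photos-thumbnailer, tracker-extract and tracker-miner in this commit; a one-line comment such as `# @{MOUNTS} already includes the per-volume directory` next to the first rule would make the dependency explicit.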
@@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/gdm-x-session profile gdm-x-session @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=term peer=gdm{,-session-worker}, # signal (send) set=term peer=unconfined, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index b109d9c4..ee7cddc9 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include + include include include include @@ -34,6 +35,7 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{user_share_dirs}/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index e034e54a..853c4a1c 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -21,7 +21,7 @@ profile gnome-disk-image-mounter @{exec_path} { # Allow to mount user files owner @{HOME}/{,**} r, - owner @{MOUNTS}/*/{,**} r, + owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 2fe0625a..3fbaa6b4 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -39,7 +39,7 @@ profile gnome-music @{exec_path} { /etc/machine-id r, owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, - owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-music/{,**} rwk, owner @{user_cache_dirs}/media-art/album-*.jpeg rw, 
diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index c58fc245..b2e371b9 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -16,7 +16,7 @@ profile gnome-photos-thumbnailer @{exec_path} { /usr/share/mime/mime.cache r, owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r, - owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 6769ca2f..94abd03f 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -14,7 +14,6 @@ profile gnome-shell-hotplug-sniffer @{exec_path} { /usr/share/mime/mime.cache r, - owner @{MOUNTS}/*/ r, owner @{MOUNTS}/**/ r, owner @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 1053f8bd..47b27808 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,7 +9,8 @@ include @{exec_path} = /{usr/,}bin/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include + include + include include include @@ -35,8 +36,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/doc/ rw, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 2deea030..24b5d340 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
@@ -40,7 +40,7 @@ profile tracker-extract @{exec_path} { # Allow to search user files owner @{HOME}/{,**} r, - owner @{MOUNTS}/*/{,**} r, + owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, owner /tmp/tracker-extract-3-files.*/{,*} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 397e03ea..8191ba33 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -44,7 +44,7 @@ profile tracker-miner @{exec_path} { # Allow to search user files owner @{HOME}/{,**} r, - owner @{MOUNTS}/*/{,**} r, + owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, owner @{user_config_dirs}/tracker3/{,**} rwk, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 85c9dbd5..b5f78f2c 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/light-locker profile light-locker @{exec_path} { include + include include include include @@ -27,10 +28,6 @@ profile light-locker @{exec_path} { # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/pci[0-9]*/**/vendor r, @{sys}/devices/pci[0-9]*/**/device r, From 7b0ef88358ef89a9827fa37452edb088e1b4e418 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 13 Jun 2022 21:41:48 +0100 Subject: [PATCH 048/165] feat(profiles): add some missing dbus rules. --- apparmor.d/groups/apt/apt | 15 +++++++++++++++ apparmor.d/groups/apt/unattended-upgrade | 12 ++++++++++++ .../groups/apt/unattended-upgrade-shutdown | 16 ++++++++++++++++ apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++++++++-- apparmor.d/groups/gnome/gsd-media-keys | 4 ++++ apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/systemd/systemd-oomd | 8 ++++++++ apparmor.d/groups/systemd/systemd-resolved | 11 +++++++++++ apparmor.d/groups/ubuntu/packagekitd | 2 +- 10 files changed, 79 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 7e0c09b6..3301e999 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -29,6 +29,21 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.PackageKit), + + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.PackageKit + member=StateHasChanged + peer=(name=org.freedesktop.PackageKit), + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 4a978427..8f851253 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade 
@@ -27,6 +27,18 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=StateChanged, + @{exec_path} mr, /{usr/,}bin/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 85024366..0e9f43b9 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -14,6 +14,22 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.DBus.{Introspectable,Properties} + member={Introspect,Get}, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=PrepareForShutdown, + @{exec_path} mr, /{usr/,}bin/ischroot rix, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index b2ac5d65..4e25042e 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -34,7 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member=SessionNew, + member={SessionNew,PrepareForShutdown}, dbus bind bus=system name=org.freedesktop.UPower, 
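Review bot: The login1 `Inhibit` send rule added here has no `peer=` qualifier, whereas the identical rule added to the apt profile in this same commit is pinned with `peer=(name=org.freedesktop.login[0-9]),`; the two `Inhibit` and `Introspect`/`Get` send rules in unattended-upgrade-shutdown have the same gap. Suggest adding the peer line to each so the grants stay consistent across the apt group and are limited to the logind connection. The unattended-upgrade profile body continues outside the hunk.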
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b0808666..3a5e8228 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,7 +56,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.{DBus.Properties,Accounts*} member={GetAll,FindUserByName,Changed,PropertiesChanged}, - dbus (send,receive) bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}, @@ -72,8 +72,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus member=GetConnectionUnixUser, + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings, + dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.{DBus.Properties,DisplayManager.Manager} + interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager} member={RegisterSession,Get,GetAll,OpenReauthenticationChannel} peer=(name=org.gnome.DisplayManager), diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 23ae3898..1af3f985 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
@@ -41,6 +41,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=Get, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=PowerOff, + dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member={SessionNew,SessionRemoved,PrepareForShutdown}, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 795061b9..6c5778a2 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -37,7 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={UserNew,SessionNew}, + member={UserNew,SessionNew,PrepareForShutdown}, dbus bind bus=system name=org.freedesktop.ModemManager[0-9], diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 8aaa47e1..51c95970 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,6 +15,14 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus bind bus=system + name=org.freedesktop.oom[0-9], + @{exec_path} mr, /etc/systemd/oomd.conf r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 13a5dc58..f2e385d6 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved 
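Review bot: The new `PowerOff` send rule on the login1 Manager interface carries no `peer=` qualifier, so it is satisfied by any connection exporting that path rather than logind alone; for a method that shuts the machine down this is worth pinning, as the sshd and apt rules in this series do. Suggest appending `peer=(name=org.freedesktop.login[0-9]),` to the rule. The gsd-media-keys profile body continues outside the hunk.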
@@ -28,6 +28,17 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/resolve[0-9] + interface=org.freedesktop.resolve[0-9].Manager, + + dbus bind bus=system + name=org.freedesktop.resolve[0-9], + @{exec_path} mr, /etc/systemd/resolved.conf r, diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index c0dc9ffc..56805647 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -46,7 +46,7 @@ profile packagekitd @{exec_path} { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member=SessionNew, + member={SessionNew,PrepareForShutdown}, dbus bind bus=system name=org.freedesktop.PackageKit, From 0cbcbb29a4cc8b2f281c153e06adb18085735405 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 21:42:25 +0100 Subject: [PATCH 049/165] feat(profiles): improve/update apt related profiles. --- apparmor.d/groups/apt/apt | 127 ++++++++++----------- apparmor.d/groups/apt/apt-cache | 13 ++- apparmor.d/groups/apt/apt-cdrom | 6 +- apparmor.d/groups/apt/apt-config | 5 +- apparmor.d/groups/apt/apt-extracttemplates | 13 ++- apparmor.d/groups/apt/apt-file | 7 +- apparmor.d/groups/apt/apt-forktracer | 18 +-- apparmor.d/groups/apt/dpkg-preconfigure | 6 +- apparmor.d/groups/apt/dpkg-query | 1 + apparmor.d/groups/apt/unattended-upgrade | 16 ++- 10 files changed, 113 insertions(+), 99 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 3301e999..848ae80d 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -70,79 +70,81 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/snap rPUx, /{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, - /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, - /{usr/,}lib/update-notifier/update-motd-updates-available rPx, - /usr/share/command-not-found/cnf-update-db rPx, + + # For building the source after the download process is finished (apt-get source --compile) + /{usr/,}bin/dpkg-buildpackage rPUx, # Methods to use to download packages from the net - /{usr/,}lib/apt/methods/* rPx, + /{usr/,}lib/apt/methods/* rPx, + + # Ubuntu specificities + /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, + /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, + /{usr/,}lib/update-notifier/update-motd-updates-available rPx, + /usr/share/command-not-found/cnf-update-db rPx, + + # For editing the sources.list file + /{usr/,}bin/sensible-editor rCx -> editor, + /{usr/,}bin/vim.* rCx -> editor, + + # For changelogs + /{usr/,}bin/sensible-pager rCx -> pager, + + /etc/apt/sources.list rwk, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, /var/lib/apt/extended_states{,.*} rw, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, /var/lib/apt/periodic/update-success-stamp rw, - - /var/log/apt/eipp.log.xz w, - /var/log/apt/{term,history}.log w, - - # For building the source after the download process is finished (apt-get source --compile) - /{usr/,}bin/dpkg-buildpackage rPUx, - - # For editing the sources.list file - /etc/apt/sources.list rwk, - /{usr/,}bin/sensible-editor rCx -> editor, - /{usr/,}bin/vim.* rCx -> editor, - - # For changelogs - /tmp/apt-changelog-*/ w, - owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, - /tmp/apt-changelog-*/*.changelog w, - /{usr/,}bin/sensible-pager rCx -> pager, - /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, + /var/lib/update-notifier/dpkg-run-stamp rw, + + /var/log/apt/{term,history}.log w, + /var/log/apt/eipp.log.xz w, + 
+ # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + + /tmp/ r, + /tmp/apt-changelog-*/ w, + /tmp/apt-changelog-*/*.changelog w, + owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, + owner /tmp/apt-dpkg-install-*/ rw, + owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, + owner /tmp/apt.conf.* rw, + owner /tmp/apt.data.* rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, /dev/ptmx rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /tmp/ r, - owner /tmp/apt.conf.* rw, - owner /tmp/apt.data.* rw, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, - - /var/cache/apt/ r, - /var/cache/apt/** rwk, - - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - @{run}/systemd/inhibit/[0-9]*.ref rw, profile editor flags=(complain) { include include - /{usr/,}bin/sensible-editor mr, - /{usr/,}bin/vim.* mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - - owner @{HOME}/.selected_editor r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sensible-editor mr, + /{usr/,}bin/vim.* mrix, + /{usr/,}bin/which{,.debianutils} rix, /usr/share/vim/{,**} r, - /etc/vim/{,**} r, - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, /etc/apt/sources.list rw, + /etc/vim/{,**} r, + + owner @{HOME}/.viminfo{,.tmp} rw, + owner @{HOME}/.selected_editor r, + owner @{HOME}/.fzf/plugin/ r, + owner @{HOME}/.fzf/plugin/fzf.vim r, } 
@@ -152,40 +154,37 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - /{usr/,}bin/ r, - /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/less rix, + /{usr/,}bin/sensible-pager mr, + /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/less rix, + /root/ r, # For shell pwd owner @{HOME}/.less* rw, owner /tmp/apt-changelog-*/ r, owner /tmp/apt-changelog-*/*.changelog r, - # For shell pwd - /root/ r, - } profile dpkg-source flags=(complain) { include - include include + include /{usr/,}bin/dpkg-source mr, /{usr/,}bin/perl r, - /{usr/,}bin/tar rix, /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/chmod rix, /{usr/,}bin/gunzip rix, /{usr/,}bin/gzip rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/patch rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/xz rix, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 5a47c906..d1205544 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,23 +10,23 @@ include @{exec_path} = /{usr/,}bin/apt-cache profile apt-cache @{exec_path} { include - include include + include @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/cache/apt/ r, /var/cache/apt/** rwk, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index 90e96c33..48c0f8af 100644 
--- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -9,8 +9,8 @@ include @{exec_path} = /{usr/,}bin/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include include + include capability dac_read_search, @@ -21,6 +21,8 @@ profile apt-cdrom @{exec_path} flags=(complain) { /{usr/,}bin/mount rCx -> mount, /{usr/,}bin/umount rCx -> umount, + /etc/fstab r, + # Are all of these needed? (#FIXME#) @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @@ -29,8 +31,6 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{sys}/devices/**/uevent r, @{run}/udev/data/* r, - /etc/fstab r, - # For cd-roms /media/cdrom[0-9]/ r, /media/cdrom[0-9]/**/ r, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index bd3d7df8..531b1f70 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +10,8 @@ include @{exec_path} = /{usr/,}bin/apt-config profile apt-config @{exec_path} { include - include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 49c8253e..d12e7816 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -16,15 +17,17 @@ profile apt-extracttemplates @{exec_path} { /{usr/,}bin/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/ r, - /var/cache/apt/ r, /var/cache/apt/** rwk, - owner /tmp/*.{config,template}.?????? rw, - # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + owner /tmp/*.{config,template}.?????? rw, + + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 215eb3a6..727e3f3c 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -25,13 +26,13 @@ profile apt-file @{exec_path} { /etc/apt/apt-file.conf r, - owner @{PROC}/@{pid}/fd/ r, - # For shell pwd /root/ r, # file_inherit /var/log/cron-apt/temp w, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 0641c9bc..c9061155 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +10,8 @@ include @{exec_path} = /{usr/,}bin/apt-forktracer profile apt-forktracer @{exec_path} { include - include include + include @{exec_path} mr, 
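Review bot: `owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` is a write to another package's log from apt-extracttemplates, which looks like an inherited file descriptor from unattended-upgrade rather than a file the tool opens itself; the repo marks such rules with a `# file_inherit` comment (see the dpkg-query hunk further down), so `# file_inherit` above the line would record why the write is granted. The same rule is added in the dpkg-preconfigure hunk and would benefit from the same comment. The `apt-extracttemplates` profile starts outside this hunk.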
@@ -19,21 +20,20 @@ profile apt-forktracer @{exec_path} { /{usr/,}bin/apt-cache rPx, /usr/share/apt-forktracer/{,**} r, + /usr/share/distro-info/debian.csv r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, /var/lib/apt/lists/ r, /var/lib/apt/lists/*_InRelease r, /var/cache/apt/pkgcache.bin{,.*} rw, - /usr/share/distro-info/debian.csv r, - - owner @{PROC}/@{pid}/fd/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - /etc/dpkg/origins/debian r, /etc/debian_version r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index bd958a39..586947e8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -35,6 +36,7 @@ profile dpkg-preconfigure @{exec_path} { owner /tmp/*.config.* rwPUx, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, + owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. include @@ -44,9 +46,7 @@ profile dpkg-preconfigure @{exec_path} { capability dac_read_search, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/hostname rix, - owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index 8cb2f05d..8a52dd1e 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -23,6 +23,7 @@ profile dpkg-query @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, + /dev/tty[0-9]* rw, include if exists } 
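Review bot: Both copies of `owner @{PROC}/@{pid}/mounts r,` are removed in the `@@ -44,9 +46,7 @@` hunk of dpkg-preconfigure (old 9 lines, new 7, no additions), so if the intent was only to drop the duplicate, the rule is now gone entirely and the debconf-frontend path that needed it will start being denied. Keep one `owner @{PROC}/@{pid}/mounts r,` unless the read is confirmed to be unnecessary. The enclosing subprofile starts and ends outside that hunk.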
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8f851253..fbc8821e 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -43,19 +43,25 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/gdbus rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/test rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/uname rix, + /{usr/,}{s,}bin/dpkg-preconfigure rPx, /{usr/,}{s,}bin/on_ac_power rPx, /{usr/,}{s,}bin/sendmail rPUx, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/dpkg rPx, /{usr/,}bin/etckeeper rPx, - /{usr/,}bin/ischroot rix, /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/uname rix, /{usr/,}lib/apt/methods/http{,s} rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, + /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/distro-info/* r, /usr/share/dpkg/*table r, @@ -93,5 +99,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, + /dev/ptmx rw, + include if exists } \ No newline at end of file From d998b1dd6efea869468ba210f2c585ee4dcefa24 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:04:12 +0100 Subject: [PATCH 050/165] feat(profiles): improve ubuntu compatibility. --- .../freedesktop/plymouth-set-default-theme | 2 ++ .../groups/freedesktop/xdg-document-portal | 4 ++++ apparmor.d/groups/freedesktop/xkbcomp | 2 ++ apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/freedesktop/xrdb | 1 + apparmor.d/groups/freedesktop/xwayland | 3 ++- apparmor.d/groups/gnome/gdm-x-session | 5 ++-- apparmor.d/groups/gnome/gnome-control-center | 24 +++++++++++++------ .../gnome/gnome-control-center-print-renderer | 2 ++ apparmor.d/groups/gnome/gnome-extension-ding | 13 +++++++--- apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/gnome/gnome-system-monitor | 5 ++++ apparmor.d/groups/gnome/tracker-extract | 9 +++++-- apparmor.d/groups/gvfs/gvfsd-fuse | 20 +++++++++------- apparmor.d/groups/ssh/sshd | 2 ++ .../groups/systemd/systemd-vconsole-setup | 6 +++-- apparmor.d/groups/ubuntu/apt-esm-hook | 2 ++ .../groups/ubuntu/check-new-release-gtk | 3 +++ .../groups/ubuntu/list-oem-metapackages | 5 ++++ .../groups/ubuntu/livepatch-notification | 2 ++ .../ubuntu/update-motd-updates-available | 2 ++ apparmor.d/groups/ubuntu/update-notifier | 2 ++ apparmor.d/profiles-a-f/anacron | 5 +++- apparmor.d/profiles-a-f/fwupdmgr | 2 ++ apparmor.d/profiles-m-r/mkinitramfs | 3 ++- apparmor.d/profiles-m-r/qemu-ga | 6 +++++ apparmor.d/profiles-s-z/spice-vdagent | 5 ++-- apparmor.d/profiles-s-z/umount | 3 +-- 29 files changed, 109 insertions(+), 34 deletions(-) diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index 17c2a2b8..b53b39fe 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme 
@@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} { /{usr/,}bin/grep rix, /{usr/,}bin/plymouth rPx, + /etc/plymouth/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 7c0c975d..ca2b2c3a 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -12,6 +12,8 @@ profile xdg-document-portal @{exec_path} { ptrace (read) peer=xdg-desktop-portal, + unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), + @{exec_path} mr, /{usr/,}bin/flatpak rCx -> flatpak, @@ -57,6 +59,8 @@ profile xdg-document-portal @{exec_path} { capability sys_admin, capability dac_read_search, + unix (send receive) type=stream peer=(label=xdg-document-portal), + # network inet stream, # network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index b4235da9..5143346a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -12,6 +12,8 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { include unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), + unix (send,receive) type=stream addr=none peer=(label=xwayland), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index cfd45274..ab5783ba 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -10,7 +10,7 @@ include @{exec_path} = /{usr/,}bin/X @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/Xorg{,.wrap} -@{exec_path} += /{usr/,}lib/xorg/Xorg +@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include include 
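Review bot: The new `unix (send,receive) type=stream addr=none peer=(label=xwayland),` in xkbcomp has no counterpart on the xwayland side: the xwayland hunk in this commit only adds `peer=(label=gnome-shell)`, and AppArmor mediates both ends of a labelled unix socket, so the xkbcomp/xwayland pairing is likely still denied by the xwayland profile (unless xwayland already carries that rule outside its hunk). Adding `unix (send,receive) type=stream addr=none peer=(label=xkbcomp),` to xwayland would complete the pair, as the gnome-shell hunk does for its side. The `xkbcomp` profile starts and ends outside this hunk.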
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 7f82aaa4..066d8a7c 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -18,6 +18,7 @@ profile xrdb @{exec_path} { /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix, /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix, /{usr/,}lib/llvm-[0-9]*/bin/clang rix, + /usr/include/stdc-predef.h r, /etc/X11/Xresources/x11-common r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index dd354cf8..eae9f065 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -19,7 +19,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, - unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index 7fafce5a..dfddfb6c 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -22,9 +22,10 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/Xorg rPx, /{usr/,}bin/dbus-run-session rPx, - /etc/gdm/Xsession rPx, + /etc/gdm{3,}/Xsession rPx, + /etc/gdm{3,}/Prime/Default rix, - /etc/gdm/custom.conf r, + /etc/gdm{3,}/custom.conf r, /usr/share/gdm/gdm.schemas r, /var/lib/gdm/.cache/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index a97fdf76..09233126 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -85,17 +85,24 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/bash rUx, - /{usr/,}bin/bwrap rPUx, - /{usr/,}bin/gcm-viewer rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/openvpn rPx, - /{usr/,}bin/passwd rPx, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + + /{usr/,}bin/gcm-viewer rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/sed rix, + @{libexec}/gnome-control-center-goa-helper rPx, @{libexec}/gnome-control-center-print-renderer rPx, + /{usr/,}bin/bwrap rPUx, + /{usr/,}bin/openvpn rPx, + /{usr/,}bin/passwd rPx, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, + /usr/share/language-tools/language2locale rix, - /usr/share/backgrounds/gnome/* r, + /snap/*/[0-9]*/*.png r, + /usr/share/backgrounds/{,**} r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-background-properties/{,**} r, @@ -106,6 +113,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/mime/{,**} r, /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, + /usr/share/ubuntu/applications/ r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, @@ -115,6 +123,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/snapd/desktop/icons/ r, owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -130,6 +139,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/sessions/ r, 
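Review bot: `/{usr/,}bin/{,b,d,rb}ash rUx,` and `/{usr/,}bin/{c,k,tc,z}sh rUx,` replace a single unconfined `bash` rule with every common shell run unconfined, so anything the control center can be made to execute through a shell leaves confinement entirely. If the shells are only needed for the helpers added in the same hunk (`grep`, `sed`, `language2locale`, all `rix`), a transition that keeps the shell confined (`rix`, or `rCx` into a small child profile) keeps that path mediated; if the unconfined exec is intentional, a comment naming the feature that needs it would help the next reader. The `gnome-control-center` profile starts and ends outside this hunk.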
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index ee7cddc9..43324261 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -32,6 +32,8 @@ profile gnome-control-center-print-renderer @{exec_path} { /var/lib/flatpak/exports/share/icons/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, + /var/lib/snapd/desktop/icons/{,**} r, + owner @{user_share_dirs}/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index fb129e7f..07a34d14 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -16,6 +16,8 @@ profile gnome-extension-ding @{exec_path} { include include + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={ListNames,ListActivatableNames}, @@ -34,15 +36,20 @@ profile gnome-extension-ding @{exec_path} { @{exec_path} mr, - /{usr/,}bin/env rix, - /{usr/,}bin/gjs-console rix, - /{usr/,}bin/nautilus rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/env rix, + /{usr/,}bin/gjs-console rix, + /{usr/,}bin/gnome-control-center rPx, + /{usr/,}bin/nautilus rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, /usr/share/thumbnailers/{,*.thumbnailer} r, + /usr/share/ubuntu/applications/{,**} r, /usr/share/X11/{,**} r, + /etc/gnome/defaults.list r, + /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 14ba09f8..0c245569 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
@@ -43,6 +43,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/keyring/ rw, owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, + @{run}/user/@{uid}/keyring/control r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 3a5e8228..01c68047 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -44,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (send), unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), + unix (send,receive) type=stream addr=none peer=(label=xkbcomp), dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,login[0-9].*}, @@ -118,6 +119,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx, /opt/*/**/*.png r, + /snap/*/@{uid}/*.png r, /usr/share/backgrounds/{,**} r, /usr/share/dconf/profile/gdm r, /usr/share/desktop-directories/{,*.directory} r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 47b27808..a24ecee8 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -31,9 +31,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-system-monitor/{,**} r, /usr/share/pixmaps/{,**} r, + /usr/share/ubuntu/applications/{,**} r, /etc/machine-id r, + /var/lib/snapd/desktop/icons/ r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/user/@{uid}/doc/ rw, 
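Review bot: `@{run}/user/@{uid}/keyring/control r,` is the only rule in this block without `owner`, and because `@{uid}` matches any user's runtime directory it lets the daemon read another user's keyring control file, which the existing `owner @{run}/user/@{uid}/keyring/* rw,` deliberately does not allow. Unless a cross-user read is actually required, write it as `owner @{run}/user/@{uid}/keyring/control r,` (which the existing owner rule already covers, so the line may be redundant). The `gnome-keyring-daemon` profile starts and ends outside this hunk.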
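Review bot: `/snap/*/@{uid}/*.png r,` in the gnome-shell hunk uses `@{uid}` in the path component that holds the snap revision number, whereas the gnome-control-center hunk in this commit spells the same path `/snap/*/[0-9]*/*.png r,`; a revision number rarely equals the user's uid, so this rule will seldom match. Use `/snap/*/[0-9]*/*.png r,` here for consistency. The `gnome-shell` profile starts and ends outside this hunk.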
@@ -50,10 +53,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @{PROC}/ r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/net/tcp{,6} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 24b5d340..f3fa89e5 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} { include include include + include network netlink raw, @@ -38,15 +39,18 @@ profile tracker-extract @{exec_path} { /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/snapd/desktop/applications/*.desktop r, + # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, - owner /tmp/tracker-extract-3-files.*/{,*} rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_share_dirs}/gvfs-metadata/** r, - + + owner /tmp/tracker-extract-3-files.*/{,*} rw, + owner @{run}/user/@{uid}/bus rw, @{run}/blkid/blkid.tab r, @@ -59,6 +63,7 @@ profile tracker-extract @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + /dev/dri/card[0-9]* rw, /dev/dri/renderD128 rw, /dev/media[0-9]* r, /dev/video[0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index d4a8184e..eff61925 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse 
@@ -13,37 +13,39 @@ profile gvfsd-fuse @{exec_path} { include include + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), + + mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + @{exec_path} mr, /{usr/,}bin/fusermount{,3} rCx -> fusermount, - mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, - @{PROC}/sys/fs/pipe-max-size r, - profile fusermount { include include - # To mount anything: - capability sys_admin, - capability dac_read_search, + capability sys_admin, # To mount anything - /{usr/,}bin/fusermount{,3} mr, + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, + /{usr/,}bin/fusermount{,3} mr, + /etc/fuse.conf r, /etc/machine-id r, - /dev/fuse rw, - @{PROC}/@{pid}/mounts r, + /dev/fuse rw, + } include if exists diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fb036f2e..85c83573 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -30,6 +30,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, capability dac_read_search, + capability fowner, capability kill, capability net_bind_service, capability setgid, @@ -86,6 +87,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/resolvconf/resolv.conf r, @{run}/systemd/notify w, @{run}/systemd/sessions/*.ref rw, + @{run}/faillock/[a-zA-z0-9]* rwk, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index a74fc276..06d46ab6 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup 
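Review bot: `@{run}/faillock/[a-zA-z0-9]* rwk,` contains the range `A-z`, which in a character class also spans the punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick); this is almost certainly meant to be `A-Z`, so the line should read `@{run}/faillock/[a-zA-Z0-9]* rwk,`. Separately, `capability fowner,` lets the process bypass file-owner checks on anything else the profile can reach, so a short comment naming the operation that needs it (as `# To mount anything` does for sys_admin in the gvfsd-fuse hunk) would make the grant reviewable. The `sshd` profile starts and ends outside this hunk.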
@@ -10,6 +10,7 @@ include profile systemd-vconsole-setup @{exec_path} { include include + include include capability sys_ptrace, @@ -18,10 +19,11 @@ profile systemd-vconsole-setup @{exec_path} { @{exec_path} mr, - /{usr/,}bin/loadkeys rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/loadkeys rix, / r, - /usr/share/kbd/keymaps/{,**} r, /etc/vconsole.conf r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 3492a1a8..5eff6c45 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -10,6 +10,7 @@ include profile apt-esm-hook @{exec_path} { include include + include @{exec_path} mr, @@ -17,6 +18,7 @@ profile apt-esm-hook @{exec_path} { /etc/machine-id r, + /var/cache/apt/pkgcache.bin.* rw, /var/lib/ubuntu-advantage/messages/{,**} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 079a6fa4..de44a851 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} { include include include + include include include include @@ -39,6 +40,8 @@ profile check-new-release-gtk @{exec_path} { /etc/update-manager/{,**} r, + /var/lib/update-manager/{,**} rw, + owner @{user_cache_dirs}/update-manager-core/{,**} rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index ec8706f8..d17f809c 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages 
@@ -18,9 +18,14 @@ profile list-oem-metapackages @{exec_path} { /{usr/,}bin/dpkg rPx, /{usr/,}bin/ischroot rix, + /etc/machine-id r, + + @{sys}/devices/ r, @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/filesystems r, include if exists diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index ece827ff..2b6c6da5 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -22,5 +22,7 @@ profile livepatch-notification @{exec_path} { owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, + @{run}/user/@{uid}/gdm/Xauthority r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index d31d1730..47e1ccf4 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -43,6 +43,8 @@ profile update-motd-updates-available @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, + /tmp/ r, + owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4ce92cf6..450b1ca7 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -10,8 +10,10 @@ include profile update-notifier @{exec_path} { include include + include include include + include include include include diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron index ed1e9635..73f0d81e 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/anacron profile anacron @{exec_path} { include + include @{exec_path} mr, 
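Review bot: `@{run}/user/@{uid}/gdm/Xauthority r,` in livepatch-notification lacks `owner`, so a process under this profile may read any user's X authority cookie because `@{uid}` matches every runtime directory; the gnome-control-center-print-renderer hunk in this commit writes the same rule as `owner @{run}/user/@{uid}/gdm/Xauthority r,`. Use the owner form here as well. The `livepatch-notification` profile starts outside this hunk.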
@@ -18,7 +19,9 @@ profile anacron @{exec_path} { / r, /etc/anacrontab r, - /var/spool/anacron/cron.* rw, + /var/spool/anacron/cron.* rwk, + + /tmp/file* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index c3adcd6e..57144bb0 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -31,6 +31,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/machine-id r, + owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 9685ea69..f8115614 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -97,8 +97,9 @@ profile mkinitramfs @{exec_path} { /{usr/,}bin/ldd mr, - /{usr/,}bin/kmod mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/kmod mr, + /{usr/,}lib/initramfs-tools/bin/* mr, /{usr/,}lib/@{multiarch}/ld-*.so* rix, /{usr/,}lib{,x}32/ld-*.so rix, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index db6ff8dd..c5072be2 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -10,8 +10,14 @@ include profile qemu-ga @{exec_path} { include + capability mknod, + capability net_admin, + capability sys_ptrace, + @{exec_path} mr, + /{usr/,}bin/systemctl rix, + /etc/qemu/qemu-ga.conf r, owner @{run}/qga.state* rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 6f9939d0..690023d7 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
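Review bot: `/tmp/file* rw,` grants a root daemon read/write on every `/tmp` entry beginning with `file` regardless of who created it, which is wide for a world-writable directory. If this is a temporary file anacron creates itself, `owner /tmp/file* rw,` limits it to files of the process's own uid, and a comment naming what produces the file would record why the pattern is so generic. The `anacron` profile starts outside this hunk.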
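Review bot: `capability mknod,`, `capability net_admin,` and `capability sys_ptrace,` are added to qemu-ga without a comment, and each is significant for an agent driven from outside the guest (device-node creation, network reconfiguration, reading other processes); the repo annotates such grants elsewhere, for example `capability sys_admin, # To mount anything` in the gvfsd-fuse hunk. A one-line comment per capability naming the agent command that needs it would make the grant reviewable. The `qemu-ga` profile ends outside this hunk.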
@@ -12,16 +12,15 @@ profile spice-vdagent @{exec_path} { include include include + include @{exec_path} mr, - /etc/machine-id r, /etc/pipewire/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, - @{run}/spice-vdagentd/spice-vdagent-sock rw, + @{run}/spice-vdagentd/spice-vdagent-sock rw, @{sys}/devices/pci[0-9]*/**/{device,vendor} r, diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index 89c238b5..b30fb5eb 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -11,6 +11,7 @@ include profile umount @{exec_path} flags=(complain) { include include + include include capability chown, @@ -44,8 +45,6 @@ profile umount @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mountinfo r, - @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r, - owner @{run}/mount/ rw, owner @{run}/mount/utab.lock wk, @{run}/mount/utab{,.*} rw, From 039b7ab2cbde0108d1bface3129d8f5db471d38e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:05:03 +0100 Subject: [PATCH 051/165] feat(profiles): update polkit-mate-authentication-agent. --- .../polkit-mate-authentication-agent | 32 ++++++++----------- 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 38ee6a3b..687664b4 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -9,14 +10,15 @@ include @{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9] profile polkit-mate-authentication-agent @{exec_path} { include - include - include - include - include - include + include include include + include + include + include + include include + include signal (send) set=(term, kill) peer=polkit-agent-helper, @@ -24,25 +26,19 @@ profile polkit-mate-authentication-agent @{exec_path} { /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/X11/xkb/** r, /var/lib/dbus/machine-id r, /etc/machine-id r, owner @{HOME}/.Xauthority r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - /usr/share/X11/xkb/** r, - - # file_inherit owner /dev/tty[0-9]* rw, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } From 10148786d2e8a0a71e0ce45cffa9e4c868fcc88c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:08:33 +0100 Subject: [PATCH 052/165] feat(profiles): add some freedesktop related profiles. --- .../groups/freedesktop/desktop-file-install | 16 +++++++++++++++ .../groups/freedesktop/xdg-desktop-icon | 16 +++++++++++++++ .../freedesktop/xdg-user-dirs-gtk-update | 20 +++++++++++++++++++ apparmor.d/profiles-a-f/cracklib-packer | 16 +++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/desktop-file-install create mode 100644 apparmor.d/groups/freedesktop/xdg-desktop-icon create mode 100644 apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update create mode 100644 apparmor.d/profiles-a-f/cracklib-packer 
diff --git a/apparmor.d/groups/freedesktop/desktop-file-install b/apparmor.d/groups/freedesktop/desktop-file-install new file mode 100644 index 00000000..d5903645 --- /dev/null +++ b/apparmor.d/groups/freedesktop/desktop-file-install @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/desktop-file-install +profile desktop-file-install @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon new file mode 100644 index 00000000..a069396d --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/xdg-desktop-icon +profile xdg-desktop-icon @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update new file mode 100644 index 00000000..04af0cba --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/xdg-user-dirs-gtk-update +profile xdg-user-dirs-gtk-update @{exec_path} { + include + include + + @{exec_path} mr, + + owner @{user_config_dirs}/user-dirs.dirs r, + owner @{user_config_dirs}/user-dirs.locale r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer new file mode 100644 index 00000000..8ef3e295 --- /dev/null 
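Review bot: The new desktop-file-install profile grants nothing beyond `@{exec_path} mr,` and one include whose target has been lost in this rendering, yet it is not marked `flags=(complain)`; a tool that presumably has to write into applications directories will be denied on its first access in enforce mode. Either add the needed file rules now or stage it as `profile desktop-file-install @{exec_path} flags=(complain) {` until the accesses have been collected from the audit log. The same skeleton shape is used for xdg-desktop-icon in this commit and for cracklib-packer and nologin in the next one, and the same question applies to each.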
+++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/cracklib-packer +profile cracklib-packer @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file From 7c2e92ba03eb4711af78f5d2eb53d1793665ba5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:09:23 +0100 Subject: [PATCH 053/165] feat(profiles): add nologin. --- apparmor.d/profiles-m-r/nologin | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 apparmor.d/profiles-m-r/nologin diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin new file mode 100644 index 00000000..252f9054 --- /dev/null +++ b/apparmor.d/profiles-m-r/nologin @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/nologin +profile nologin @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file From f71c0e41f8978c9f3487f9738b1b70e9a362872b Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:13:17 +0100 Subject: [PATCH 054/165] feat(profiles): minor improvments. --- apparmor.d/abstractions/X-strict | 3 ++ apparmor.d/abstractions/ibus.d/complete | 4 ++ apparmor.d/abstractions/python.d/complete | 6 ++- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/freedesktop/colord-sane | 2 + .../freedesktop/update-desktop-database | 13 +++-- apparmor.d/groups/network/nm-dispatcher | 16 +++++- apparmor.d/groups/pacman/mkinitcpio | 1 + apparmor.d/groups/systemd/systemd-analyze | 51 +++++++++---------- apparmor.d/groups/systemd/systemd-coredump | 4 +- apparmor.d/profiles-g-l/hugo | 2 + apparmor.d/profiles-m-r/mount | 30 ++++++----- apparmor.d/profiles-s-z/sudo | 2 + 13 files changed, 85 insertions(+), 51 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index e92e59f7..7294daab 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -9,7 +9,10 @@ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", + unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", /tmp/.X11-unix/* rw, + /tmp/.ICE-unix/* rw, # Available Xsessions /usr/share/xsessions/{,*.desktop} r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 24f187ac..77ac0f29 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -16,3 +16,7 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*"), + + unix (connect, send, receive, accept, bind, listen) + type=stream + addr="@/home/*/.cache/ibus/dbus-*", diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index bef2e478..22e5a9bc 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete 
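Review bot: The two added `unix type=stream addr=...` rules in the X-strict hunk carry no access list, and an AppArmor unix rule without access keywords permits every access, including `bind`, `listen` and `accept`, on `@/tmp/.X11-unix/X[0-9]*` and `@/tmp/.ICE-unix/[0-9]*`; since X-strict is the client-side abstraction, that lets any confined X client claim the abstract-namespace address a display or ICE server would use. The context line kept just above shows the intended shape, `unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),`; if a client genuinely needs a local address there, restrict the new lines to the accesses observed in the log and say so in a comment. `/tmp/.ICE-unix/* rw,` for the filesystem socket is fine as written.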
@@ -1,8 +1,10 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + /{usr/,}bin/ r, + /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r, /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 21def9d2..f222d87c 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/cron +@{exec_path} = /{usr/,}{s,}bin/cron profile cron @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index 465b88a1..f395bb11 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -14,6 +14,8 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { include include + network inet dgram, + network inet6 dgram, network netlink raw, dbus (send,receive) bus=system path=/org/freedesktop/ColorManager diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 0ccc239e..b994cc28 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database 
@@ -24,12 +24,15 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { /usr/share/*/*.desktop r, - /var/lib/flatpak/exports/share/applications/{,**/} r, - /var/lib/flatpak/exports/share/applications/**.desktop r, - /var/lib/flatpak/exports/share/applications/.mimeinfo.cache.* rw, - /var/lib/flatpak/exports/share/applications/mimeinfo.cache w, + /var/lib/flatpak/{app/**,}exports/share/applications/{,**/} r, + /var/lib/flatpak/{app/**,}exports/share/applications/**.desktop r, + /var/lib/flatpak/{app/**,}exports/share/applications/.mimeinfo.cache.* rw, + /var/lib/flatpak/{app/**,}exports/share/applications/mimeinfo.cache w, - /var/lib/flatpak/app/**/export/share/applications/**.desktop r, + /var/lib/snapd/desktop/applications/{,**/} r, + /var/lib/snapd/desktop/applications/**.desktop r, + /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, + /var/lib/snapd/desktop/applications/mimeinfo.cache w, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 8945157e..0ca67990 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -7,14 +7,28 @@ abi , include @{exec_path} = /{usr/,}lib/nm-dispatcher +@{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher profile nm-dispatcher @{exec_path} { include + include capability sys_nice, + dbus receive bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher, + + dbus bind bus=system + name=org.freedesktop.nm_dispatcher, + @{exec_path} mr, - /etc/NetworkManager/dispatcher.d/{,**} r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/run-parts rPx, + + /etc/NetworkManager/dispatcher.d/ r, + /etc/NetworkManager/dispatcher.d/** rix, + + @{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 644d7408..050fdd2c 100644 --- a/apparmor.d/groups/pacman/mkinitcpio 
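Review bot: `/etc/NetworkManager/dispatcher.d/** rix,` in the nm-dispatcher hunk executes every administrator-supplied dispatcher script inside the nm-dispatcher profile, together with the `/{usr/,}bin/{,ba,da}sh rix,` added above it, so everything those arbitrary scripts touch must be enumerated here or they will fail in enforce mode; the adjacent `/{usr/,}bin/run-parts rPx,` takes the other route and transitions out. A comment recording that `rix` is deliberate, or a dedicated child profile for the scripts, would make the choice reviewable. Minor: `@{run}/systemd/notify rw,` here versus `@{run}/systemd/notify w,` in the sshd profile earlier in the series — one of the two is wider than needed.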
+++ b/apparmor.d/groups/pacman/mkinitcpio @@ -70,6 +70,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/vconsole.conf r, /usr/share/kbd/keymaps/{,**} r, + /usr/share/plymouth/*.png r, /usr/share/plymouth/plymouthd.defaults r, /usr/share/plymouth/themes/{,**} r, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index a070b1e8..271a3eb3 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze 
@@ -28,38 +28,35 @@ profile systemd-analyze @{exec_path} { /{usr/,}bin/more rPx -> child-pager, /{usr/,}bin/man rPx, + /usr/ r, + /{usr/,}lib/systemd/** r, + + /etc/default/locale r, + /etc/locale.conf r, + /etc/systemd/** r, + + owner /tmp/systemd-temporary-*/ rw, + + @{run}/systemd/system/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/udev/data/* r, + @{run}/udev/tags/systemd/ r, + + @{sys}/devices/**/uevent r, + @{sys}/firmware/acpi/tables/FPDT r, + @{sys}/fs/cgroup/{,**} r, + @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, + @{sys}/fs/cgroup/unified/**/init.scope/ rw, + @{sys}/module/**/uevent r, + + @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/comm r, @{PROC}/swaps r, - # For systemd-analyze cat-config - /etc/systemd/** r, - /{usr/,}lib/systemd/** r, - - @{sys}/fs/cgroup/{,**} r, - @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, - @{sys}/fs/cgroup/unified/**/init.scope/ rw, - @{sys}/firmware/acpi/tables/FPDT r, - - @{sys}/module/**/uevent r, - @{sys}/devices/**/uevent r, - @{run}/udev/data/* r, - - @{run}/udev/tags/systemd/ r, - @{run}/systemd/system/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - - owner /tmp/systemd-temporary-*/ rw, - - /usr/ r, - - /etc/default/locale r, - /etc/locale.conf r, - - @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, - /dev/tty rw, /dev/pts/1 rw, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index c095b7e1..b37d8f5d 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -22,6 +22,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_ptrace, + mount -> /, + @{exec_path} mr, /{usr/,}bin/* r, 
@@ -30,8 +32,6 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { /opt/** r, / r, - mount -> /, - /etc/systemd/coredump.conf r, /var/lib/systemd/coredump/ r, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 2be0f5ac..ba25cd0c 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -16,6 +16,8 @@ profile hugo @{exec_path} { @{exec_path} mr, + /{usr/,}bin/git rPx, + /usr/share/mime/{,**} r, /etc/mime.types r, diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index de172000..9bb767dc 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -29,10 +30,14 @@ profile mount @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/ntfs-3g rPx, /{usr/,}{s,}bin/lowntfs-3g rPx, - /{usr/,}bin/sshfs rPx, /{usr/,}{s,}bin/mount.* rPx, + /{usr/,}bin/ntfs-3g rPx, + /{usr/,}bin/sshfs rPx, + + /etc/fstab r, + + /var/lib/snapd/snaps/*.snap r, # Mount points @{HOME}/ r, 
@@ -49,19 +54,18 @@ profile mount @{exec_path} flags=(complain) { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - # The special /dev/loop-control file can be used to create and destroy loop devices or to find - # the first available loop device. - /dev/loop-control rw, - - /etc/fstab r, - - /tmp/sanity-squashfs-[0-9]* rw, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{run}/mount/ rw, owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, + /tmp/sanity-squashfs-[0-9]* rw, + /tmp/syscheck-squashfs-[0-9]* rw, + + owner @{PROC}/@{pid}/mountinfo r, + + # The special /dev/loop-control file can be used to create and destroy loop + # devices or to find the first available loop device. + /dev/loop-control rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 94697309..d1877ade 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -37,6 +37,8 @@ profile sudo @{exec_path} { @{exec_path} mr, + /run/ r, + @{libexec}/sudo/** mr, /{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{c,k,tc,z}sh rUx, From 391131aad1839e792d331b23e44b6a2e9971cddf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:14:11 +0100 Subject: [PATCH 055/165] feat(profiles): update pkexec. --- apparmor.d/profiles-m-r/pkexec | 38 +++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 4cb39fce..18ac7aa7 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
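Review bot: `/run/ r,` in the sudo hunk hard-codes the path where every neighbouring rule in this series uses the tunable (`@{run}/mount/`, `@{run}/systemd/inhibit/` and so on); write it `@{run}/ r,` so the rule follows the tunable if it is ever redefined. sudo's profile body continues outside the hunk.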
@@ -17,24 +18,34 @@ profile pkexec @{exec_path} flags=(complain) { signal (send) set=(term, kill) peer=polkit-agent-helper, - capability sys_ptrace, capability audit_write, capability dac_read_search, - - # gdbus - capability setgid, - # gmain - capability setuid, - - # Needed? - deny capability sys_nice, + capability setgid, # gdbus + capability setuid, # gmain + capability sys_ptrace, + audit deny capability sys_nice, ptrace (read), network netlink raw, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={EnumerateActions,CheckAuthorization}, + @{exec_path} mr, + # Apps to be run via pkexec + /{usr/,}{s,}bin/* rPUx, + /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) + /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + /{usr/,}lib/update-notifier/package-system-locked rPx, + /usr/share/apport/apport-gtk rPx, + /etc/shells r, /etc/environment r, /etc/default/locale r, @@ -43,13 +54,6 @@ profile pkexec @{exec_path} flags=(complain) { @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/fd/ r, - # Apps to be run via pkexec - /{usr/,}{s,}bin/* rPUx, - /{usr/,}bin/* rPUx, - /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/update-notifier/package-system-locked rPx, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, From 939363a9a78187d21fdee6589e57a0cb87d3dea4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:14:29 +0100 Subject: [PATCH 056/165] feat(profiles): add mdevctl. --- apparmor.d/profiles-m-r/mdevctl | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mdevctl diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl new file mode 100644 index 00000000..e0e87a50 
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mdevctl
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/mdevctl
+profile mdevctl @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/mdevctl.d/{,**} r,
+
+ @{PROC}/@{pids}/maps r,
+
+ @{sys}/bus/mdev/devices/ r,
+ @{sys}/class/mdev_bus/ r,
+ @{sys}/devices/pci[0-9]*/**/mdev_supported_types/{,**} r,
+
+ include if exists
+}
\ No newline at end of file
From 2c6843f5fe8df736fc4fc59fb4129f3a5a3f32bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:15:13 +0100 Subject: [PATCH 057/165] feat(profiles): add audit related profiles. --- apparmor.d/profiles-a-f/auditctl | 20 ++++++++++++++++++++ apparmor.d/profiles-a-f/augenrules | 25 +++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 apparmor.d/profiles-a-f/auditctl create mode 100644 apparmor.d/profiles-a-f/augenrules
diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl
new file mode 100644
index 00000000..b1f1fec8
--- /dev/null
+++ b/apparmor.d/profiles-a-f/auditctl
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/auditctl
+profile auditctl @{exec_path} {
+ include
+
+ capability audit_control,
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
new file mode 100644
index 00000000..f7356dd0
--- /dev/null
+++ b/apparmor.d/profiles-a-f/augenrules
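Review bot: `@{PROC}/@{pids}/maps r,` in the new mdevctl profile allows reading the memory map of any process, while every other rule in the file is tightly scoped to /etc/mdevctl.d and the mdev sysfs entries. If, as seems likely for a single-purpose tool, it only ever reads its own map, the narrower form is `owner @{PROC}/@{pid}/maps r,`; if it really inspects other processes, a comment naming which ones would justify the wide rule.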
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/augenrules
+profile augenrules @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/auditctl rPx,
+
+ owner /tmp/aurules.* rw,
+
+ /dev/tty rw,
+
+ include if exists
+}
\ No newline at end of file
From 20303f53e3a57347bd1c68a05e404a074b4dfbed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:16:25 +0100 Subject: [PATCH 058/165] feat(profiles): add the XDG_SCREENSHOTS_DIR variable. --- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/tunables/xdg-user-dirs | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 01c68047..23adf357 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -167,6 +167,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
 owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
 owner @{user_config_dirs}/.goutputstream{,*} rw,
 owner @{user_config_dirs}/monitors.xml{,~} rwl,
diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs
index 5a58657e..f7ef793a 100644
--- a/apparmor.d/tunables/xdg-user-dirs
+++ b/apparmor.d/tunables/xdg-user-dirs
@@ -23,7 +23,9 @@
 # Extra user personal directories
 @{XDG_PROJECTS_DIR}="Projects"
 @{XDG_BOOKS_DIR}="Books"
-@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
+@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"
+@{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots"
+
 @{XDG_SYNC_DIR}="Sync"
 @{XDG_VM_DIR}=".vm"
From 8487f5475a563847a9b4cbf1e4459d3e2c679ebd Mon Sep 17 00:00:00 2001
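Review bot: The new augenrules profile has no rule for the audit rule files themselves, although the tool's documented job is to merge the rule fragments into the compiled rules file, and the `/{usr/,}bin/auditctl rPx,` it transitions to only loads what it is handed. Unless the second include (its target was lost in this rendering) supplies them, add a read on the fragments directory and a write on the generated file, along the lines of `/etc/audit/rules.d/{,*.rules} r,` and `/etc/audit/audit.rules rw,`, confirming the paths against the packaged script first. `owner /tmp/aurules.* rw,` is correctly owner-qualified and is the pattern the anacron and mount hunks earlier in this series should follow.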
From: Alexandre Pujol Date: Mon, 13 Jun 2022 22:18:17 +0100 Subject: [PATCH 059/165] feat(profiles): update ubuntu advantage profiles. --- apparmor.d/groups/ubuntu/apport-gtk | 72 +++++++++++++++---- .../groups/ubuntu/package-system-locked | 1 + apparmor.d/groups/ubuntu/update-manager | 49 +++++++++++-- 3 files changed, 103 insertions(+), 19 deletions(-) diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index bf2eb41d..2f64f26c 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk 
@@ -10,27 +10,45 @@ include profile apport-gtk @{exec_path} { include include + include + include + include + include include + include + include capability sys_ptrace, @{exec_path} mr, - /{usr/,}{s,}bin/killall5 rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/apt-cache rPx, - /{usr/,}bin/cut rix, - /{usr/,}bin/dpkg rPx, - /{usr/,}bin/gdb rCx -> gdb, - /{usr/,}bin/grep rix, - /{usr/,}bin/gsettings rPx, - /{usr/,}bin/journalctl rPx, - /{usr/,}bin/kmod rPx, - /{usr/,}bin/ldd rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/md5sum rix, + /{usr/,}{s,}bin/killall5 rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{f,}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/ldd rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}lib/@{multiarch}/ld*.so* rix, + /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/pkexec rPx, # TODO: rCx or something + /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg-divert rPx, + /{usr/,}bin/gdb rCx -> gdb, + /{usr/,}bin/gsettings rPx, + /{usr/,}bin/journalctl rPx, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/systemctl rPx -> child-systemctl, + /usr/share/alsa/{,**} r, + /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/themes/{,**} r, + /usr/share/X11/xkb/{,**} r, /etc/apport/blacklist.d/apport r, /etc/apport/blacklist.d/README.blacklist r, 
@@ -40,19 +58,45 @@ profile apport-gtk @{exec_path} { /etc/default/apport r, /etc/init.d/apport r, /etc/logrotate.d/apport r, + /etc/xdg/autostart/*.desktop r, + /var/crash/{,*.@{uid}.crash} r, + /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, + + /tmp/[a-z0-9]* rw, + /tmp/apport_core_* rw, + /tmp/launchpadlib.cache.[a-z0-9]*/ w, + /tmp/tmp[a-z0-9]*/{,**} rw, + owner @{PROC}/@{pid}/cgroup r, @{PROC}/ r, - @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, + @{PROC}/modules r, + @{PROC}/version_signature r, profile gdb { include + include + include + /{usr/,}bin/gdb mr, + + /{usr/,}bin/iconv rix, + /{usr/,}{s,}bin/* r, + + /usr/share/gdb/{,**} r, + + /etc/gdb/{,**} r, + + /tmp/apport_core_* r, + + @{PROC}/@{pids}/fd/ r, } diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 705eb72d..5ad67ae7 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -26,6 +26,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/unix r, + owner @{PROC}/@{pid}/stat r, @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/maps r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 869866f3..3a947ef9 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -7,14 +7,44 @@ abi , include @{exec_path} = /{usr/,}bin/update-manager -profile update-manager @{exec_path} { +profile update-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include include - include include + include include - include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*} + interface={org.debian{,.apt},org.freedesktop.DBus.{Introspectable,Properties}} + member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=StartServiceByName, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, @{exec_path} mr, @@ -28,7 +58,9 @@ profile update-manager @{exec_path} { /usr/share/applications/{,**} r, /usr/share/distro-info/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, + /usr/share/pixmaps/{,*} r, /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, /usr/share/X11/{,**} r, 
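Review bot: The five `dbus send` rules added to update-manager name a path, interface and member but no `peer=(name=...)`, so any system-bus service exposing those object paths is an accepted destination; the `/org/debian/apt{,/transaction/*}` rule in particular authorises `CommitPackages` and `Run`. Adding the well-known name of the intended peer to each rule, e.g. `peer=(name=org.freedesktop.UPower)` on the UPower rule, ties the grant to the service it was written for. The four `network` lines carry no comment on which feature needs raw TCP in a GUI updater; a short note would help when the profile is next tightened.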
@@ -36,12 +68,19 @@ profile update-manager @{exec_path} { /etc/machine-id r, /etc/update-manager/{,**} r, + /boot/ r, + + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/updates/ r, + /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, + /var/lib/snapd/desktop/icons/{,*} r, /var/lib/update-manager/{,**} rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + + @{run}/systemd/inhibit/*.ref w, owner @{PROC}/@{pid}/fd/ r, From cc78bedddaff3a658f50efe88e425c18d9f483c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:03:46 +0100 Subject: [PATCH 060/165] feat(profiles): disks add support for zfs. --- apparmor.d/abstractions/disks-read | 29 ++++++++++++---------------- apparmor.d/abstractions/disks-write | 30 ++++++++++++++--------------- 2 files changed, 27 insertions(+), 32 deletions(-) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 09cca718..146a45be 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -38,6 +38,11 @@ @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, + # ZFS devices + /dev/zd[0-9]* rk, + @{sys}/devices/virtual/block/zd[0-9]*/ r, + @{sys}/devices/virtual/block/zd[0-9]*/** r, + # ZRAM devices /dev/zram[0-9]* rk, @{sys}/devices/virtual/block/zram[0-9]*/ r, 
@@ -81,27 +86,17 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b252:[0-9]* r, + @{run}/udev/data/b253:[0-9]* r, @{run}/udev/data/b259:[0-9]* r, + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* + @{run}/udev/data/b230:[0-9]* r, # /dev/zvol* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* - @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* + @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b8:[0-9]* r, # 
for /dev/sd* @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ec836de5..e72a8906 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -39,6 +39,11 @@ @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, + # ZFS devices + /dev/zd[0-9]* rwk, + @{sys}/devices/virtual/block/zd[0-9]*/ r, + @{sys}/devices/virtual/block/zd[0-9]*/** r, + # ZRAM devices /dev/zram[0-9]* rwk, @{sys}/devices/virtual/block/zram[0-9]*/ r, 
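Review bot: The rewritten dynamic-major rules in the disks-read hunk contradict the comment kept just above them: the comment says the whole 240-254 block-device range is allowed on purpose, but the new lines keep only `b252` and `b253` and express the range as character devices (`c24[0-9]`, `c25[0-4]`). Block majors assigned elsewhere in that range (device-mapper commonly lands on 254) would lose their udev-data read, and no `c` entries in that range were covered before, so this looks like a transposed letter; the two range lines should read `@{run}/udev/data/b24[0-9]:[0-9]* r,` and `@{run}/udev/data/b25[0-4]:[0-9]* r,`, after which the separate `b252`/`b253` lines are redundant. The disks-write hunk below repeats the identical lines and needs the same fix. Minor: `# /dev/zvol*` breaks the `# for /dev/...` comment style used on the neighbouring lines.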
@@ -63,22 +68,17 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices - @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b252:[0-9]* r, + @{run}/udev/data/b253:[0-9]* r, @{run}/udev/data/b259:[0-9]* r, + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, + + @{run}/udev/data/b230:[0-9]* r, # /dev/zvol* + @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* + @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* + @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* @{run}/udev/data/b11:[0-9]* 
r, # for /dev/sr* From 9d81f5e88fa7c8ba2ba3cd8338d9664aeb3a135b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:06:34 +0100 Subject: [PATCH 061/165] feat(profiles): reorganise the cron & run-parts profiles. --- apparmor.d/groups/cron/cron | 95 ++++----------------- apparmor.d/groups/cron/cron-anacron | 19 +++++ apparmor.d/groups/cron/cron-apport | 22 +++++ apparmor.d/profiles-m-r/run-parts | 126 ++++++++++++++++++++++------ 4 files changed, 157 insertions(+), 105 deletions(-) create mode 100644 apparmor.d/groups/cron/cron-anacron create mode 100644 apparmor.d/groups/cron/cron-apport diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index f222d87c..3c77eca7 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -10,14 +10,15 @@ include @{exec_path} = /{usr/,}{s,}bin/cron profile cron @{exec_path} { include - include + include include + include include - capability setuid, - capability setgid, - capability dac_read_search, capability audit_write, + capability dac_read_search, + capability setgid, + capability setuid, capability sys_resource, network netlink raw, 
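Review bot: After this hunk the disks-write abstraction lists `@{run}/udev/data/b179:[0-9]* r,` and `@{run}/udev/data/b11:[0-9]* r,` twice: both are added in the new block and the original context lines carrying the same rules are left in place right below it. Duplicate rules are accepted by the parser but hide the intended grouping and will drift apart on the next edit; drop the two trailing context lines so the list matches the counterpart hunk above. The stale range comment raised on that hunk applies here too.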
@@ -26,36 +27,21 @@ profile cron @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/nice rix, + /{usr/,}bin/ionice rix, + /{usr/,}bin/run-parts rPx, - /etc/crontab r, - - # All stuff that is executed via the /etc/cron.d/ dir - /etc/cron.d/{,*} r, - /{usr/,}sbin/cron-apt rPx, - /{usr/,}bin/debsecan rPx, /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - /{usr/,}sbin/e2scrub_all rPUx, - /etc/cron.daily/popularity-contest rPx, /{usr/,}lib/sysstat/debian-sa1 rPUx, - /{usr/,}{s,}bin/sendmail rPUx, - - # All stuff that is executed via the user crontab files - /{usr/,}bin/apt-file rPx, - /{usr/,}bin/apt-key rPx, - /{usr/,}bin/rsync rPUx, /usr/share/rsync/scripts/rrsync rPUx, - /{usr/,}bin/gpg rPx, - /{usr/,}sbin/update-pciids rPx, - /{usr/,}bin/borg rPx, + /usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY - # Cron scripts in the /etc/cron.*/ dir to execute - /{usr/,}bin/run-parts rCx -> run-parts, - - # Send results using email - /{usr/,}sbin/exim4 rPx, + /etc/cron.d/{,*} r, + /etc/crontab r, + /etc/default/locale r, + /etc/environment r, + /etc/security/limits.d/{,**} r, /var/spool/cron/crontabs/{,*} r, 
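Review bot: `/usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY` is a site-specific rule whose own comment says it must not be committed, and it grants an unconfined fallback (`PUx`) to a path outside this project's scope. Remove it from the shared profile and carry it in the `include if exists` local override the profile already ends with. Separately, the exec rules for `/etc/cron.d` jobs (cron-apt, debsecan, sendmail, exim4, apt-file, rsync, ...) are removed with no replacement visible in this hunk, so those jobs will be denied unless they are covered elsewhere; if they now run through `/{usr/,}bin/run-parts rPx,` or another profile, a one-line comment pointing there would make the reorganisation reviewable.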
@@ -66,56 +52,7 @@ profile cron @{exec_path} { owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw, - - /etc/environment r, - - /etc/default/locale r, - - @{PROC}/1/limits r, - /etc/security/limits.d/ r, - - profile run-parts { - include - - /{usr/,}bin/run-parts mr, - - /etc/cron.{hourly,daily,weekly,monthly}/ r, - /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx, - /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, - /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx, - /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx, - /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, - /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, - /etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/man-db rPx, - /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, - /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, - /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx, - /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, - /etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx, - - #/etc/cron.{hourly,daily,weekly,monthly}/opera-browser rPUx, - #/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable} rPUx, - #/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx, - #/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} 
rPUx, - #/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx, - - # file_inherit - owner /tmp/#[0-9]*[0-9] rw, - - include if exists - } + @{PROC}/1/limits r, include if exists } diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron new file mode 100644 index 00000000..f4aa8d12 --- /dev/null +++ b/apparmor.d/groups/cron/cron-anacron @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/0anacron +profile cron-anacron @{exec_path} { + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{s,}bin/anacron rPx, + + include if exists +} diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport new file mode 100644 index 00000000..387fa938 --- /dev/null +++ b/apparmor.d/groups/cron/cron-apport @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apport +profile cron-apport @{exec_path} { + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/find rix, + + / r, + /var/crash/ r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index ee622d5a..f3a048c4 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts 
@@ -14,59 +14,130 @@ profile run-parts @{exec_path} { @{exec_path} mr, - # This is for motd PAM module (see: /etc/pam.d/login) when "noupdate" isn't specified + # Crontrab + /etc/cron.{hourly,daily,weekly,monthly}/ r, + /etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apport rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx, + /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, + /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, + /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, + /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, + /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx, + /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx, + /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/man-db rPx, + /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, + /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, + /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx, + + # Network + /etc/network/if-down.d/ r, + /etc/network/if-down.d/openvpn rPUx, + /etc/network/if-down.d/resolvconf rPUx, + /etc/network/if-down.d/wpasupplicant rPUx, + + /etc/hostapd/ifupdown.sh rPUx, + /etc/macchanger/ifupdown.sh rPUx, + /etc/wpa_supplicant/ifupdown.sh rPUx, + + 
/etc/network/if-post-down.d/ r, + /etc/network/if-post-down.d/bridge rPUx, + /etc/network/if-post-down.d/chrony rPUx, + /etc/network/if-post-down.d/hostapd rPUx, + /etc/network/if-post-down.d/ifenslave rPUx, + /etc/network/if-post-down.d/macchanger rPUx, + /etc/network/if-post-down.d/wireless-tools rPUx, + /etc/network/if-post-down.d/wpasupplicant rPUx, + + /etc/network/if-pre-up.d/ r, + /etc/network/if-pre-up.d/bridge rPUx, + /etc/network/if-pre-up.d/ethtool rPUx, + /etc/network/if-pre-up.d/hostapd rPUx, + /etc/network/if-pre-up.d/ifenslave rPUx, + /etc/network/if-pre-up.d/macchanger rPUx, + /etc/network/if-pre-up.d/random-secret rPUx, + /etc/network/if-pre-up.d/wireless-tools rPUx, + /etc/network/if-pre-up.d/wpasupplicant rPUx, + + /etc/network/if-up.d/ r, + /etc/network/if-up.d/*resolvconf rPUx, + /etc/network/if-up.d/avahi-autoipd rPUx, + /etc/network/if-up.d/chrony rPUx, + /etc/network/if-up.d/ethtool rPUx, + /etc/network/if-up.d/ifenslave rPUx, + /etc/network/if-up.d/openvpn rPUx, + /etc/network/if-up.d/wpasupplicant rPUx, + + # Motd /etc/update-motd.d/ r, /etc/update-motd.d/[0-9]*-[a-z]* rCx -> motd, - # The "/etc/kernel/" dirs are for the pre/post scripts of the linux-{header,image} packages + # Kernel /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel-pre-post, + /etc/kernel/header_postinst.d/dkms rCx -> kernel, /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel-pre-post, - /etc/kernel/postinst.d/dkms rCx -> kernel-pre-post, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel-pre-post, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel-pre-post, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel-pre-post, + /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, + /etc/kernel/postinst.d/dkms rCx -> kernel, + /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, + /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, + /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, 
/etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel-pre-post, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel-pre-post, + /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, + /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel-pre-post, + /etc/kernel/preinst.d/intel-microcode rCx -> kernel, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel-pre-post, - - /etc/molly-guard/run.d/ r, - /etc/cron.hourly/ r, + /etc/kernel/prerm.d/dkms rCx -> kernel, owner /tmp/#[0-9]*[0-9] rw, - + owner /tmp/file* rw, profile motd { include - / r, - /etc/update-motd.d/[0-9]*-[a-z]* r, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/find rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/id rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, + /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd rPx, + /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx, + /{usr/,}lib/update-notifier/update-motd-reboot-required rix, /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + / r, + /etc/lsb-release r, + /etc/update-motd.d/[0-9]*-[a-z]* r, + + /var/lib/update-notifier/updates-available r, + } - profile kernel-pre-post { + profile kernel { include include - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/cat rix, 
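Review bot: `owner /tmp/file* rw,` grants read/write on every owner-matched `/tmp/file*` path, which is much wider than the `owner /tmp/#[0-9]*[0-9] rw,` file_inherit rule beside it, and nothing in the hunk says which script produces these files. Add a comment naming the producer, `# file_inherit from [script] - TODO confirm`, or tighten the glob to the actual name pattern once known. The new `# Network` section hands every ifupdown hook `rPUx`, including the glob `/etc/network/if-up.d/*resolvconf rPUx,`; because `PUx` falls back to unconfined when no profile exists, a short comment stating that these hooks are knowingly left unconfined until dedicated profiles exist would document the accepted exposure. The run-parts profile header and the `kernel` sub-profile body continue outside this hunk.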
@@ -85,17 +156,20 @@ profile run-parts @{exec_path} { /{usr/,}bin/uname rix, /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}{s,}bin/dkms rPx, + /{usr/,}{s,}bin/update-grub rPUx, + /{usr/,}{s,}bin/update-initramfs rPx, /{usr/,}bin/apt-config rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/systemd-detect-virt rPx, /{usr/,}lib/dkms/dkms_autoinstaller rPx, - /{usr/,}sbin/dkms rPx, - /{usr/,}sbin/update-grub rPUx, - /{usr/,}sbin/update-initramfs rPx, /{usr/,}lib/modules/*/updates/ w, /{usr/,}lib/modules/*/updates/dkms/ w, + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + # For shell pwd / r, /boot/ r, From fb61f8ebfff7754042124679849a2e3d9b115835 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:07:35 +0100 Subject: [PATCH 062/165] feat(profiles): add language-validate. --- apparmor.d/groups/freedesktop/accounts-daemon | 2 ++ apparmor.d/profiles-g-l/language-validate | 26 +++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/profiles-g-l/language-validate diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 77416964..8c49c484 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -57,6 +57,8 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/language-tools/language-validate rPx, + /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate new file mode 100644 index 00000000..3c878be3 --- /dev/null +++ b/apparmor.d/profiles-g-l/language-validate 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/language-tools/language-validate +profile language-validate @{exec_path} { + include + + capability setgid, + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, + /usr/share/language-tools/language-options rix, + + /usr/share/locale-langpack/{,*} r, + /usr/share/language-tools/{,*} r, + + include if exists +} \ No newline at end of file From a792c4cb4eb1cee268d3d40bb3f5a3d677900c05 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:09:50 +0100 Subject: [PATCH 063/165] feat(profiles): add some missing ubuntu profiles. --- apparmor.d/groups/ubuntu/apt-esm-json-hook | 16 +++++++ apparmor.d/groups/ubuntu/release-upgrade-motd | 21 +++++++++ .../groups/ubuntu/update-motd-fsck-at-reboot | 46 +++++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/apt-esm-json-hook create mode 100644 apparmor.d/groups/ubuntu/release-upgrade-motd create mode 100644 apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook new file mode 100644 index 00000000..31af9923 --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook +profile apt-esm-json-hook @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd new file mode 100644 index 00000000..e47fbf14 --- /dev/null +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd 
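Review bot: `capability setgid,` is granted to language-validate without a comment, and nothing else in the profile (a shell script that runs `grep`, `locale` and `language-options`) shows why a shell helper would need to change its group id; since accounts-daemon launches it via `rPx`, this capability is a real privilege boundary. Either document the operation that needs it, `capability setgid, # TODO confirm: which step needs this`, or drop it and check whether a denial actually appears when the script runs under the profile. The file also ends without a trailing newline.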
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd +profile release-upgrade-motd @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/date rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/stat rix, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot new file mode 100644 index 00000000..8a443243 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot +profile update-motd-fsck-at-reboot @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}{s,}bin/dumpe2fs rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{m,}awk rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/date rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mount rCx -> mount, + /{usr/,}bin/stat rix, + + /var/lib/update-notifier/fsck-at-reboot rw, + + @{PROC}/uptime r, + + profile mount { + include + + /{usr/,}bin/mount mr, + + @{run}/mount/utab r, + + @{sys}/devices/virtual/block/**/ r, + @{sys}/devices/virtual/block/**/autoclear r, + @{sys}/devices/virtual/block/**/backing_file r, + + @{PROC}/@{pid}/mountinfo r, + + } + + include if exists +} \ No newline at end of file From 9ccda2a0a5831ffc8394792c47ed7df79e0f7be5 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:11:46 +0100 Subject: [PATCH 064/165] feat(profiles): initial version of mount.zfs --- apparmor.d/profiles-m-r/mount-zfs | 35 +++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mount-zfs diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs new file mode 100644 index 00000000..00c7c193 --- /dev/null +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/mount.zfs +profile mount-zfs @{exec_path} flags=(complain) { + include + include + + capability sys_admin, # To mount anything. + + @{exec_path} mr, + + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + + mount fstype=zfs -> @{MOUNTDIRS}/, + mount fstype=zfs -> @{MOUNTS}/, + mount fstype=zfs -> @{MOUNTS}/*/, + mount fstype=zfs -> /, + mount fstype=zfs -> /*/, + + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount /, + umount /*/, + + include if exists +} From 10de7941b0800254028d10ce61821c31c5271603 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:12:38 +0100 Subject: [PATCH 065/165] feat(profiles): add fprintd. --- apparmor.d/profiles-a-f/fprintd | 48 +++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 apparmor.d/profiles-a-f/fprintd diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd new file mode 100644 index 00000000..8d32411c --- /dev/null +++ b/apparmor.d/profiles-a-f/fprintd 
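Review bot: `mount fstype=zfs -> /,` and `mount fstype=zfs -> /*/,` together with the unqualified `umount /,` and `umount /*/,` let mount.zfs, which also holds `capability sys_admin,`, mount over the root directory and any top-level directory and unmount them, far wider than the `@{MOUNTDIRS}` and `@{MOUNTS}` targets listed just above. If zfs datasets legitimately use arbitrary top-level mountpoints, say so in a comment such as `# zfs datasets may be mounted at any top-level path, including /`, otherwise restrict the rules to the mountpoints actually observed. The profile is in `flags=(complain)`, so nothing is enforced yet, which makes this the right moment to narrow the rules before the flag is removed.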
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{libexec}/fprintd +profile fprintd @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability sys_nice, + + network netlink raw, + + dbus receive bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member={GetDefaultDevice,GetDevices}, + + dbus receive bus=system path=/net/reactivated/Fprint/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit + peer=(name=org.freedesktop.login[0-9]), + + dbus bind bus=system + name=net.reactivated.Fprint, + + @{exec_path} mr, + + /etc/fprintd.conf r, + + @{run}/systemd/journal/socket rw, + @{run}/systemd/inhibit/*.ref w, + + include if exists +} \ No newline at end of file From 454456a8446ec81ce85ef71d00b5adfbc71cfdea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:17:41 +0100 Subject: [PATCH 066/165] style(profiles): better header for the abstractions. --- apparmor.d/abstractions/X.d/complete | 2 +- apparmor.d/abstractions/audio.d/complete | 4 ++-- apparmor.d/abstractions/freedesktop.org.d/complete | 4 ++-- apparmor.d/abstractions/ibus.d/complete | 4 ++-- apparmor.d/abstractions/libvirt-lxc | 6 ++++-- apparmor.d/abstractions/libvirt-qemu | 9 ++++++--- apparmor.d/abstractions/wayland.d/complete | 4 ++-- 7 files changed, 19 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/X.d/complete b/apparmor.d/abstractions/X.d/complete index f3777e71..19f4b967 100644 --- a/apparmor.d/abstractions/X.d/complete +++ b/apparmor.d/abstractions/X.d/complete 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Available Xsessions diff --git a/apparmor.d/abstractions/audio.d/complete b/apparmor.d/abstractions/audio.d/complete index e05e79b8..251063f6 100644 --- a/apparmor.d/abstractions/audio.d/complete +++ b/apparmor.d/abstractions/audio.d/complete @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /usr/share/sounds/ r, diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 77a045e6..b580e611 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only owner @{HOME}/.icons/default/index.theme r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 77ac0f29..103ac89a 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # abstract path in ibus < 1.5.22 uses /tmp diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc index 5549fb8c..f925ac27 100644 --- a/apparmor.d/abstractions/libvirt-lxc 
+++ b/apparmor.d/abstractions/libvirt-lxc @@ -3,7 +3,9 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # allow receiving signals from libvirtd + include + + # Allow receiving signals from libvirtd signal (receive) peer=libvirtd, umount, @@ -119,4 +121,4 @@ deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, - include if exists + include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index d238fc24..26acd605 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -1,8 +1,12 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) Libvirt Team -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + include + include + include + # required for reading disk images capability dac_override, capability dac_read_search, @@ -251,5 +255,4 @@ owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, - # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 2d5c3dea..43bb91c9 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only owner @{run}/user/@{uid}/wayland-[0-9]* rw, From 08bb1b44a68cea634c38ca32b64be5008b58944c Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:25:45 +0100 Subject: [PATCH 067/165] style(profiles): small rules improvment. --- .../groups/freedesktop/xdg-desktop-portal | 4 +++ apparmor.d/groups/gnome/gnome-shell | 4 +-- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/nm-dispatcher | 4 +++ apparmor.d/groups/ssh/sshd | 3 +- apparmor.d/groups/systemd/journalctl | 31 +++++++++---------- apparmor.d/groups/systemd/systemd-makefs | 7 ++--- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/profiles-a-f/fsck | 2 +- apparmor.d/profiles-m-r/needrestart | 3 +- apparmor.d/profiles-s-z/switcheroo-control | 3 +- 11 files changed, 35 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 3741b43b..1570e6b3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -38,6 +38,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.NetworkManager member={StateChanged,CheckPermissions}, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 23adf357..fd6fbd6a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -45,6 +45,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), + unix (send,receive) type=stream addr=none peer=(label=xwayland), dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,login[0-9].*}, 
@@ -83,8 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager} - member={RegisterSession,Get,GetAll,OpenReauthenticationChannel} - peer=(name=org.gnome.DisplayManager), + member={RegisterSession,Get,GetAll,OpenReauthenticationChannel}, dbus send bus=system path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 6c5778a2..9132ee3c 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -37,7 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={UserNew,SessionNew,PrepareForShutdown}, + member={UserNew,SessionNew,PrepareForShutdown,SeatNew}, dbus bind bus=system name=org.freedesktop.ModemManager[0-9], diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 0ca67990..11dfdf16 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -14,6 +14,10 @@ profile nm-dispatcher @{exec_path} { capability sys_nice, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName}, + dbus receive bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 85c83573..ab522ceb 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd 
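Review bot: Dropping `peer=(name=org.gnome.DisplayManager)` from the `dbus send` rule for `/org/gnome/DisplayManager/Manager` widens it from one well-known destination to any peer on the system bus exposing that path, and the members include `RegisterSession` and `OpenReauthenticationChannel`, the display manager's session-registration and reauthentication entry points. If the name match failed because the daemon answers under a unique connection name, the usual fix is to pin the peer by profile instead, e.g. `peer=(label=gdm)`, confirming the actual label of the display-manager profile in this repository, rather than removing the constraint. Failing that, a comment explaining why the peer is left unrestricted is the minimum.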
@@ -68,8 +68,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /etc/default/locale r, /etc/environment r, /etc/gss/mech.d/{,*} r, - /etc/security/limits.d/ r, + /etc/issue.net r, /etc/motd r, + /etc/security/limits.d/{,*.conf} r, /etc/ssh/ssh_host_* r, /etc/ssh/sshd_config r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 43d1890e..1768c1af 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -27,24 +27,23 @@ profile journalctl @{exec_path} { /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, - - @{run}/host/container-manager r, - - # For --setup-keys and --verify - owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, - owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, - owner /var/tmp/#[0-9]* rw, + /var/lib/dbus/machine-id r, + /etc/machine-id r, /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/[0-9a-f]*/ r, + /{run,var}/log/journal/[0-9a-f]*/system.journal* r, + /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, + /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, + owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, + owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, + owner /var/tmp/#[0-9]* rw, + + @{run}/host/container-manager r, + @{run}/systemd/journal/io.systemd.journal rw, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 01962a1d..dd6751c7 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-makefs profile systemd-makefs @{exec_path} { include + include + include capability net_admin, capability sys_resource, 
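Review bot: The `# For --setup-keys and --verify` comment that explained the `owner .../fss wl -> ...fss.tmp.*`, `owner .../fss.tmp.* rw,` and `owner /var/tmp/#[0-9]* rw,` rules is dropped while the rules themselves are kept and moved, so a reader now has to guess why journalctl needs write and link access under the journal directory. Re-add it above the moved trio: `# For --setup-keys and --verify`. The rest of the journalctl profile lies outside this hunk.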
@@ -18,10 +20,5 @@ profile systemd-makefs @{exec_path} { /{usr/,}{s,}bin/mkswap rPx, /{usr/,}bin/mkfs.* rPx, - @{sys}/devices/virtual/block/zram[0-9]*/ r, - @{sys}/devices/virtual/block/zram[0-9]*/** r, - - /dev/zram[0-9]* rwk, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 0a6a24fc..52a4981c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -50,7 +50,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { /{usr/,}{s,}bin/* rPUx, /{usr,/}lib/pm-utils/power.d/* rPUx, - /{usr,/}lib/snapd/snap-device-helper rPx, # TODO: but later + /{usr,/}lib/snapd/snap-device-helper rPx, /{usr/,}lib/crda/* rPUx, /{usr/,}lib/gdm-runtime-config rPx, /{usr/,}lib/systemd/systemd-* rPx, diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index 7d5adbfa..45a4c76a 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -33,7 +33,7 @@ profile fsck @{exec_path} { owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/mount/utab r, - @{run}/systemd/fsck.progress w, + @{run}/systemd/fsck.progress rw, @{PROC}/@{pids}/mountinfo r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 33176766..0eaa5148 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -41,8 +41,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /etc/debconf.conf r, /etc/needrestart/{,**} r, - /etc/needrestart/hook.d/* rix, - /etc/needrestart/restart.d/* rix, + /etc/needrestart/*.d/* rix, /etc/shadow r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 8bd1539a..7aef7a99 100644 
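Review bot: The re-emitted snap-device-helper line keeps the `/{usr,/}lib/` brace group, whose alternatives expand to `/usrlib/...` and `//lib/...`, while the crda, gdm-runtime-config and systemd-* lines just below use `/{usr/,}lib/`. Unless the parser folds the doubled slash, the rule will not match the helper's real path and the `rPx` transition never applies; worth confirming against the audit log. Suggested: `/{usr/,}lib/snapd/snap-device-helper rPx,`. The pm-utils context line above has the same spelling but is not touched by this commit.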
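Review bot: The merged `/etc/needrestart/*.d/* rix` rule executes scripts from any `*.d` directory under /etc/needrestart rather than only `hook.d` and `restart.d`, and `ix` runs them inside this profile, which per the `/etc/shadow r` context line can read the shadow file. If only the two existing directories are meant, `/etc/needrestart/{hook,restart}.d/* rix,` keeps the grant explicit while still collapsing the two lines; otherwise a short comment stating that every `*.d` directory under /etc/needrestart is a hook location would document the wider grant. The profile body continues outside the hunk.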
--- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -35,7 +35,8 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, - @{sys}/devices/pci[0-9]*/**/drm/**/uevent r, + @{sys}/devices/pci[0-9]*/**/boot_vga r, + @{sys}/devices/pci[0-9]*/**/uevent r, include if exists } \ No newline at end of file From aea0b5d1d9726076889e8cba7f9ddbb0a12c1dee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:38:09 +0100 Subject: [PATCH 068/165] build: update flags definitions. --- dists/flags/debian.flags | 2 +- dists/flags/main.flags | 50 ++++++++++++++++++++++++++++++++-------- dists/flags/ubuntu.flags | 18 ++++++++++++++- 3 files changed, 59 insertions(+), 11 deletions(-) diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index 095eda15..b659675b 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags @@ -17,5 +17,5 @@ dpkg-vendor complain ifup complain macchanger complain run-parts complain -unattended-upgrade complain +unattended-upgrade attach_disconnected,complain unattended-upgrade-shutdown attach_disconnected,complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 26409e02..0e115545 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -3,10 +3,12 @@ acpid attach_disconnected,complain agetty complain -apport-checkreports complain +anacron complain atd complain auditctl complain auditd attach_disconnected,complain +augenrules complain +busctl complain cfdisk complain cgdisk complain cockpit-askpass complain @@ -28,6 +30,7 @@ fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain flatpak-session-helper complain +fprintd attach_disconnected,complain fsck-ext4 complain fuse-overlayfs complain fusermount complain 
@@ -40,12 +43,24 @@ glib-compile-resources complain glib-genmarshal complain glib-gettextize complain glib-mkenums complain +gnome-control-center attach_disconnected,complain +gnome-control-center-goa-helper complain gnome-disk-image-mounter complain gnome-disks complain gnome-music complain gnome-photos-thumbnailer complain +gnome-remote-desktop-daemon complain +gnome-session complain +gnome-session-custom-session complain +gnome-session-inhibit complain +gnome-session-quit complain gnome-shell attach_disconnected,complain +gnome-shell-extension-prefs complain +gnome-shell-extension-tool complain gnome-shell-hotplug-sniffer complain +gnome-shell-perf-helper complain +gnome-shell-perf-tool complain +gnome-shell-portal-helper complain gnome-system-monitor attach_disconnected,complain gnome-terminal-server complain gnome-tweak-tool-lid-inhibitor complain @@ -55,6 +70,7 @@ gsd-media-keys attach_disconnected,complain gsd-print-notifications attach_disconnected,complain gsd-printer attach_disconnected,complain gvfsd-dav complain +homectl complain hostnamectl complain ibus-engine-table complain ibus-memconf complain 
@@ -67,33 +83,42 @@ last complain lastlog complain libvirt-dbus complain libvirtd attach_disconnected,complain -livepatch-notification complain locale-gen complain localectl complain login complain +loginctl complain +lvmpolld complain +machinectl complain man complain +mdevctl complain mke2fs complain +ModemManager attach_disconnected,complain molly-guard complain mount complain nautilus complain needrestart attach_disconnected,complain needrestart-iucode-scan-versions complain +networkd-dispatcher complain nfsdcld complain nft complain nmap complain nullmailer-send complain oomctl complain -package-system-locked attach_disconnected,complain -packagekitd complain pass complain pass-import complain +pinentry complain +pinentry-curses complain +pinentry-gnome3 complain pinentry-gtk-2 complain pkttyagent complain plymouth complain plymouth-set-default-theme complain podman attach_disconnected,complain power-profiles-daemon attach_disconnected,complain +prime-switch complain qemu-ga complain +qrencode complain +repo complain resolvconf complain run-parts complain runuser complain @@ -101,14 +126,17 @@ s3fs complain scrcpy complain sftp-server complain slirp4netns attach_disconnected,complain +snap-device-helper complain spice-vdagent complain -spice-vdagentd complain +spice-vdagentd attach_disconnected,complain +splunkforwarder complain +ss complain ssh complain sshd attach_disconnected,complain su complain sudo complain sulogin complain -switcheroo-control complain +switcheroo-control attach_disconnected,complain swtpm complain swtpm_ioctl complain swtpm_localca complain @@ -132,6 +160,7 @@ systemd-growfs complain systemd-hibernate-resume complain systemd-homed complain systemd-homework complain +systemd-hostnamed attach_disconnected,complain systemd-hwdb attach_disconnected,complain systemd-id128 complain systemd-import complain 
@@ -141,7 +170,8 @@ systemd-inhibit systemd-journal-gatewayd complain systemd-journal-remote complain systemd-journal-upload complain -systemd-logind complain +systemd-localed attach_disconnected,complain +systemd-logind attach_disconnected,complain systemd-machine-id-setup complain systemd-machined complain systemd-makefs complain @@ -152,6 +182,8 @@ systemd-notify complain systemd-oomd attach_disconnected,complain systemd-path complain systemd-portabled complain +systemd-pstore complain +systemd-pull complain systemd-quotacheck complain systemd-random-seed complain systemd-remount-fs complain @@ -167,6 +199,7 @@ systemd-stdio-bridge complain systemd-sulogin-shell complain systemd-sysext complain systemd-time-wait-sync complain +systemd-timedated attach_disconnected,complain systemd-tty-ask-password-agent complain systemd-update-done complain systemd-update-utmp complain @@ -180,8 +213,6 @@ systemd-xdg-autostart-generator complain tailscaled complain timedatectl complain tracker-extract complain -ubuntu-advantage-notification complain -ubuntu-report complain udisksctl complain udisksd attach_disconnected,complain umount complain @@ -189,6 +220,7 @@ umount.udisks2 complain uptimed complain userdbctl complain virt-manager attach_disconnected,complain +virtiofsd complain virtlockd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index d196607b..0bcf03fd 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags 
@@ -1 +1,17 @@ -aa-status complain +apport-checkreports complain +apport-gtk complain +apt-esm-hook complain +apt-esm-json-hook complain +check-new-release-gtk complain +hwe-support-status complain +list-oem-metapackages complain +livepatch-notification complain +package-system-locked attach_disconnected,complain +packagekitd complain +release-upgrade-motd complain +ubuntu-advantage-notification complain +ubuntu-report complain +update-manager attach_disconnected,complain +update-motd-fsck-at-reboot complain +update-motd-updates-available complain +update-notifier complain From 32e36b0c4a22e2b9c5e6add1e16bd12c7df10a30 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:39:04 +0100 Subject: [PATCH 069/165] build: compatibility for debian. --- configure | 10 ++++------ dists/debian/tunables/etc | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 6 deletions(-) create mode 100644 dists/debian/tunables/etc diff --git a/configure b/configure index 09aa5957..913517bf 100755 --- a/configure +++ b/configure @@ -5,7 +5,7 @@ set -eu -DISTRIBUTION="$(lsb_release --id --short)" +DISTRIBUTION="${DIST:-$(lsb_release --id --short)}" readonly DISTRIBUTION="${DISTRIBUTION,,}" readonly ROOT=.build @@ -63,15 +63,13 @@ configure() { ;; - debian|ubuntu) - if [[ "$DISTRIBUTION" == "debian" ]]; then - _msg "$DISTRIBUTION does not have etc tunable." - sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global" - + debian|ubuntu|whonix) + if [[ "$DISTRIBUTION" != "ubuntu" ]]; then _msg "$DISTRIBUTION does not support abi 3.0 yet." find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \; cp -a dists/debian/abstractions/* $ROOT/apparmor.d/abstractions + cp -a dists/debian/tunables/* $ROOT/apparmor.d/tunables fi _msg "Configure libexec." diff --git a/dists/debian/tunables/etc b/dists/debian/tunables/etc new file mode 100644 index 00000000..8cfbdd40 --- /dev/null +++ b/dists/debian/tunables/etc 
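Review bot: The new `${DIST:-...}` override is accepted without validation and, after the lower-casing on the next line, becomes the readonly `DISTRIBUTION` that drives the `case` further down (outside this hunk), so a mistyped `DIST` silently selects whichever branch that case falls into. A comment above the assignment, `# Set DIST in the environment to override lsb_release detection`, would document the new knob, and the usage text should mention it as well; if the case has no erroring default branch, one is worth adding so an unknown value fails loudly.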
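Review bot: The added `cp -a dists/debian/tunables/* $ROOT/apparmor.d/tunables` expands `$ROOT` unquoted, as the abstractions line above it already does; `ROOT` is a readonly constant so this is a style point, but under `set -eu` quoting every expansion keeps the script uniform: `cp -a dists/debian/tunables/* "$ROOT/apparmor.d/tunables"`. The condition also flips from `== "debian"` to `!= "ubuntu"` while `whonix` joins the case label, so the new whonix branch now takes the no-abi-3.0 path too; if that is deliberate, a comment such as `# Debian-based distributions other than Ubuntu do not support abi 3.0 yet` above the `if` would make the intent explicit.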
@@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{etc_ro} contains a space-separated list of the system configuration directories. +# Traditionally this means /etc/, but when using a read-only / filesystem and/or +# with the goal of having only user-modified config files in /etc/, directories +# like /usr/etc/ get introduced for storing the default config. + +# @{etc_ro} contains read-only directories with configuration files. +# Do not use @{etc_ro} in rules that allow write access. +@{etc_ro}=/etc/ /usr/etc/ + +# @{etc_rw} contains directories where writing to configuration files is allowed. +@{etc_rw}=/etc/ + +# Also, include files in tunables/etc.d/ for site-specific adjustments to +# @{etc_ro} and @{etc_rw}. +include if exists \ No newline at end of file From 55c0827c2a4325eb67438edac2f6e30912be7ddf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:40:25 +0100 Subject: [PATCH 070/165] chore: better profile ignore definition. --- dists/ignore/arch.ignore | 3 +++ dists/ignore/debian.ignore | 5 ++++- dists/ignore/ubuntu.ignore | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/dists/ignore/arch.ignore b/dists/ignore/arch.ignore index 0a76aee4..0556b95d 100644 --- a/dists/ignore/arch.ignore +++ b/dists/ignore/arch.ignore @@ -1,4 +1,7 @@ +# Debian specific definition apparmor.d/abstractions/apt-common apparmor.d/groups/apt apparmor.d/groups/cron + +# Ubuntu specific definition apparmor.d/groups/ubuntu diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index 7cd8fefc..83ecb1d0 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore 
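Review bot: The new tunables file ends without a trailing newline (the `\ No newline at end of file` marker after the final `include if exists` line); adding one avoids a noisy diff on the next edit and matches the rest of the tree. The header keeps the upstream block-comment licence text rather than this repository's `# apparmor.d - Full set of apparmor profiles` / `# SPDX-License-Identifier:` header; since the content is copied from upstream AppArmor the Christian Boltz copyright should stay, but a `# Source:` line naming the upstream origin, as the libvirtd profile later in this series does, would record where it came from.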
@@ -1,4 +1,7 @@ +# Archlinux specific apparmor.d/groups/pacman -apparmor.d/groups/ubuntu root/usr/share/libalpm +# Ubuntu specific definition +apparmor.d/groups/ubuntu + diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 8aa6d326..9cafc675 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -1,2 +1,3 @@ +# Archlinux specific apparmor.d/groups/pacman root/usr/share/libalpm From d93879d9dfc9e3748d4329d0e83a3f31a8ab63d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 20:14:32 +0100 Subject: [PATCH 071/165] chore: move some cron profiles. --- apparmor.d/groups/{apt => cron}/cron-apt | 0 apparmor.d/groups/{apt => cron}/cron-apt-compat | 0 apparmor.d/groups/{apt => cron}/cron-apt-listbugs | 0 apparmor.d/groups/{apt => cron}/cron-apt-show-versions | 0 apparmor.d/groups/{apt => cron}/cron-apt-xapian-index | 0 apparmor.d/groups/{apt => cron}/cron-aptitude | 0 apparmor.d/groups/{apt => cron}/cron-debsums | 0 apparmor.d/groups/{apt => cron}/cron-debtags | 0 apparmor.d/groups/{apt => cron}/cron-popularity-contest | 0 9 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{apt => cron}/cron-apt (100%) rename apparmor.d/groups/{apt => cron}/cron-apt-compat (100%) rename apparmor.d/groups/{apt => cron}/cron-apt-listbugs (100%) rename apparmor.d/groups/{apt => cron}/cron-apt-show-versions (100%) rename apparmor.d/groups/{apt => cron}/cron-apt-xapian-index (100%) rename apparmor.d/groups/{apt => cron}/cron-aptitude (100%) rename apparmor.d/groups/{apt => cron}/cron-debsums (100%) rename apparmor.d/groups/{apt => cron}/cron-debtags (100%) rename apparmor.d/groups/{apt => cron}/cron-popularity-contest (100%) diff --git a/apparmor.d/groups/apt/cron-apt b/apparmor.d/groups/cron/cron-apt similarity index 100% rename from apparmor.d/groups/apt/cron-apt rename to apparmor.d/groups/cron/cron-apt 
diff --git a/apparmor.d/groups/apt/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat similarity index 100% rename from apparmor.d/groups/apt/cron-apt-compat rename to apparmor.d/groups/cron/cron-apt-compat diff --git a/apparmor.d/groups/apt/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs similarity index 100% rename from apparmor.d/groups/apt/cron-apt-listbugs rename to apparmor.d/groups/cron/cron-apt-listbugs diff --git a/apparmor.d/groups/apt/cron-apt-show-versions b/apparmor.d/groups/cron/cron-apt-show-versions similarity index 100% rename from apparmor.d/groups/apt/cron-apt-show-versions rename to apparmor.d/groups/cron/cron-apt-show-versions diff --git a/apparmor.d/groups/apt/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index similarity index 100% rename from apparmor.d/groups/apt/cron-apt-xapian-index rename to apparmor.d/groups/cron/cron-apt-xapian-index diff --git a/apparmor.d/groups/apt/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude similarity index 100% rename from apparmor.d/groups/apt/cron-aptitude rename to apparmor.d/groups/cron/cron-aptitude diff --git a/apparmor.d/groups/apt/cron-debsums b/apparmor.d/groups/cron/cron-debsums similarity index 100% rename from apparmor.d/groups/apt/cron-debsums rename to apparmor.d/groups/cron/cron-debsums diff --git a/apparmor.d/groups/apt/cron-debtags b/apparmor.d/groups/cron/cron-debtags similarity index 100% rename from apparmor.d/groups/apt/cron-debtags rename to apparmor.d/groups/cron/cron-debtags diff --git a/apparmor.d/groups/apt/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest similarity index 100% rename from apparmor.d/groups/apt/cron-popularity-contest rename to apparmor.d/groups/cron/cron-popularity-contest From 393e339b4807f69cca03a660ed0e5d0147356410 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 14 Jun 2022 22:54:26 +0100 Subject: [PATCH 072/165] feat(profiles): apply rule from #51. --- apparmor.d/groups/systemd/systemd-journald | 4 +++- apparmor.d/groups/systemd/systemd-makefs | 2 +- apparmor.d/profiles-m-r/mount-zfs | 4 ++++ apparmor.d/profiles-m-r/run-parts | 1 + apparmor.d/profiles-s-z/sudo | 7 ++++++- apparmor.d/profiles-s-z/switcheroo-control | 1 + apparmor.d/profiles-s-z/udisksd | 1 + 7 files changed, 17 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 0a9df102..26efae51 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -47,14 +47,16 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform* r, @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+sdio:* r, @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, - @{run}/udev/data/+sdio:* r, + @{run}/udev/data/c1:[0-9]* r, @{run}/udev/data/c10:224 r, # for /dev/tpm0 @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c23[0-9]:[0-9]* r, @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c4:[0-9]* r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index dd6751c7..2144f299 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-makefs profile systemd-makefs @{exec_path} { include - include + include include capability net_admin, diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 00c7c193..c79af21c 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs 
@@ -31,5 +31,9 @@ profile mount-zfs @{exec_path} flags=(complain) { umount /, umount /*/, + @{PROC}/@{pids}/mounts r, + + /dev/zfs rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index f3a048c4..4254d9bb 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -79,6 +79,7 @@ profile run-parts @{exec_path} { /etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/openvpn rPUx, + /etc/network/if-up.d/postfix rPUx, /etc/network/if-up.d/wpasupplicant rPUx, # Motd diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index d1877ade..1460d0f0 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -13,6 +13,7 @@ profile sudo @{exec_path} { include include include + include include include # include @@ -32,9 +33,13 @@ profile sudo @{exec_path} { ptrace (read), - # signal, signal (send) set=(cont,hup) peer=su, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=CreateSession + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mr, /run/ r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 7aef7a99..bb1cfc9e 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -29,6 +29,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{run}/udev/data/+drm:* r, + @{run}/udev/data/+pci:* r, @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 74304f9a..552227bc 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -14,6 +14,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { include include include + include capability chown, capability dac_override, 
From 56afb90084a47f1bce2f83a4f118df32fe1e9127 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Jun 2022 21:56:09 +0100 Subject: [PATCH 073/165] fix(profiles): fix some abstraction definitions. --- .../abstractions/dbus-session-strict.d/complete | 4 +++- apparmor.d/abstractions/disks-read | 8 +++----- apparmor.d/abstractions/disks-write | 17 +++++------------ 3 files changed, 11 insertions(+), 18 deletions(-) diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete index 8578e7d2..1dc40e4c 100644 --- a/apparmor.d/abstractions/dbus-session-strict.d/complete +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -2,7 +2,9 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - unix (bind, listen) type=stream addr="@/tmp/dbus-*", + unix (connect, send, receive, accept) + type=stream + addr="@/tmp/dbus-*", unix (connect, receive, send, accept) type=stream diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 146a45be..97bae8b7 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -86,15 +86,13 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - @{run}/udev/data/b252:[0-9]* r, - @{run}/udev/data/b253:[0-9]* r, + @{run}/udev/data/b24[0-9]:[0-9]* r, + @{run}/udev/data/b25[0-4]:[0-9]* r, @{run}/udev/data/b259:[0-9]* r, - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/b230:[0-9]* r, # /dev/zvol* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* + @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol* @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* 
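Review bot: In an AppArmor unix rule `addr=` is the local socket address and `peer=(addr=...)` the remote one, so the replacement rule `unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*"` describes a socket that this process itself named `@/tmp/dbus-*`, not a client connecting to the session bus. Dropping the old `(bind, listen)` grant is the right tightening, but the new rule does not express the client case. The following rule, cut off at the end of the hunk, already carries the same permission set and presumably a `peer=(addr=...)`; if so the added rule is redundant and can be removed, otherwise it should read `peer=(addr="@/tmp/dbus-*")`.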
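Review bot: Besides widening the block-device range to `b24[0-9]`/`b25[0-4]` as the comment above describes, the hunk also drops the `c24[0-9]:`/`c25[0-4]:` character-device udev data lines, which the commit message does not mention; any profile that relied on disks-read for those majors loses them silently. If they never belonged in a disks abstraction, a sentence in the commit message saying so would help; otherwise they belong in a more specific abstraction. The disks-write hunk that follows makes the same change, and its duplicated b7/b8/b11/b179 lines are correctly removed there.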
diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index e72a8906..fd5c7b73 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -68,23 +68,16 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - @{run}/udev/data/b252:[0-9]* r, - @{run}/udev/data/b253:[0-9]* r, + @{run}/udev/data/b24[0-9]:[0-9]* r, + @{run}/udev/data/b25[0-4]:[0-9]* r, @{run}/udev/data/b259:[0-9]* r, - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/b230:[0-9]* r, # /dev/zvol* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* - @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* - @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* - - @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* - @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* - @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* - @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* @{run}/udev/data/b2:[0-9]* r, # for /dev/fd* + @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol* + @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** From 20fd8376bdfaf438212a0d3eafbe0ab61a6a6db5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Jun 2022 22:49:32 +0100 Subject: [PATCH 074/165] feat(profiles): Rewrite and largelly restrict the libvirtd profile. --- apparmor.d/groups/virt/libvirtd | 259 ++++++++++++++++++++++++-------- 1 file changed, 193 insertions(+), 66 deletions(-) diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 38c8540b..688ca76a 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
@@ -1,16 +1,26 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) Libvirt Team -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Based on Libvirt Apparmor profile, it is largelly restricted from th +# As upstream profile mostly focus on confining the guests. Not libvirt itself. +# It uses a lot of profiles provided by apparmor.d +# Source: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in + abi , include -@{exec_path} = /{usr/,}sbin/libvirtd /{usr/,}bin/libvirtd +@{exec_path} = /{usr/,}{s,}bin/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include include + include + include + include + include capability audit_write, capability bpf, @@ -34,6 +44,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_pacct, capability sys_ptrace, + capability sys_rawio, capability sys_resource, network inet stream, 
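Review bot: The new description comment is truncated and misspelt: `# Based on Libvirt Apparmor profile, it is largelly restricted from th` ends mid-word, and the next line starts a fresh sentence with `As`. Suggested wording: `# Based on the upstream libvirt AppArmor profile, but largely restricted, as upstream` / `# mostly focuses on confining the guests rather than libvirtd itself.`, followed by the existing `# It uses ...` and `# Source:` lines. The added abstraction includes on the following lines lost their `<...>` targets in this rendering, so their scope cannot be reviewed here.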
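Review bot: `capability sys_rawio,` is added without a why-comment in a commit whose stated aim is to restrict the profile; sys_rawio is among the broadest capabilities (raw block-device and I/O port access), and the upstream profile this one is based on is the reference for whether libvirtd itself needs it. The libvirt operation that requires it should be named next to the rule, e.g. `capability sys_rawio, # TODO: document which libvirt operation needs this`, and if it is only needed by a child such as qemu it belongs in the guest profile rather than here.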
@@ -44,18 +55,15 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - mount options=(rw,rslave) -> /, - mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, - umount /{var/,}run/libvirt/qemu/*.dev/, + mount options=(rw, rslave) -> /, + mount options=(rw, nosuid) -> @{run}/libvirt/qemu/*.dev/, + umount @{run}/libvirt/qemu/*.dev/, - # libvirt provides any mounts under /dev to qemu namespaces - mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, - mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, - mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, - mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, - - # for --p2p migrations - unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), + # Libvirt provides any mounts under /dev to qemu namespaces + mount options=(rw, move) /dev/ -> @{run}/libvirt/qemu/*.dev/, + mount options=(rw, move) /dev/** -> @{run}/libvirt/qemu/*{,/}, + mount options=(rw, move) @{run}/libvirt/qemu/*.dev/ -> /dev/, + mount options=(rw, move) @{run}/libvirt/qemu/*{,/} -> /dev/**, ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=@{profile_name}, 
@@ -63,79 +71,198 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=libvirt-*, ptrace (read,trace) peer=virt-manager, + signal (read,send) peer=libvirt-*, + signal (read,send) peer=unconfined, signal (send) peer=dnsmasq, - signal (read, send) peer=libvirt-*, - signal (send) set=(kill, term) peer=unconfined, - - # For communication/control to qemu-bridge-helper - unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), + signal (send) set=(kill, term) peer=virtiofsd, signal (send) set=(term) peer=libvirtd//qemu_bridge_helper, - # allow connect with openGraphicsFD, direction reversed in newer versions unix (send, receive) type=stream addr=none peer=(label=libvirt-@{uuid}), - # unconfined also required if guests run without security module + unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), + unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), - # required if guests run unconfined seclabel type='none' but libvirtd is confined - signal (read, send) peer=unconfined, - - # Very lenient profile for libvirtd since we want to first focus on confining - # the guests. Guests will have a very restricted profile. - / r, - /** rwmkl, - - /{usr/,}bin/* rPUx, - /{usr/,}sbin/* rPUx, - /{usr/,}{,s}bin/virtlogd rPx, - /{usr/,}lib/udev/scsi_id rPUx, - /usr/{lib,lib64}/xen-common/bin/xen-toolstack rPUx, - /usr/{lib,lib64}/xen/bin/* rUx, - @{libexec}/xen-*/bin/libxl-save-helper rPUx, - @{libexec}/xen-*/bin/pygrub rPUx, - /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, - /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rPUx, - - # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to - # read and run an ebtables script. 
- /var/lib/libvirt/virtd* rix, - - # force the use of virt-aa-helper - audit deny /{usr/,}{s,}bin/apparmor_parser rwxl, - audit deny /etc/apparmor.d/libvirt/** wxl, - audit deny /sys/kernel/security/apparmor/features rwxl, - audit deny /sys/kernel/security/apparmor/matching rwxl, - audit deny /sys/kernel/security/apparmor/.* rwxl, - /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* rPUx, - /usr/lib/libvirt/libvirt_parthelper ix, - /usr/lib/libvirt/libvirt_iohelper ix, - /etc/libvirt/hooks/** rmix, - /etc/xen/scripts/** rmix, - - # allow changing to our UUID-based named profiles + # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, - # child profile for bridge helper process + @{exec_path} mr, + + @{libexec}/libvirt/libvirt_iohelper rix, + @{libexec}/libvirt/libvirt_parthelper rix, + + @{libexec}/xen-*/bin/libxl-save-helper rPUx, + @{libexec}/xen-*/bin/pygrub rPUx, + /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, + /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP + /{usr/,}lib{,64}/xen-common/bin/xen-toolstack rPUx, + /{usr/,}lib{,64}/xen/bin/* rPUx, + /{usr/,}lib/udev/scsi_id rPUx, + + /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + + /{usr/,}{s,}bin/dmidecode rPx, + /{usr/,}{s,}bin/dnsmasq rPx, + /{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP + /{usr/,}{s,}bin/virtlogd rPX, + /{usr/,}bin/lvm rUx, + /{usr/,}bin/mdevctl rPx, + /{usr/,}bin/swtpm rPx, + /{usr/,}bin/swtpm_ioctl rPx, + /{usr/,}bin/swtpm_setup rPx, + /{usr/,}bin/udevadm rPx, + + /{usr/,}{s,}bin/xtables-nft-multi rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ip rix, + /{usr/,}bin/tc rix, + /{usr/,}bin/xmllint rix, + /{usr/,}bin/qemu-system* rUx, # TODO: Integration with virt-aa-helper + /{usr/,}bin/qemu-img rUx, # TODO: Integration with virt-aa-helper + /{usr/,}lib/libvirt/virt-aa-helper rPx, + + /etc/libvirt/hooks/** 
rmix, + /etc/xen/scripts/** rmix, + /var/lib/libvirt/virtd* rix, + + /usr/share/edk2-ovmf/{,**} r, + /usr/share/hwdata/* r, + /usr/share/libvirt/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/qemu/{,**} r, + + /etc/libvirt/{,**} rw, + /etc/mdevctl.d/{,**} r, + /etc/xml/catalog r, + + /var/cache/libvirt/{,**} rw, + /var/lib/libvirt/{,**} rwk, + /var/log/swtpm/libvirt/{,**} rw, + + # User VM images and share + @{user_share_dirs}/ r, + @{user_share_dirs}/libvirt/{,**} rwk, + @{HOME}/@{XDG_VM_DIR}/{,**} rwk, + @{MOUNTS}/@{XDG_VM_DIR}/{,**} rwk, + @{HOME}/@{XDG_PUBLICSHARE_DIR}/{,**} rw, + @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}/{,**} rw, + + @{run}/libvirt/ rw, + @{run}/libvirt/** rwk, + @{run}/libvirtd.pid wk, + @{run}/lock/LCK.._pts_[0-9]* rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/utmp rk, + + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi:id r, + @{run}/udev/data/+drm:* r, + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci* r, + @{run}/udev/data/+platform* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card* r, # for sound + @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/c1:[0-9]* r, + @{run}/udev/data/c10:[0-9]* r, + @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c2[0-9]*:[0-9]* r, + @{run}/udev/data/c23[0-9]:[0-9]* r, + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c50[0-9]:[0-9]* r, + @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/udev/data/n[0-9]* r, + + @{sys}/bus/[a-z]*/devices/ r, + @{sys}/class/[a-z]*/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/pci[0-9]*/**/{class,revision,subsystem_vendor,subsystem_device} r, + @{sys}/devices/pci[0-9]*/**/{config,numa_node,device,vendor} r, + @{sys}/devices/pci[0-9]*/**/mdev_supported_types/{,**} r, + @{sys}/devices/pci[0-9]*/**/mdev_supported_types/*/create w, + @{sys}/devices/pci[0-9]*/**/net/*/{,**} r, 
+ @{sys}/devices/pci[0-9]*/**/remove w, + @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r, + + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r, + @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, + @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/cpu/present/ r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/ r, + @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r, + @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/{,**} rw, + + @{sys}/kernel/iommu_groups/ r, + @{sys}/kernel/iommu_groups/[0-9]*/devices/ r, + @{sys}/kernel/mm/hugepages/{,**} r, + @{sys}/kernel/security/apparmor/profiles r, + + @{sys}/module/kvm_intel/parameters/nested r, + + @{sys}/fs/cgroup/ r, + @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/machine.slice/* r, + @{sys}/fs/cgroup/machine.slice/machine-qemu*.scope/{,**} rw, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/net/psched r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/@{tid}/sched r, + @{PROC}/@{pids}/task/@{tid}/schedstat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/devices r, + @{PROC}/mtrr w, + @{PROC}/sys/net/ipv{4,6}/** rw, + + /dev/dri/ r, # include ? 
+ /dev/hugepages/{,**} w, + /dev/kvm r, + /dev/mapper/ r, + /dev/mapper/control rw, + /dev/net/tun rw, + /dev/shm/libvirt/{,**} rw, + /dev/vfio/[0-9]* rwk, + /dev/vhost-net rw, + + # Force the use of virt-aa-helper + audit deny /{usr/,}{s,}bin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny @{sys}/kernel/security/apparmor/features rwxl, + audit deny @{sys}/kernel/security/apparmor/matching rwxl, + audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile qemu_bridge_helper { include - capability setuid, + capability net_admin, capability setgid, capability setpcap, - capability net_admin, + capability setuid, network inet stream, # For communication/control from libvirtd unix (send, receive) type=stream addr=none peer=(label=libvirtd), - signal (receive) set=("term") peer=libvirtd, + signal (receive) set=(term) peer=libvirtd, + + /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + + /etc/qemu/{,**} r, + + owner @{PROC}/@{pids}/status r, /dev/net/tun rw, - /etc/qemu/** r, - owner @{PROC}/*/status r, - - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } include if exists From e942c057bdcba1dfec1475d28f26a772b7245134 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Jun 2022 00:08:51 +0100 Subject: [PATCH 075/165] feat(profiles): move netstat --- apparmor.d/{profiles-a-f/bin.netstat => profiles-m-r/netstat} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-a-f/bin.netstat => profiles-m-r/netstat} (100%) diff --git a/apparmor.d/profiles-a-f/bin.netstat b/apparmor.d/profiles-m-r/netstat similarity index 100% rename from apparmor.d/profiles-a-f/bin.netstat rename to apparmor.d/profiles-m-r/netstat From fcbe764ccf2ee239b743453ab3f36635a767edd0 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 25 Jun 2022 00:16:05 +0100 Subject: [PATCH 076/165] feat(profiles): general update. --- apparmor.d/groups/apt/apt-config | 2 + apparmor.d/groups/apt/apt-key | 43 ++++++++++--------- apparmor.d/groups/apt/dpkg-preconfigure | 2 + apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/bus/dbus-daemon-launch-helper | 6 ++- apparmor.d/groups/cron/cron-apport | 1 + apparmor.d/groups/freedesktop/accounts-daemon | 19 ++------ apparmor.d/groups/freedesktop/xdg-settings | 3 ++ apparmor.d/groups/gnome/gdm-runtime-config | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/gnome/gnome-shell | 7 ++- apparmor.d/groups/gnome/goa-daemon | 3 +- apparmor.d/groups/gnome/seahorse | 17 +++++++- .../groups/gvfs/gvfs-udisks2-volume-monitor | 4 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 12 +++++- apparmor.d/groups/gvfs/gvfsd-network | 1 + apparmor.d/groups/gvfs/gvfsd-smb-browse | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + .../groups/systemd/systemd-vconsole-setup | 1 + apparmor.d/groups/ubuntu/apt-esm-hook | 2 +- .../groups/ubuntu/list-oem-metapackages | 4 +- apparmor.d/groups/ubuntu/packagekitd | 2 +- apparmor.d/groups/ubuntu/release-upgrade-motd | 12 ++++-- apparmor.d/groups/ubuntu/ubuntu-report | 2 +- apparmor.d/groups/ubuntu/update-manager | 19 +++++--- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/blueman-mechanism | 1 - .../profiles-a-f/blueman-rfcomm-watcher | 1 - apparmor.d/profiles-a-f/boltd | 1 + apparmor.d/profiles-a-f/etckeeper | 4 +- apparmor.d/profiles-a-f/evince | 6 +-- apparmor.d/profiles-a-f/fprintd | 5 +++ apparmor.d/profiles-a-f/freefall | 8 ++-- apparmor.d/profiles-m-r/rngd | 6 ++- apparmor.d/profiles-m-r/run-parts | 4 ++ apparmor.d/profiles-s-z/system-config-printer | 21 +++++++++ 36 files changed, 154 insertions(+), 74 deletions(-) diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 531b1f70..256d0883 100644 --- a/apparmor.d/groups/apt/apt-config 
+++ b/apparmor.d/groups/apt/apt-config @@ -17,6 +17,8 @@ profile apt-config @{exec_path} { /{usr/,}bin/dpkg rPx -> child-dpkg, + owner /tmp/tmp*/apt.conf r, + owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 2ba7e898..f0f79875 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,21 +15,21 @@ profile apt-key @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cmp rix, + /{usr/,}bin/comm rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/find rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/find rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, /{usr/,}bin/sort rix, - /{usr/,}bin/comm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/id rix, + /{usr/,}bin/touch rix, /{usr/,}bin/tr rix, /{usr/,}bin/uniq rix, /{usr/,}bin/wc rix, @@ -73,6 +74,11 @@ profile apt-key @{exec_path} { /{usr/,}bin/gpg-agent rix, /{usr/,}bin/gpg-connect-agent rix, + /usr/share/gnupg/sks-keyservers.netCA.pem r, + + /etc/hosts r, + /etc/inputrc r, + /etc/apt/.#lk0x[a-f0-9]*.@{pid} rw, /etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid}, /etc/apt/trusted.gpg{,~,.tmp} rw, 
@@ -86,18 +92,13 @@ profile apt-key @{exec_path} { owner /tmp/apt-key-gpghome.*/ rw, owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, + owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w, + + owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /usr/share/gnupg/sks-keyservers.netCA.pem r, - - /etc/hosts r, - /etc/inputrc r, - - # File_inherit - owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w, - } include if exists diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 586947e8..f64de582 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -38,6 +38,8 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{run}/user/@{uid}/pk-debconf-socket rw, + # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index fbc8821e..14c4a8a2 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member={PropertiesChanged,GetAll}, dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index f9a2d8e2..e0f71980 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper 
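Review bot: The new `owner @{run}/user/@{uid}/pk-debconf-socket rw,` in dpkg-preconfigure is unlikely to match when the tool runs as root, because `owner` requires the socket's uid to equal the task's fsuid and a socket under a session user's runtime directory belongs to that user, not to root. If the rule is meant to let a root-run preconfigure connect to the user's passthrough debconf frontend (which the `pk-` prefix suggests, though the caller is not visible here), it probably needs to be `@{run}/user/@{uid}/pk-debconf-socket rw,` without `owner`; if it is only ever hit when dpkg-preconfigure runs as the session user, keep `owner` and say so in a comment. Worth confirming against the audit log on a machine where that frontend is in use before shipping either form.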
@@ -18,10 +18,14 @@ profile dbus-daemon-launch-helper @{exec_path} { @{exec_path} mr, - /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, + /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx, + /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, + /{usr/,}lib/software-properties/software-properties-dbus rPx, /usr/share/dbus-1/{,**} r, + /etc/dbus-1/{,**} r, + owner @{PROC}/@{pid}/oom_score_adj rw, include if exists diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index 387fa938..abf16812 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -14,6 +14,7 @@ profile cron-apport @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/find rix, + /{usr/,}bin/rm rix, / r, /var/crash/ r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 8c49c484..6c761146 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -23,18 +23,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}}, + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority member={CheckAuthorization,Changed}, - dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.DBus.Properties - member={PropertiesChanged,GetAll}, - - dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.Accounts.User - member={Changed,SetLanguage,SetInputSources}, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll, 
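Review bot: The consolidated accounts-daemon rule `dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},` has no `member=` list, so it accepts every method on those interfaces instead of the `{Changed,SetLanguage,SetInputSources}`, `{FindUserByName,ListCachedUsers}` and `GetAll` sets the removed rules named, and it carries no `peer=` either. Since accounts-daemon owns these interfaces and the retained `CheckAuthorization` rule shows that authorization is delegated to polkit, the widening is defensible, but it should be stated so the next reader does not mistake it for an oversight. Suggested comment above the rule: `# Owns org.freedesktop.Accounts*: all members are accepted here, access control is done through polkit CheckAuthorization`.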
@@ -44,14 +39,6 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { member={RequestName,GetConnectionUnixUser} peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers}, - - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.DBus.Properties - member=GetAll, - dbus bind bus=system name=org.freedesktop.Accounts, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 8eb6c1f1..c2ea3fc3 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -35,11 +35,14 @@ profile xdg-settings @{exec_path} { /usr/share/terminfo/x/xterm-256color r, /usr/share/applications/ r, + /usr/share/ubuntu/applications/ r, /etc/xdg/xfce4/helpers.rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/snapd/desktop/applications/{,*} r, + owner @{HOME}/ r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config index e9821c97..eb15b149 100644 --- a/apparmor.d/groups/gnome/gdm-runtime-config +++ b/apparmor.d/groups/gnome/gdm-runtime-config @@ -12,7 +12,7 @@ profile gdm-runtime-config @{exec_path} { @{exec_path} mr, - @{run}/gdm/ r, + @{run}/gdm/ rw, @{run}/gdm/custom.conf* rw, include if exists diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index e4120665..e3655eb2 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -82,6 +82,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw, owner @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, @{PROC}/keys r, 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index fd6fbd6a..efbccf0f 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -110,6 +110,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system + path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent + member=BeginAuthentication, + @{exec_path} mr, /{usr/,}bin/Xwayland rPx, @@ -234,7 +239,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, - @{sys}/devices/**/power_supply/**/{type,online} r, + @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 2fb705b0..602cee7a 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -37,7 +37,8 @@ profile goa-daemon @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_config_dirs}/goa-1.0/accounts.conf r, + owner @{user_config_dirs}/goa-1.0/ rw, + owner @{user_config_dirs}/goa-1.0/accounts.conf* rw, include if exists } diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 7e120cf6..811fbf81 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse 
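Review bot: The added `dbus receive ... interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent member=BeginAuthentication` in gnome-shell has no `peer=` qualifier, so any bus client the bus policy lets through can ask the shell to raise an authentication prompt, not only polkitd. Other rules in this patch pin the counterpart with `peer=(name=...)` (accounts-daemon uses `peer=(name=org.freedesktop.DBus)`), so the same is worth doing here, e.g. `peer=(name=org.freedesktop.PolicyKit[0-9])`, assuming polkitd still owns that well-known name when it calls the agent. If name matching does not hold for this call path, a `peer=(label=...)` on polkitd's profile is the alternative; the profile body continues outside this hunk.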
@@ -9,11 +9,22 @@ include @{exec_path} = /{usr/,}bin/seahorse profile seahorse @{exec_path} { include + include + include include include include include + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew} + peer=(name=org.freedesktop.Avahi), + + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow}, + @{exec_path} mr, /{usr/,}bin/gpgconf rPx, @@ -21,8 +32,10 @@ profile seahorse @{exec_path} { /{usr/,}bin/gpgsm rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, - - # Seahorse and SSH keys + /usr/share/ubuntu/applications/ r, + + /var/lib/snapd/desktop/icons/ r, + owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index e09eb006..19f28dcb 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -56,9 +56,9 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { owner @{PROC}/@{pid}/fdinfo/[0-9]* r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/* r, + @{PROC}/@{pids}/net/* r, @{PROC}/ r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, @{PROC}/1/cgroup r, @{PROC}/locks r, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 2e9861c1..c7e81148 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
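Review bot: The `owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,` rule in the second seahorse hunk loses its only explanation when the `# Seahorse and SSH keys` comment is removed, and that rule covers every file in the user's SSH directory, private keys included, so it is exactly the line a reviewer will stop at. Keep a why-comment above it, e.g. `# SSH key management (reads private keys under @{XDG_SSH_DIR})`. In the first hunk the Avahi `dbus receive` rule for `/Client[0-9]*/ServiceBrowser[0-9]*` has no `peer=` while the matching `dbus send` is pinned to `peer=(name=org.freedesktop.Avahi)`; adding the same peer to the receive rule keeps the pair symmetric.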
@@ -11,6 +11,16 @@ include @{exec_path} += @{libexec}/gvfsd-dnssd profile gvfsd-dnssd @{exec_path} { include + include + include + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Ping,GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9] + interface=org.freedesktop.Avahi.ServiceBrowser + member={CacheExhausted,AllForNow}, @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index c57d71de..5b6c9ab7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-network profile gvfsd-network @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index b289ed55..d9488b3d 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-smb-browse profile gvfsd-smb-browse @{exec_path} { include + include include include diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 52a4981c..31ecf983 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -92,6 +92,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/devices r, + @{PROC}/driver/nvidia/gpus/ r, /dev/ rw, /dev/** rwk, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 06d46ab6..585b841c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup 
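Review bot: The new Avahi rules in gvfsd-dnssd diverge from the equivalent ones added to seahorse in this same patch: the `dbus send ... interface=org.freedesktop.Avahi.Server` line has no `peer=(name=org.freedesktop.Avahi)`, and the receive path is `/Client[0-9]*/ServiceBrowser[0-9]` without the trailing `*`, so browser objects numbered 10 and above will not match and their `CacheExhausted`/`AllForNow` signals will be denied. Suggested lines: `member={Ping,GetAPIVersion,GetState,ServiceBrowserNew} peer=(name=org.freedesktop.Avahi),` and `dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*`. Whether ten browsers are ever opened depends on the caller, but the glob costs nothing and matches the seahorse form.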
@@ -13,6 +13,7 @@ profile systemd-vconsole-setup @{exec_path} { include include + capability dac_override, capability sys_ptrace, capability sys_resource, capability sys_tty_config, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 5eff6c45..5d581cdd 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -14,7 +14,7 @@ profile apt-esm-hook @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index d17f809c..42d9589e 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -15,8 +15,8 @@ profile list-oem-metapackages @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx, - /{usr/,}bin/ischroot rix, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/ischroot rix, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index 56805647..ffa188b9 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -53,7 +53,7 @@ profile packagekitd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, /usr/share/dpkg/tupletable r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index e47fbf14..ae1a42b7 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd 
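Review bot: `capability dac_override,` is added to systemd-vconsole-setup with no comment, and it is the broadest right in this capability list: it bypasses DAC on every path the profile otherwise allows, unlike the device-scoped `sys_tty_config` beside it. Please record what triggered it (presumably a write to a console device or file not owned by the caller; that is inferred, not visible in the hunk) as `# dac_override: <what needed it>` so a later reader can judge whether a narrower file rule would do. If the denial came from a single path, an explicit rule for that path is preferable to the capability.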
@@ -12,10 +12,14 @@ profile release-upgrade-motd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/date rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/stat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/date rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/do-release-upgrade rPx, + + /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 51405517..ed2afd88 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -14,7 +14,7 @@ profile ubuntu-report @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, owner @{user_cache_dirs}/ubuntu-report/{,*} r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 3a947ef9..a1dab06b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -16,6 +16,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -25,9 +26,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*} - interface={org.debian{,.apt},org.freedesktop.DBus.{Introspectable,Properties}} + interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}} member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll}, dbus send bus=system path=/org/freedesktop/DBus 
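Review bot: In the update-manager hunk at `@@ -25,9 +26,10 @@`, `interface={org.debian{,.apt*},...}` turns the interface match into a prefix glob, so any interface whose name begins with `org.debian.apt` is now accepted on `/org/debian/apt{,/transaction/*}`. If the intent is the interface used by the transaction objects, naming it explicitly as the removed form did keeps the rule as precise as the path already is; a trailing `*` on an interface name is easy to read as a typo later. The `network netlink raw,` added in the same hunk would also benefit from a one-line reason. The profile body continues past this hunk.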
@@ -46,9 +48,13 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=StateChanged, + @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/hwe-support-status rPx, /{usr/,}bin/ischroot rix, /{usr/,}bin/lsb_release rPx -> lsb_release, @@ -56,12 +62,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/uname rix, /{usr/,}lib/apt/methods/http{,s} rPx, - /usr/share/applications/{,**} r, /usr/share/distro-info/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/pixmaps/{,*} r, + /usr/share/themes/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, + /usr/share/ubuntu/applications/{,**} r, /usr/share/update-manager/{,**} r, /usr/share/X11/{,**} r, @@ -83,6 +88,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/*.ref w, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mountinfo r, + + /dev/ptmx rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 450b1ca7..dbf9eba3 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -25,7 +25,7 @@ profile update-notifier @{exec_path} { /{usr/,}bin/ischroot rix, /{usr/,}bin/nice rix, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/pkexec rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism index 3bcfb527..b3dd451d 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism +++ b/apparmor.d/profiles-a-f/blueman-mechanism 
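Review bot: In the update-manager hunk at `@@ -83,6 +88,10 @@`, `@{PROC}/@{pids}/mountinfo r,` is unqualified while the line directly above it is `owner @{PROC}/@{pid}/mounts r,`; unless update-manager really inspects other processes' mount tables, `owner @{PROC}/@{pid}/mountinfo r,` is the consistent and narrower form. `/dev/ptmx rw,` grants pty allocation and deserves a why-comment (a terminal for the package run, presumably — not visible here). The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the profile is being touched.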
@@ -23,7 +23,6 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/python3.[0-9]* r, @{libexec}/ r, /var/lib/blueman/network.state rw, diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher index eaa7512b..3f00bf98 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher @@ -12,7 +12,6 @@ profile blueman-rfcomm-watcher @{exec_path} { include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, @{libexec}/ r, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 2eed5450..3501ad8e 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -32,6 +32,7 @@ profile boltd @{exec_path} { @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/ r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{authorized,generation} r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{uevent,unique_id} r, + @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 1c98015f..631f3a22 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -59,7 +59,9 @@ profile etckeeper @{exec_path} { @{run}/resolvconf/resolv.conf r, - /tmp/etckeeper-git* rw, + owner /tmp/etckeeper-git* rw, + + owner @{PROC}/@{pid}/fd/ r, profile gpg { include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 6f6b9e29..0190d419 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/evince /{usr/,}bin/evinced +@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced profile evince @{exec_path} { include include 
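Review bot: `@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced` hard-codes `/{usr/,}lib/` for the daemon, while other profiles in this series use the `@{libexec}` tunable for helpers of the same kind (`@{libexec}/gvfsd-dnssd`, `@{libexec}/gvfsd-network`). If evinced lives in the distribution's libexec directory, `@{exec_path} += @{libexec}/evinced` keeps the profile attached on layouts where that is not `/usr/lib` (this depends on how `@{libexec}` is defined in the tunables, which are outside this diff). A wrong attachment path here leaves evinced silently unconfined, so it is worth checking with `aa-status` on a Debian/Ubuntu host as well as Arch.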
@@ -33,9 +33,9 @@ profile evince @{exec_path} { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/evince/{,*} rw, + owner /tmp/*.pdf r, owner /tmp/evince-*/{,**} rw, - /tmp/gtkprint* rw, - /tmp/*.pdf r, + owner /tmp/gtkprint* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 8d32411c..215f7ef6 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -11,6 +11,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -41,8 +42,12 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /etc/fprintd.conf r, + /var/lib/fprint/{,**} rw, + @{run}/systemd/journal/socket rw, @{run}/systemd/inhibit/*.ref w, + @{sys}/class/hidraw/ r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 29071d5c..61a9c60b 100644 --- a/apparmor.d/profiles-a-f/freefall +++ b/apparmor.d/profiles-a-f/freefall @@ -10,18 +10,18 @@ include profile freefall @{exec_path} { include - capability sys_nice, capability ipc_lock, capability mknod, + capability sys_nice, @{exec_path} mr, + @{sys}/devices/**/unload_heads r, + @{sys}/class/leds/**/brightness r, + /dev/freefall rw, /dev/sd[a-z]* rk, /dev/sd[a-z]*[0-9]* rk, - @{sys}/devices/**/unload_heads r, - @{sys}/class/leds/**/brightness r, - include if exists } diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 4fef8e50..163d2a20 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd 
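Review bot: `/var/lib/fprint/{,**} rw,` in fprintd is added without a comment, and as far as I know that directory is where the daemon keeps enrolled fingerprint templates, i.e. biometric data; a line such as `# Enrolled fingerprint templates (sensitive)` makes the grant self-explaining and flags it for anyone auditing data-at-rest. `@{sys}/class/hidraw/ r,` could likewise say which readers need it. The profile also still ends without a newline (`\ No newline at end of file`).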
@@ -14,18 +14,20 @@ profile rngd @{exec_path} { @{exec_path} mr, + capability dac_read_search, capability sys_admin, capability sys_nice, - capability dac_read_search, network netlink raw, - /etc/opensc.conf r, /etc/conf.d/rngd r, + /etc/opensc.conf r, /etc/machine-id r, /var/lib/dbus/machine-id r, + @{sys}/devices/virtual/misc/hw_random/rng_available r, + @{PROC}/sys/kernel/random/poolsize r, @{PROC}/sys/kernel/random/write_wakeup_threshold rw, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 4254d9bb..ca903cf7 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -96,6 +96,7 @@ profile run-parts @{exec_path} { /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, + /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, /etc/kernel/postrm.d/ r, /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, @@ -139,6 +140,8 @@ profile run-parts @{exec_path} { include include + capability sys_module, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/cat rix, @@ -180,6 +183,7 @@ profile run-parts @{exec_path} { /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, + @{run}/reboot-required w, @{run}/reboot-required.pkgs w, @{PROC}/devices r, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 0dfade79..bbcb943e 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -11,6 +11,8 @@ include @{exec_path} += /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} flags=(complain) { include + include + include include include include 
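Review bot: `capability sys_module,` is added to the `kernel` child profile of run-parts without saying which post-install hook needs it; it permits loading kernel modules, the most consequential right any hook in `/etc/kernel/postinst.d/` could receive, and the child profile's body starts and ends outside this hunk. Add `# sys_module: <hook> loads modules during postinst` with the real hook name so the grant is attributable, and consider whether transitioning that hook's module-loading helper to its own profile would confine the right more narrowly than granting it to every script run under `kernel`. The nearby `/etc/modprobe.d/*.conf r` suggests modprobe is indeed involved, but that is inference.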
@@ -22,6 +24,19 @@ profile system-config-printer @{exec_path} flags=(complain) { network inet stream, network inet6 stream, + network netlink raw, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, @{exec_path} mrix, @@ -33,15 +48,21 @@ profile system-config-printer @{exec_path} flags=(complain) { /usr/share/cups/data/testprint r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/system-config-printer/{,**} r, + /usr/share/X11/xkb/{,**} r, /etc/cups/cupsd.conf r, /etc/cupshelpers/preferreddrivers.xml r, /etc/fstab r, /etc/papersize r, + /var/lib/snapd/desktop/icons/ r, + owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, + owner @{run}/@{uid}/gvfsd/socket-* rw, + @{run}/cups/cups.sock rw, + owner /tmp/* rw, owner @{PROC}/@{pid}/fd/ r, From c04363c1b60e7ce803f619b284d23dd55b00e42b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Jun 2022 00:18:26 +0100 Subject: [PATCH 077/165] feat(profiles): reorganise a few profiles. --- apparmor.d/groups/freedesktop/xdg-mime | 59 +++++++++--------- apparmor.d/profiles-a-f/adduser | 32 ++++------ apparmor.d/profiles-a-f/blueman | 84 +++++++++++--------------- apparmor.d/profiles-a-f/bluetoothd | 22 +++---- apparmor.d/profiles-a-f/e2fsck | 23 ++++--- apparmor.d/profiles-m-r/netstat | 50 +++++++-------- 6 files changed, 125 insertions(+), 145 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 1fb0f326..bbc1eee6 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
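Review bot: `owner @{run}/@{uid}/gvfsd/socket-* rw,` in system-config-printer is missing the `user/` path element: every other runtime-dir rule in this series is written `@{run}/user/@{uid}/...` (apt-key, dpkg-preconfigure, xdg-mime), so this line will never match and the gvfsd socket access stays denied. Because the profile is `flags=(complain)`, the miss only shows up as an audit entry rather than a failure, which is presumably how it slipped through; fix: `owner @{run}/user/@{uid}/gvfsd/socket-* rw,`. The new polkit `dbus send` rules carry no `peer=`, which is tolerable for a client calling the well-known authority object but could follow the `peer=(name=...)` form used elsewhere in the set.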
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,24 +15,39 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/basename rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/head rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/cut rix, /{usr/,}bin/file rix, + /{usr/,}bin/head rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/sed rix, /{usr/,}bin/tr rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/gio rPx, /{usr/,}bin/mimetype rPx, /{usr/,}bin/xprop rPx, /usr/share/terminfo/x/xterm-256color r, + /usr/share/ubuntu/applications/ r, + + /etc/gnome/defaults.list r, + + owner @{HOME}/.Xauthority r, + owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{run}/user/@{uid}/ r, + + @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r, + @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, + + /dev/dri/card[0-9]* rw, + /dev/tty rw, # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: 
@@ -44,26 +60,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { deny /{usr/,}bin/dbus-launch rx, deny /{usr/,}bin/dbus-send rx, - owner @{user_config_dirs}/mimeapps.list{,.new} rw, - - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - owner @{HOME}/.Xauthority r, - - owner @{run}/user/@{uid}/ r, - - # For shell pwd - owner @{HOME}/ r, - - @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, - - # file_inherit - @{MOUNTS}/** rw, - /dev/dri/card[0-9]* rw, - - /dev/tty rw, - profile dbus { include include @@ -72,10 +68,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-send mr, /{usr/,}bin/dbus-daemon rPx, - # for dbus-launch + @{HOME}/.Xauthority r, owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, - @{HOME}/.Xauthority r, } include if exists diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index ef8b465a..1ea91478 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -10,23 +10,14 @@ include profile adduser @{exec_path} { include include - include include + include - # To create a user home dir and give it proper permissions: - # mkdir("/home/user", 0755) = 0 - # chown("/home/user", 1001, 1001) = 0 - # chmod("/home/user", 0755) = 0 capability chown, - capability fowner, - - # To set the set-group-ID bit for the user home dir (SETGID_HOME=yes). - capability fsetid, - - # To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different - # owner. - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, @{exec_path} r, /{usr/,}bin/perl r, 
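Review bot: `owner @{HOME}/ r,` is removed from xdg-mime here without a replacement among the rules moved up in the preceding hunk, and its old comment said it was needed for the shell's pwd, so if the wrapper shell still stats its working directory under $HOME this will now be denied. Dropping `@{MOUNTS}/** rw,` is a real tightening and worth keeping, but it should be recorded as deliberate rather than folded into a reorganisation; a comment like `# No @{MOUNTS}/** access: files are handed to gio/mimetype via rPx` would do, if that is the reason. The profile body continues outside this hunk.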
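Review bot: The adduser hunk deletes the comments that justified each capability (`chown`/`fowner` for creating the home directory, `fsetid` for SETGID_HOME, `dac_read_search`/`dac_override` for copying `/etc/skel` into the new user's directory) and leaves a bare sorted list; for a root tool granted five capabilities that is a documentation regression. Restore the why-comments beside the sorted entries, e.g. `# fsetid: set-group-ID bit on the home dir (SETGID_HOME=yes)` and `# dac_read_search/dac_override: copy /etc/skel/ into the differently-owned home dir`. The profile body continues past this hunk.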
@@ -35,25 +26,24 @@ profile adduser @{exec_path} { /{usr/,}bin/find rix, /{usr/,}bin/rm rix, + /{usr/,}{s,}bin/groupadd rPx, + /{usr/,}{s,}bin/groupdel rPx, /{usr/,}{s,}bin/useradd rPx, /{usr/,}{s,}bin/userdel rPx, - /{usr/,}{s,}bin/groupdel rPx, - /{usr/,}{s,}bin/groupadd rPx, /{usr/,}{s,}bin/usermod rPx, - /{usr/,}bin/passwd rPx, - /{usr/,}bin/gpasswd rPx, - /{usr/,}bin/chfn rPx, - /{usr/,}bin/chage rPx, + /{usr/,}bin/chage rPx, + /{usr/,}bin/chfn rPx, + /{usr/,}bin/gpasswd rPx, + /{usr/,}bin/passwd rPx, /etc/{group,passwd,shadow} r, - /etc/adduser.conf r, + /etc/skel/{,.*} r, # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, @{HOME}/.* w, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, include if exists } diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index f0e4c92f..362666f7 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,15 +10,15 @@ include @{exec_path} = /{usr/,}bin/blueman-* profile blueman @{exec_path} flags=(attach_disconnected) { include + include include - include - include include - include + include include + include + include include include - include network inet stream, network inet6 stream, 
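Review bot: `/etc/adduser.conf r,` is removed in this hunk and is not re-added anywhere visible, yet the original rule suggests adduser reads its configuration from that file; unless the `include` added in the previous hunk of this file (whose name is not visible here) covers it, this looks like a regression that would show up as a denial on every run. If it is intentional, a comment such as `# /etc/adduser.conf is granted by the include above` next to the `/etc/skel/{,.*} r,` line would make that explicit.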
@@ -27,17 +28,25 @@ profile blueman @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=gjs-console, @{exec_path} mrix, - /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/blueman-tray rPx, - /{usr/,}bin/ r, - /{usr/,}bin/{b,d}ash rix, + /{usr/,}bin/{b,d}ash rix, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/blueman-tray rPx, + /{usr/,}bin/xdg-open rCx -> open, /usr/share/blueman/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /var/lib/blueman/network.state r, + + owner @{HOME}/ r, + owner @{HOME}/bluetooth*/ r, + owner @{HOME}/bluetooth*/* rw, + owner @{user_cache_dirs}/blueman-tray-[0-9]* rw, owner @{user_cache_dirs}/blueman-services-[0-9]* rw, owner @{user_cache_dirs}/blueman-adapters-[0-9]* rw, @@ -49,36 +58,16 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{HOME}/ r, - owner @{HOME}/bluetooth*/ r, - owner @{HOME}/bluetooth*/* rw, - - # For sending a note (disabled since the feature doesn't seem to work) - #owner /tmp/* rw, - #owner /var/tmp/* rw, - #owner /tmp/note*.vnt rw, - - /var/lib/blueman/network.state r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/cmdline r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - /dev/tty rw, - - /dev/rfkill r, - - /dev/shm/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - owner @{run}/user/@{uid}/gdm/Xauthority r, - - # file_inherit /dev/dri/card[0-9]* rw, + /dev/rfkill r, + /dev/shm/ r, + /dev/tty rw, profile open { include 
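Review bot: `/{usr/,}bin/python3.[0-9]* r,` and `/{usr/,}bin/ r,` are removed in this hunk with no visible replacement; the original rule suggests `blueman-*` are Python programs, so unless one of the includes rearranged in the first hunk of this file is a Python abstraction that grants interpreter access, the removal will be felt at startup. A comment naming the include that now supplies it, e.g. `# interpreter access comes from the python abstraction`, would let the next reader skip this check. The profile continues outside this hunk.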
@@ -87,30 +76,29 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, + /{usr/,}bin/dbus-send rix, + /{usr/,}bin/file rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/mimetype rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/uname rix, /{usr/,}bin/xprop rix, - /{usr/,}bin/file rix, - /{usr/,}bin/dbus-send rix, - /{usr/,}bin/mimetype rix, - - /usr/share/perl5/** r, - /etc/magic r, - - owner @{HOME}/ r, - owner @{HOME}/bluetooth*/* r, - - owner @{run}/user/@{uid}/ r, # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/spacefm rPx, - # file_inherit + /usr/share/perl5/** r, + + /etc/magic r, + + owner @{HOME}/ r, + owner @{HOME}/bluetooth*/* r, owner @{HOME}/.xsession-errors w, + owner @{run}/user/@{uid}/ r, + } include if exists diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index 740731c5..26316237 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2015-2021 Mikhail Morfikov +# Copyright (C) 2015-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -27,20 +28,19 @@ profile bluetoothd @{exec_path} { /etc/bluetooth/{,*.conf} r, + /var/lib/bluetooth/{,**} rw, + + @{run}/sdp rw, + @{run}/udev/data/+hid:* r, + + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r, + @{sys}/devices/platform/**/rfkill/**/name r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + /dev/uhid rw, /dev/uinput rw, /dev/rfkill rw, /dev/hidraw[0-9]* rw, - @{run}/sdp rw, - - @{run}/udev/data/+hid:* r, - - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/platform/**/rfkill/**/name r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r, - - /var/lib/bluetooth/{,**} rw, - include if exists } 
diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index e7c2cfb5..0932351b 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,19 +13,16 @@ profile e2fsck @{exec_path} { include include + capability dac_read_search, + capability sys_rawio, + @{exec_path} mr, # To check for badblocks /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{s,}bin/badblocks rPx, - owner @{run}/blkid/blkid.tab{,-*} rw, - owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - - @{PROC}/swaps r, - owner @{PROC}/@{pid}/mounts r, - - @{sys}/devices/**/power_supply/AC/online r, + /usr/share/file/misc/magic.mgc r, # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, @@ -32,5 +30,14 @@ profile e2fsck @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + @{run}/blkid/ rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + + @{sys}/devices/**/power_supply/AC/online r, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index a4cc8594..a65591fb 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -1,12 +1,10 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2002-2005 Novell/SUSE -# 2017 Christian Boltz -# 2018-2021 Mikhail Morfikov +# Copyright (C) 2017 Christian Boltz +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Evolution, amongst other things, calls this program. I didn't want to -# give evolution access to significant chunks of /proc - abi , include 
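Review bot: `capability sys_rawio,` and `capability dac_read_search,` are added at the top of this hunk without a comment saying which operation needs them; `sys_rawio` is one of the broadest capabilities (raw device and I/O-port access), so a why-comment such as `# sys_rawio: raw access to the block device being checked` (confirm the trigger from the audit log) belongs above it. The new `@{run}/blkid/ rw,` in the later hunk of this file is also the only blkid rule without `owner`, while the two `blkid.tab` rules beside it keep it; if the directory is root-owned when e2fsck runs, `owner @{run}/blkid/ rw,` keeps the set consistent.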
@@ -18,32 +16,34 @@ profile netstat @{exec_path} { include capability dac_read_search, - capability syslog, capability sys_ptrace, + capability syslog, ptrace (trace,read), @{exec_path} rmix, /etc/networks r, - @{PROC} r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/net r, - @{PROC}/net/* r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/net/netstat r, - @{PROC}/@{pid}/net/raw r, - @{PROC}/@{pid}/net/snmp r, - @{PROC}/@{pid}/net/raw6 r, - @{PROC}/@{pid}/net/tcp r, - @{PROC}/@{pid}/net/tcp6 r, - @{PROC}/@{pid}/net/udp r, - @{PROC}/@{pid}/net/udp6 r, - @{PROC}/@{pid}/net/udplite r, - @{PROC}/@{pid}/net/udplite6 r, - @{PROC}/@{pid}/net/unix r, - # For "netstat -i" - @{PROC}/@{pid}/net/dev r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/net/netstat r, + @{PROC}/@{pids}/net/raw r, + @{PROC}/@{pids}/net/raw6 r, + @{PROC}/@{pids}/net/snmp r, + @{PROC}/@{pids}/net/tcp r, + @{PROC}/@{pids}/net/tcp6 r, + @{PROC}/@{pids}/net/udp r, + @{PROC}/@{pids}/net/udp6 r, + @{PROC}/@{pids}/net/udplite r, + @{PROC}/@{pids}/net/udplite6 r, + @{PROC}/@{pids}/net/unix r, + @{PROC}/net r, + @{PROC}/net/* r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/attr/current r, + + include if exists } From e69182e1dfa4abd98f905ba2207836a58b78f25b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jun 2022 16:40:48 +0100 Subject: [PATCH 078/165] feat(profiles): general update. --- .../freedesktop/update-desktop-database | 8 +++---- .../groups/freedesktop/xdg-permission-store | 1 + apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/gnome/gnome-calendar | 3 ++- apparmor.d/groups/gnome/gnome-control-center | 4 ++++ apparmor.d/groups/network/tailscaled | 23 ++++++++++++++++++- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/flatpak-system-helper | 4 ++++ apparmor.d/profiles-m-r/nvtop | 2 ++ 9 files changed, 41 insertions(+), 7 deletions(-) 
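Review bot: The rewritten `/proc` block widens every `@{PROC}/@{pid}/net/*` rule to `@{PROC}/@{pids}/net/*` without explaining why; `/proc/<pid>/net/` shows the network namespace of that process, so the `@{pid}` form was the tighter rule and the new form may let netstat read the socket tables of other namespaces on the host. If this is needed for containers it deserves a comment such as `# @{pids}: read socket tables of other network namespaces`, otherwise `@{pid}` should be kept. The `# For "netstat -i"` comment on the `net/dev` rule is dropped by the re-sort; the `owner @{PROC}/@{pid}/attr/current r,` addition is sound.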
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index b994cc28..608595e6 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { /usr/share/*/*.desktop r, - /var/lib/flatpak/{app/**,}exports/share/applications/{,**/} r, - /var/lib/flatpak/{app/**,}exports/share/applications/**.desktop r, - /var/lib/flatpak/{app/**,}exports/share/applications/.mimeinfo.cache.* rw, - /var/lib/flatpak/{app/**,}exports/share/applications/mimeinfo.cache w, + /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r, + /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r, + /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw, + /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w, /var/lib/snapd/desktop/applications/{,**/} r, /var/lib/snapd/desktop/applications/**.desktop r, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index fd496df8..a7113a76 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -18,6 +18,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw, + owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw, owner @{user_share_dirs}/flatpak/db/background rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index e3655eb2..5247d407 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker 
@@ -74,6 +74,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/gdm/custom.conf r, + @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 7274e317..f242da61 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -23,8 +23,9 @@ profile gnome-calendar @{exec_path} { @{exec_path} mr, - /usr/share/libgweather/Locations.xml r, + /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/libgweather/Locations.xml r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 09233126..368061b1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -103,6 +103,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /snap/*/[0-9]*/*.png r, /usr/share/backgrounds/{,**} r, + /usr/share/cups/data/testprint r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-background-properties/{,**} r, @@ -123,8 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/snapd/desktop/icons/ r, + /var/cache/samba/ rw, + owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 9f7d73f9..36bf1d12 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled 
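Review bot: `/var/cache/samba/ rw,` in the second gnome-control-center hunk is added without `owner` and without a comment, next to rules that are all owner-qualified or read-only; a desktop control panel writing into a system cache directory is unusual enough that the triggering panel should be named, e.g. `# sharing panel: samba cache`, and if the directory is only listed, `r` suffices. The `owner @{HOME}/.cat_installer/ca.pem r,` line likewise encodes a very specific third-party path that a short comment naming the tool that creates it would explain to the next maintainer.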
@@ -15,6 +15,7 @@ profile tailscaled @{exec_path} { capability dac_read_search, capability mknod, capability net_admin, + capability net_raw, capability sys_ptrace, network inet dgram, @@ -30,10 +31,14 @@ profile tailscaled @{exec_path} { /{usr/,}bin/ip rix, /{usr/,}{s,}bin/xtables-nft-multi rix, - /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/systemctl rCx -> systemctl, /etc/iproute2/rt_tables r, + /etc/resolv.*.conf rw, + /etc/resolv.conf rw, + /etc/resolv.conf.*.tmp rw, + owner /var/lib/tailscale/{,**} rw, owner @{run}/tailscale/{,**} rw, @@ -54,5 +59,21 @@ profile tailscaled @{exec_path} { /dev/net/tun rw, + profile systemctl { + include + + capability mknod, + capability net_admin, + + network netlink raw, + + ptrace (read), + + /{usr/,}bin/systemctl mr, + + /dev/net/tun rw, + + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 688ca76a..d6770ee0 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -225,7 +225,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, - /dev/dri/ r, # include ? + /dev/dri/ r, /dev/hugepages/{,**} w, /dev/kvm r, /dev/mapper/ r, diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 3c8f6a0e..11a35cab 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -49,9 +49,13 @@ profile flatpak-system-helper @{exec_path} { /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpgsm mr, + /{usr/,}bin/gpg-agent rix, + owner /tmp/ostree-gpg-*/ r, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{PROC}/@{uid}/fd/ r, + } include if exists diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 9640ce9a..3b35e019 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop 
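Review bot: The new `systemctl` child profile grants `capability mknod,`, `capability net_admin,`, `network netlink raw,` and `/dev/net/tun rw,`, which mirror rules visible in the parent rather than anything a `systemctl` invocation should need; a transition to a child profile is only a gain if the child is narrower, so these lines look copied from the parent and should be dropped unless the audit log shows systemctl itself triggering them (a comment such as `# systemctl only queries/controls units over the systemd socket` would document the intended scope). Switching from `rPx -> child-systemctl` to a local `rCx -> systemctl` also duplicates whatever the shared child-systemctl profile already encodes, so the reason for diverging here deserves a line. The file also loses its trailing newline (`\ No newline at end of file`). The `/etc/resolv.*.conf rw,` rule in the previous hunk is a wide glob for a write rule; enumerating the exact file names tailscaled writes would be tighter if they are known.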
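Review bot: `owner @{PROC}/@{uid}/fd/ r,` in the flatpak-system-helper hunk uses `@{uid}` in a path that `/proc` indexes by process id, so it almost certainly should be `owner @{PROC}/@{pid}/fd/ r,` to match every other `/proc` rule in these profiles (`owner @{PROC}/@{pid}/fd/ r,` in blueman above, for example); as written it only matches when a pid happens to equal the uid. The enclosing child profile starts outside this hunk.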
@@ -10,6 +10,7 @@ include profile nvtop @{exec_path} { include include + include include include @@ -25,6 +26,7 @@ profile nvtop @{exec_path} { @{PROC}/@{pids}/stat r, @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + /dev/dri/ r, /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw, include if exists From b3a28da5e54528a7608af8b0425588ff3be97346 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jun 2022 16:41:41 +0100 Subject: [PATCH 079/165] fix(profiles): do not confine udevd by default as it may break the boot. --- systemd/systemd-udevd.service | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 systemd/systemd-udevd.service diff --git a/systemd/systemd-udevd.service b/systemd/systemd-udevd.service deleted file mode 100644 index 97038f8d..00000000 --- a/systemd/systemd-udevd.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service systemd-sysusers.service systemd-hwdb-update.service \ No newline at end of file From e087349662a49be29e8c755ce8d4666f0b9951d4 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 26 Jun 2022 17:32:12 +0100 Subject: [PATCH 080/165] feat(profiles): define more xdg variables. --- apparmor.d/abstractions/user-download-strict | 11 +++---- apparmor.d/abstractions/user-read | 31 ++++++++++--------- apparmor.d/abstractions/user-write.d/complete | 19 +++++------- apparmor.d/groups/apps/atom | 4 +-- apparmor.d/groups/apps/calibre | 8 ++--- apparmor.d/groups/apps/code | 6 ++-- apparmor.d/groups/gnome/gnome-music | 3 +- .../groups/gnome/gnome-photos-thumbnailer | 3 +- apparmor.d/groups/gnome/gnome-shell | 3 +- apparmor.d/groups/gpg/gpg | 4 +-- apparmor.d/groups/gpg/gpg-agent | 12 +++---- apparmor.d/groups/gpg/gpgconf | 2 +- apparmor.d/groups/gpg/gpgsm | 2 +- apparmor.d/groups/ssh/ssh | 4 +-- apparmor.d/groups/ssh/ssh-agent | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/virt/libvirtd | 6 ++-- apparmor.d/profiles-a-f/aurpublish | 6 ++-- apparmor.d/profiles-a-f/browserpass | 2 +- apparmor.d/profiles-g-l/git | 8 ++--- apparmor.d/profiles-g-l/gitstatusd | 4 +-- apparmor.d/profiles-g-l/hugo | 4 +-- apparmor.d/profiles-g-l/jdownloader-install | 5 ++- apparmor.d/profiles-m-r/man | 3 +- apparmor.d/profiles-m-r/minitube | 2 +- apparmor.d/profiles-m-r/ntfscp | 6 ++-- apparmor.d/profiles-m-r/pass | 8 ++--- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/qbittorrent | 8 ++--- apparmor.d/profiles-m-r/qbittorrent-nox | 8 ++--- apparmor.d/profiles-s-z/strawberry | 9 ++---- apparmor.d/profiles-s-z/strawberry-tagreader | 6 ++-- apparmor.d/profiles-s-z/transmission-qt | 8 ++--- apparmor.d/profiles-s-z/virt-manager | 3 +- apparmor.d/tunables/xdg-user-dirs | 17 ++++++++-- 35 files changed, 103 insertions(+), 128 deletions(-) diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index 935bbbb0..0f4d183e 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict 
@@ -4,14 +4,11 @@ abi , - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r, - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl, - - owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/ r, - owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/** rwkl, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl, + owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**, + + owner @{user_download_dirs}/ r, + owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**, # For SSHFS mounts (without owner as files in such mounts can be owned by different users) @{HOME}/mount-sshfs/ r, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index cc648448..911cc288 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read 
@@ -2,20 +2,23 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r, - owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, - owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r, - owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r, - owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, +# Give read access on all defined user directories. It should only be used if +# access to ALL folders is required. - owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r, - owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r, + + owner @{user_books_dirs}/{,**} r, + owner @{user_documents_dirs}/{,**} r, + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_projects_dirs}/{,**} r, + owner @{user_publicshare_dirs}/{,**} r, + owner @{user_sync_dirs}/{,**} r, + owner @{user_templates_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete index 6775f9dc..21c2fdc8 100644 --- a/apparmor.d/abstractions/user-write.d/complete +++ b/apparmor.d/abstractions/user-write.d/complete 
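Review bot: Besides switching to the `@{user_*_dirs}` variables, this hunk widens the abstraction by adding `@{user_publicshare_dirs}`, `@{user_sync_dirs}`, `@{user_templates_dirs}` and `@{user_torrents_dirs}`, which every profile that already includes `user-read` now gains read access to without any change on its side; the new header comment correctly says the abstraction is for profiles needing ALL folders, but the widening itself deserves a comment such as `# publicshare, sync, templates and torrents added in 2022; check includers that relied on the narrower set`. The `@{MOUNTS}/@{XDG_SCREENSHOTS_DIR}` and `@{MOUNTS}/@{XDG_WALLPAPERS_DIR}` rules also drop the `/**/` that the removed `@{MOUNTS}/**/@{XDG_*}` rules had, so a folder nested below the mount root is no longer matched; confirm that is intended.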
@@ -2,17 +2,12 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl, - owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, - - owner @{MOUNTS}/@{XDG_DOCUMENTS_DIR}/{,**} rwl, - owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} rwl, - owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} rwl, - owner @{MOUNTS}/@{XDG_VIDEOS_DIR}/{,**} rwl, - owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/{,**} rwl, - owner @{MOUNTS}/@{XDG_BOOKS_DIR}/{,**} rwl, owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl, + + owner @{user_books_dirs}/{,**} rwl, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_music_dirs}/{,**} rwl, + owner @{user_pictures_dirs}/{,**} rwl, + owner @{user_projects_dirs}/{,**} rwl, + owner @{user_videos_dirs}/{,**} rwl, diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index a8933715..cea565a1 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -88,8 +88,8 @@ profile atom @{exec_path} { / r, @{MOUNTS}/ r, owner @{MOUNTS}/ r, - owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r, - owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**, + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_config_dirs}/git/config r, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index f4082f1e..08767209 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre 
@@ -75,12 +75,8 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, - owner @{HOME}/@{XDG_BOOKS_DIR} rw, - owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl, - - owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r, - owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/ rw, - owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/@{XDG_BOOKS_DIR}*/**, + owner @{user_books_dirs} rw, + owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index f941d070..af1b4d05 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -64,10 +64,8 @@ profile code @{exec_path} { owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**, # Git dirs - / r, - @{MOUNTS}/ r, - owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r, - owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**, + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, /etc/fstab r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 3fbaa6b4..46e8c9c6 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -38,8 +38,7 @@ profile gnome-music @{exec_path} { /etc/machine-id r, - owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r, - owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r, + owner @{user_music_dirs}/{,**} r, owner @{user_cache_dirs}/gnome-music/{,**} rwk, owner @{user_cache_dirs}/media-art/album-*.jpeg rw, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index b2e371b9..5a4f9796 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer 
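Review bot: `owner @{user_books_dirs} rw,` keeps the missing trailing slash of the rule it replaces; AppArmor distinguishes directories by a trailing `/`, so if the intent is to let calibre create and list its library directory the line should read `owner @{user_books_dirs}/ rw,` (the `atom` and `code` hunks in this same patch use the `/ r,` form). The rewrite also drops the `@{MOUNTS}/@{XDG_BOOKS_DIR}*/` glob variant, so suffixed sibling folders under a mount are no longer writable; if `@{user_books_dirs}` is meant to cover only the exact directory, that deliberate narrowing is worth a comment.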
@@ -15,8 +15,7 @@ profile gnome-photos-thumbnailer @{exec_path} { /usr/share/mime/mime.cache r, - owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r, - owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index efbccf0f..cb04fd5d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -170,10 +170,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, + owner @{user_music_dirs}/**/*.jpg r, + owner @{user_config_dirs}/.goutputstream{,*} rw, owner @{user_config_dirs}/monitors.xml{,~} rwl, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 9955daf5..e7b4d13f 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -30,8 +30,8 @@ profile gpg @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**, + owner @{user_projects_dirs}/**/gnupg/ rw, + owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 00c33346..4bf35cbd 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -36,12 +36,12 @@ profile gpg-agent @{exec_path} { owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r, + owner @{user_projects_dirs}/**/{.,}gnupg/ rw, + owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index d943273b..e5ba0a3b 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -24,7 +24,7 @@ profile gpgconf @{exec_path} { /{usr/,}bin/pinentry-* rPx, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**, + owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, owner @{PROC}/@{pid}/task/@{tid}/stat rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index 78a371d4..9792071b 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm 
@@ -16,7 +16,7 @@ profile gpgsm @{exec_path} { deny /usr/bin/.gnupg/ w, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, + owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 76eeedf8..4788e190 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -30,8 +30,8 @@ profile ssh @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r, + owner @{user_projects_dirs}/**/ssh/{,*} r, + owner @{user_projects_dirs}/**/config r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 0b9db0ff..e5e75be7 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -29,7 +29,7 @@ profile ssh-agent @{exec_path} { # SSH keys owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, + owner @{user_projects_dirs}/**/ssh/{,*} r, # When started via systemd @{run}/user/@{uid}/openssh_agent rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index ab522ceb..ff37f0ca 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -77,7 +77,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /etc/ssh/sshd_config.d/{,*} r, # For scp - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, + owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index d6770ee0..bda5c0c2 100644 
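Review bot: The link target on the rewritten rule, `rwkl -> @{user_projects_dirs}/**`, allows links from the gnupg directory to anywhere under the projects tree, while the equivalent rule in `gpgconf` in this same patch confines the target to `@{user_projects_dirs}/**/gnupg/**`; since the variable substitution is the only intended change here, aligning it as `owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,` makes the two profiles consistent and narrows what a misbehaving gpgsm could link out of the keyring directory.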
--- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -141,10 +141,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # User VM images and share @{user_share_dirs}/ r, @{user_share_dirs}/libvirt/{,**} rwk, - @{HOME}/@{XDG_VM_DIR}/{,**} rwk, - @{MOUNTS}/@{XDG_VM_DIR}/{,**} rwk, - @{HOME}/@{XDG_PUBLICSHARE_DIR}/{,**} rw, - @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}/{,**} rw, + @{user_vm_dirs}/{,**} rwk, + @{user_publicshare_dirs}/{,**} rw, @{run}/libvirt/ rw, @{run}/libvirt/** rwk, diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish index fd643e75..879199f5 100644 --- a/apparmor.d/profiles-a-f/aurpublish +++ b/apparmor.d/profiles-a-f/aurpublish @@ -21,9 +21,9 @@ profile aurpublish @{exec_path} { /{usr/,}bin/rm rix, /{usr/,}bin/wc rix, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.SRCINFO rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/PKGBUILD r, + owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, + owner @{user_projects_dirs}/**/.SRCINFO rw, + owner @{user_projects_dirs}/**/PKGBUILD r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 1bf18858..bbab7719 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -34,7 +34,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { deny network inet, deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r, deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw, - deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, + deny owner @{user_download_dirs}/{,**} rw, deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny owner @{user_share_dirs}/gvfs-metadata/{,**} r, deny /dev/dri/* rw, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 053d00dd..ac9ffba1 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git 
@@ -80,8 +80,8 @@ profile git @{exec_path} { /etc/mailname r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**, + owner @{user_projects_dirs}/ rw, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, owner /tmp/** rwkl -> /tmp/**, @@ -167,8 +167,8 @@ profile git @{exec_path} { /etc/vimrc r, /etc/vim/{,**} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/[0-9]* rw, + owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, + owner @{user_projects_dirs}/**/.git/[0-9]* rw, owner @{HOME}/.fzf/plugin/ r, owner @{HOME}/.fzf/plugin/fzf.vim r, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index beb5c439..dad61dd6 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -12,8 +12,8 @@ profile gitstatusd @{exec_path} { @{exec_path} mr, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw, + owner @{user_projects_dirs}/{,**} r, + owner @{user_projects_dirs}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index ba25cd0c..7482a9f0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -22,8 +22,8 @@ profile hugo @{exec_path} { /etc/mime.types r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.hugo_build.lock rwk, + owner @{user_projects_dirs}/{,**} rw, + owner @{user_projects_dirs}/**/.hugo_build.lock rwk, owner /tmp/hugo_cache/ rw, owner /tmp/hugo_cache/**/ rw, diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install index 79b1478d..9bf9a3b2 100644 
--- a/apparmor.d/profiles-g-l/jdownloader-install +++ b/apparmor.d/profiles-g-l/jdownloader-install @@ -6,9 +6,8 @@ abi , include -@{JD_INSTALLDIR} = /home/*/jd2 -@{JD_SH_PATH} = /home/*/@{XDG_DOWNLOAD_DIR} -@{JD_SH_PATH} += /home/*/@{XDG_DESKTOP_DIR} +@{JD_INSTALLDIR} = @{HOME}/jd2 +@{JD_SH_PATH} = @{user_download_dirs} @{HOME}/@{XDG_DESKTOP_DIR} @{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh profile jdownloader-install @{exec_path} { diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index 1b14475a..e32ab8c7 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -97,10 +97,9 @@ profile man_filter { # do is feed data to the invoking man process. /usr/** r, owner @{HOME}/@{XDG_DATA_HOME}/** r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/** r, + owner @{user_projects_dirs}/** r, owner @{user_cache_dirs}/** r, owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r, - owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r, /var/cache/man/** w, } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 2f19be1e..5701e0c9 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -41,7 +41,7 @@ profile minitube @{exec_path} { owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk, # Snapshot - owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw, + owner @{user_pictures_dirs}/*.png rw, owner @{HOME}/vlcsnap-.png rw, /usr/share/minitube/{,**} r, diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp index ac6197c3..a10e17f2 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp 
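Review bot: The man_filter hunk silently drops coverage of `@{MOUNTS}/*/@{XDG_PROJECTS_DIR}`, because `@{user_projects_dirs}` is defined in the tunables/xdg-user-dirs hunk at the end of this patch as `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}`, without the per-mount `*/` component that the removed line and the pre-existing `@{user_sync_dirs}` (`@{MOUNTS}/*/@{XDG_SYNC_DIR}`) use. The same relocation is hidden in the qbittorrent-nox hunk (`@{MOUNTS}/*/torrent` becomes `@{MOUNTS}/Torrents`) and the transmission-qt hunk (`/media/*/torrent` becomes `@{user_torrents_dirs}`), so what reads as a pure variable substitution actually changes which directories are allowed. Either the eleven new variables should follow the existing convention, e.g. `@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/*/@{XDG_PROJECTS_DIR}`, or the tunables hunk should state that mount paths are intentionally `@{MOUNTS}/<dir>` and align `@{user_sync_dirs}` with them. The man_filter block begins before this hunk.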
@@ -17,10 +17,10 @@ profile ntfscp @{exec_path} { # For writing files owned by users other than root, since ntfscp has to be started as root. capability dac_read_search, - @{HOME}/@{XDG_DOWNLOAD_DIR}/ r, - @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl -> @{HOME}/@{XDG_DOWNLOAD_DIR}/**, @{HOME}/@{XDG_DESKTOP_DIR}/ r, - @{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> @{HOME}/@{XDG_DESKTOP_DIR}/**, + @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**, + @{user_download_dirs}/ r, + @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 8455fa74..b701b02b 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -56,7 +56,7 @@ profile pass @{exec_path} { /usr/share/terminfo/x/xterm-256color r, owner @{HOME}/.password-store/{,**} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw, + owner @{user_projects_dirs}/**/*-store/{,**} rw, owner @{user_config_dirs}/password-store/{,**} rw, owner /dev/shm/pass.*/{,*} rw, @@ -84,7 +84,7 @@ profile pass @{exec_path} { owner @{HOME}/.viminfo{,.tmp} rw, owner @{HOME}/.password-store/ r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ r, + owner @{user_projects_dirs}/**/*-store/ r, owner @{user_config_dirs}/password-store/ r, owner @{user_cache_dirs}/vim/{,**} rw, @@ -118,8 +118,8 @@ profile pass @{exec_path} { owner @{HOME}/.password-store/ rw, owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**, + owner @{user_projects_dirs}/**/*-store/ rw, + owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/password-store/ rw, owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**, 
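Review bot: The ntfscp hunk changes `@{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> ...` to `rwkl`, adding file-lock permission on a line the variable refactor did not otherwise need to touch, and the same `k` is carried onto the new `@{user_download_dirs}/**` rule. The comment above says ntfscp is started as root and these rules carry no `owner` qualifier, so a permission widening is worth stating on its own rather than folding into a rename. If locking is genuinely required, a short comment above the block naming the observed denial would make that explicit. The enclosing profile block starts and ends outside the hunk.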
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 55418bae..c02d9d37 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -27,7 +27,7 @@ profile pass-import @{exec_path} { /usr/share/file/misc/magic.mgc r, owner @{HOME}/.password-store/{,**} rw, - owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw, + owner @{user_projects_dirs}/**/*-store/{,**} rw, owner @{user_config_dirs}/password-store/{,**} rw, owner /tmp/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 2eab25a4..051776b5 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -7,8 +7,6 @@ abi , include -@{TORRENT_DIR} = @{MOUNTS}/torrent - @{exec_path} = /{usr/,}bin/qbittorrent profile qbittorrent @{exec_path} { include @@ -71,10 +69,8 @@ profile qbittorrent @{exec_path} { /usr/share/qt5ct/** r, # Torrent files - @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{TORRENT_DIR}/ r, - owner @{TORRENT_DIR}/** rw, + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, # GeoIP settings /usr/share/GeoIP/GeoIP.dat r, diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index defec22b..38fd8120 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -6,8 +6,6 @@ abi , include -@{TORRENT_DIR} = @{MOUNTS}/*/torrent - @{exec_path} = /{usr/,}bin/qbittorrent-nox profile qbittorrent-nox @{exec_path} { include @@ -38,10 +36,8 @@ profile qbittorrent-nox @{exec_path} { owner @{user_cache_dirs}/qBittorrent/{,**} rw, # Torrent files - @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{TORRENT_DIR}/ r, - owner @{TORRENT_DIR}/** rw, + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, /dev/disk/by-label/ r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 7c223bed..9d04457b 100644 
--- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -6,8 +6,6 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/mp3/ - @{exec_path} = /{usr/,}bin/strawberry profile strawberry @{exec_path} { include @@ -46,11 +44,8 @@ profile strawberry @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, # Media library - / r, - @{MOUNTS}/ r, - owner @{MOUNTS}/*/ r, - owner @{MEDIA_LIB}/ r, - owner @{MEDIA_LIB}/** rw, + owner @{user_music_dirs}/ r, + owner @{user_music_dirs}/** rw, # Playlists owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw, diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 45a13c29..6b88c2bd 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -6,8 +6,6 @@ abi , include -@{MEDIA_LIB} = @{MOUNTS}/mp3/ - @{exec_path} = /{usr/,}bin/strawberry-tagreader profile strawberry-tagreader @{exec_path} { include @@ -21,8 +19,8 @@ profile strawberry-tagreader @{exec_path} { @{exec_path} mr, # Media library - owner @{MEDIA_LIB}/ r, - owner @{MEDIA_LIB}/** rw, + owner @{user_music_dirs}/ r, + owner @{user_music_dirs}/** rw, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index c2d4834c..37637812 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt @@ -6,8 +6,6 @@ abi , include -@{TORRENT_DIR} = /media/*/torrent - @{exec_path} = /{usr/,}bin/transmission-qt profile transmission-qt @{exec_path} { include @@ -36,10 +34,8 @@ profile transmission-qt @{exec_path} { @{exec_path} mr, # Torrent files - /media/ r, - owner /media/*/ r, - owner @{TORRENT_DIR}/ r, - owner @{TORRENT_DIR}/** rw, + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, owner @{HOME}/.config/transmission/ rw, owner @{HOME}/.config/transmission/** rwk, 
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 416a527c..10475656 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -84,8 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # User VM images owner @{user_share_dirs}/ r, owner @{user_share_dirs}/libvirt/{,**} rw, - owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, - owner @{MOUNTS}/@{XDG_VM_DIR}/{,**} rw, + owner @{user_vm_dirs}/{,**} rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/mount/utab r, diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index f7ef793a..98a55a7c 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs @@ -21,13 +21,13 @@ @{XDG_VIDEOS_DIR}="Videos" # Extra user personal directories -@{XDG_PROJECTS_DIR}="Projects" @{XDG_BOOKS_DIR}="Books" -@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers" +@{XDG_PROJECTS_DIR}="Projects" @{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots" - @{XDG_SYNC_DIR}="Sync" +@{XDG_TORRENTS_DIR}="Torrents" @{XDG_VM_DIR}=".vm" +@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers" # User personal keyrings @{XDG_SSH_DIR}=".ssh" 
@@ -52,7 +52,18 @@ @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ # Other user directories +@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} +@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} +@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} +@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} +@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} +@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} +@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} @{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} +@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} +@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} +@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} +@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories From 08beefe867a7a976ee52df82edb15bfd80440677 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 26 Jun 2022 23:05:09 +0100 Subject: [PATCH 081/165] feat(profiles): general update. --- apparmor.d/groups/apt/apt | 7 +++++-- apparmor.d/groups/bus/dbus-daemon-launch-helper | 2 ++ .../groups/gnome/gnome-calculator-search-provider | 4 +++- apparmor.d/groups/gnome/gnome-control-center | 1 + .../groups/gnome/gnome-control-center-search-provider | 7 ++++++- apparmor.d/groups/gnome/gnome-terminal-server | 3 ++- apparmor.d/groups/gnome/seahorse | 10 ++++++++++ apparmor.d/groups/network/NetworkManager | 4 +++- apparmor.d/groups/systemd/systemd-resolved | 1 + apparmor.d/groups/systemd/systemd-timedated | 6 +++++- apparmor.d/groups/ubuntu/apport-gtk | 5 +++-- apparmor.d/groups/ubuntu/apt-esm-json-hook | 1 + apparmor.d/profiles-a-f/apparmor_parser | 1 + apparmor.d/profiles-m-r/needrestart | 1 + apparmor.d/profiles-m-r/run-parts | 2 ++ apparmor.d/profiles-s-z/spice-vdagent | 1 + 16 files changed, 47 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 848ae80d..017fd58e 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -63,6 +63,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/apt-show-versions rPx, /{usr/,}bin/debtags rPx, + /{usr/,}bin/df rPx, + /{usr/,}bin/dmesg rPx, /{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg-source rcx -> dpkg-source, /{usr/,}bin/etckeeper rPx, @@ -97,6 +99,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/cache/apt/ r, /var/cache/apt/** rwk, + /var/crash/{,*.@{uid}.crash} rw, + /var/lib/apt/extended_states{,.*} rw, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, 
@@ -105,8 +109,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/lock{,-frontend} rwk, /var/lib/update-notifier/dpkg-run-stamp rw, - /var/log/apt/{term,history}.log w, - /var/log/apt/eipp.log.xz w, + /var/log/apt/{,**} rw, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index e0f71980..2c02babd 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper @@ -21,6 +21,8 @@ profile dbus-daemon-launch-helper @{exec_path} { /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx, /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, /{usr/,}lib/software-properties/software-properties-dbus rPx, + + /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, /usr/share/dbus-1/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index f34ebb82..d3a16fcf 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -9,9 +9,10 @@ include @{exec_path} = @{libexec}/gnome-calculator-search-provider profile gnome-calculator-search-provider @{exec_path} { include + include include - include include + include signal (send) set=kill peer=unconfined, @@ -23,6 +24,7 @@ profile gnome-calculator-search-provider @{exec_path} { /usr/share/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 368061b1..ff76bcc6 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
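Review bot: `/var/log/apt/{,**} rw,` grants more than the two lines it replaces: the old rules were write-only on `{term,history}.log` and `eipp.log.xz`, while the new one adds read access to every file under `/var/log/apt/` and to the directory listing itself. If apt only needs to append to its own logs, `/var/log/apt/{,**} w,` (or the original named files) keeps the profile at the "only what is explicitly required" level the CONTRIBUTING rules in this series ask for; if it does read the logs back, a one-line comment naming which file and why would make the widening reviewable. The enclosing `profile apt` block starts and ends outside the hunk.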
@@ -148,6 +148,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, + @{run}/cups/cups.sock rw, @{run}/udev/data/+dmi:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 247eeeac..c99e15d4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -9,17 +9,22 @@ include @{exec_path} = @{libexec}/gnome-control-center-search-provider profile gnome-control-center-search-provider @{exec_path} { include + include include + include include include - include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/ubuntu/applications/{,**} r, /usr/share/X11/xkb/{,**} r, + /etc/gnome/defaults.list r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 51cd8765..bbf8f817 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -20,7 +20,8 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, # The shell is not confined on purpose. - /{usr/,}bin/{,z,ba,da}sh rUx, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 811fbf81..f7429593 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse 
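Review bot: In the gnome-terminal-server hunk the old pattern `{,z,ba,da}sh` matched `/{usr/,}bin/sh`, but neither `/{usr/,}bin/{,b,d,rb}ash` nor `/{usr/,}bin/{c,k,tc,z}sh` does (the first requires the `ash` suffix, the second a non-empty prefix), so a terminal whose configured shell is plain `sh` would now hit a denied exec instead of the intended unconfined launch. If plain `sh` is still meant to be covered, `/{usr/,}bin/{,a,ba,da,rba}sh rUx,` matches sh, ash, bash, dash and rbash in one rule; if it is intentionally excluded, a comment next to the existing "not confined on purpose" note would say so. The enclosing profile block starts and ends outside the hunk.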
@@ -16,11 +16,21 @@ profile seahorse @{exec_path} { include include + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), + dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew} peer=(name=org.freedesktop.Avahi), + dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi), + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* interface=org.freedesktop.Avahi.ServiceBrowser member={CacheExhausted,AllForNow}, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 3d4cc758..1637a5d7 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -97,7 +97,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/nm-openvpn-service rPx, /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx, - /dev/rfkill rw, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, / r, /etc/ r, @@ -136,5 +136,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/** rw, + /dev/rfkill rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index f2e385d6..9b9e028b 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -50,6 +50,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/resolve/{,**} rw, @{PROC}/sys/kernel/hostname r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 6e898528..ddd2c425 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated 
@@ -19,9 +19,13 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus member={AddMatch,ReleaseName,RequestName}, + dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/* + interface=org.freedesktop.DBus.Properties + member=GetAll, + dbus receive bus=system path=/org/freedesktop/timedate[0-1] interface=org.freedesktop.DBus.Properties - member=Get, + member={Get,GetAll}, dbus bind bus=system name=org.freedesktop.timedate[0-9], diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 2f64f26c..4cb03377 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -69,16 +69,17 @@ profile apport-gtk @{exec_path} { /tmp/[a-z0-9]* rw, /tmp/apport_core_* rw, - /tmp/launchpadlib.cache.[a-z0-9]*/ w, + /tmp/launchpadlib.cache.[a-z0-9]*/ rw, /tmp/tmp[a-z0-9]*/{,**} rw, - owner @{PROC}/@{pid}/cgroup r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/stat r, @{PROC}/modules r, @{PROC}/version_signature r, + owner @{PROC}/@{pid}/cgroup r, profile gdb { include diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 31af9923..9ba79f93 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index e75165f5..eb535fe5 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include + include capability mac_admin, 
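Review bot: The new `dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/* interface=org.freedesktop.DBus.Properties member=GetAll` rule in the systemd-timedated hunk names no peer, so the call is permitted toward any service exposing such a path, unlike the peer-pinned Avahi rules added to seahorse in the same commit. If the target is the systemd manager, appending `peer=(name=org.freedesktop.systemd1),` keeps the rule to the one service timedated talks to. The enclosing profile block starts and ends outside the hunk.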
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 0eaa5148..6e0aeef5 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -25,6 +25,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/fail2ban-server rPx, /{usr/,}bin/locale rix, /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/stty rix, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index ca903cf7..08cdcdfa 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -14,6 +14,8 @@ profile run-parts @{exec_path} { @{exec_path} mr, + /usr/share/update-notifier/notify-reboot-required rPx, + # Crontrab /etc/cron.{hourly,daily,weekly,monthly}/ r, /etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 690023d7..17d71d8b 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -11,6 +11,7 @@ profile spice-vdagent @{exec_path} { include include include + include include include From 8969786104934b81abaddf3c5b529574baf47cc1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jun 2022 23:05:24 +0100 Subject: [PATCH 082/165] feat(profiles): add plymouthd. --- apparmor.d/groups/freedesktop/plymouthd | 43 +++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/plymouthd diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd new file mode 100644 index 00000000..1bc95f96 --- /dev/null +++ b/apparmor.d/groups/freedesktop/plymouthd 
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/plymouthd +profile plymouthd @{exec_path} { + include + include + + capability sys_admin, + capability sys_tty_config, + + network netlink raw, + + signal (send) peer=unconfined, + + unix type=stream peer=(addr="@/org/freedesktop/plymouthd"), + + @{exec_path} mr, + + /usr/share/plymouth/{,**} r, + + /etc/default/keyboard r, + + @{run}/udev/data/+drm:* r, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/uevent r, + @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/acpi/bgrt/{,*} r, + + @{PROC}/cmdline r, + + /dev/dri/card[0-9]* rw, + + include if exists +} \ No newline at end of file From 6c89ee8630f0f87a9d8cdc2fd548687a9bf33fc3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jun 2022 23:05:53 +0100 Subject: [PATCH 083/165] feat(profiles): add gnome-characters-backgroudservice. --- .../gnome/gnome-characters-backgroudservice | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-characters-backgroudservice diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice new file mode 100644 index 00000000..f5d261f9 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice 
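Review bot: `signal (send) peer=unconfined,` in the new plymouthd profile permits every signal toward every unconfined process, whereas the search-provider profile touched earlier in this series constrains the same kind of rule with `set=kill`. If the signals plymouthd needs are known, `signal (send) set=(...) peer=unconfined,` with that set is the least-privilege form, and `capability sys_admin,` deserves a one-line comment stating what it is used for, given how broad that capability is. The file is also written without a trailing newline.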
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService +profile gnome-characters-backgroudservice @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + /usr/share/themes/{,**} r, + /usr/share/X11/xkb/{,**} r, + + include if exists +} \ No newline at end of file From 72a042e6efdaa3891eeec892dd07eb2b80410fdb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jun 2022 23:06:42 +0100 Subject: [PATCH 084/165] feat(profiles): add notify-reboot-required. --- .../groups/ubuntu/notify-reboot-required | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/notify-reboot-required diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required new file mode 100644 index 00000000..91fd3a8a --- /dev/null +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/update-notifier/notify-reboot-required +profile notify-reboot-required @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/gettext rix, + + /usr/share/update-notifier/notify-reboot-required r, + + @{run}/reboot-required rw, + @{run}/reboot-required.pkgs rw, + + include if exists +} \ No newline at end of file From 1d45e8ec2e4a81330354743e09f80b4add01d7ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jun 2022 23:07:00 +0100 Subject: [PATCH 085/165] feat(profiles): add do-release-upgrade. --- apparmor.d/groups/ubuntu/do-release-upgrade | 34 +++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/do-release-upgrade 
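Review bot: The profile name `gnome-characters-backgroudservice` and its file path spell "background" as "backgroud"; because the profile name is what its local include and any future explicit transition target will refer to, renaming it to `gnome-characters-backgroundservice` now avoids carrying the typo forward. The file also lacks a trailing newline.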
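Review bot: In the new notify-reboot-required profile, `/usr/share/update-notifier/notify-reboot-required r,` is redundant: `@{exec_path}` is defined as exactly that path and `@{exec_path} mr,` already grants read. Dropping the duplicate keeps one rule per resource; if the script does re-read itself as data and the line is meant to document that, a comment saying so would explain keeping it. The file also lacks a trailing newline.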
diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade new file mode 100644 index 00000000..1d8f91cd --- /dev/null +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/do-release-upgrade +profile do-release-upgrade @{exec_path} { + include + include + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/lsb_release rPx -> lsb_release, + + /usr/share/distro-info/*.csv r, + /usr/share/ubuntu-release-upgrader/{,**} r, + + /etc/machine-id r, + /etc/update-manager/{,**} r, + + /var/lib/update-manager/meta-release-* rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} \ No newline at end of file From 9b84ded0c29d08b4edcd26de4006d352c9ac7c85 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 3 Jul 2022 18:55:21 +0100 Subject: [PATCH 086/165] doc: improve current doc. --- CONTRIBUTING.md | 63 ++++++++++++++++++++++++++++++++++++++++--------- README.md | 12 ++++++---- 2 files changed, 59 insertions(+), 16 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9fe8cd57..c65cda9f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -30,6 +30,17 @@ in this page all the useful information needed to contribute. you'll see a Compare & pull request button, fill and submit the pull request. +## Projects rules + +A few rules: +1. As these are mandatory access control policies only what it explicitly required + should be authorized. Meaning, you should not allow everything (or a large area) + and blacklist some sub area. +2. A profile **should not break a normal usage of the confined software**. It can + be complex as simply running the program for your own use case is not alway + exhaustive of the program features and required permissions. + + ## Add a profile 1. To add a new profile `foo`, add the file `foo` in `apparmor.d/profile-a-f`. 
@@ -64,36 +75,65 @@ profile foo @{exec_path} { ## Profile Guidelines -In order to ensure a common structure across the profiles, all new profile should try to follow the guideline presented here. +> This profile guideline is still evloving, feel free to propose improvment -The rules in the profile should be sorted as follow: +In order to ensure a common structure across the profiles, all new profile should +try to follow the guideline presented here. + +The rules in the profile should be sorted as follow: - include - capability +- network +- mount +- remount +- umount - ptrace - signal -- network -- mount +- unix +- dbus (send, receive) send receice - @{exec_path} mr, - The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`... - The shared resources: `/usr/share`... - The system configuration: `/etc`... +- The system data: `/var`... - The user data: `owner @{HOME}/`... -- The user configuration (all dotfiles) +- The user configuration, cache and in general all dotfiles - Temporary data: `/tmp/`, `@{run}/`... - Sys files: `@{sys}/`... - Proc files: `@{PROC}/`... - Dev files: `/dev/`... +- Deny rules: `deny`... +- Local include **Other rules** * Do not use: `/usr/lib` or `/usr/bin` but `/{usr/,}bin/` or `/{usr/,}lib/`. +* Do not use: `/usr/sbin` or `/sbin` but `/{usr/,}{s,}bin/`. * Always use the apparmor variables. * In a rule block, the rule shall be alphabetically sorted. -* When some file access share similar purpose, they shall be sorted together. Eg: - ``` - /etc/machine-id r, - /var/lib/dbus/machine-id r, - ``` +* Subprofile should comes at the end of a profile. +* When some file access share similar purpose, they may be sorted together. Eg: + ``` + /etc/machine-id r, + /var/lib/dbus/machine-id r, + ``` + +The included tool `aa-log` can be useful to explore the apparmor log + +## Abstraction + +This project and the apparmor profile official project provide a large selection +of abstraction to be included in profiles. They should be used. 
+ +For instance, instead of writting: +```sh +owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, +``` +to allow download directory access, you should write + +```sh +include +``` ## AppArmor variables @@ -119,10 +159,11 @@ The rules in the profile should be sorted as follow: **Additional variables available with this project:** * Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt` +* Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*` * Extended XDG user directories: - Projects: `@{XDG_PROJECTS_DIR}="Projects"` - Books: `@{XDG_BOOKS_DIR}="Books"` - - Wallpapers: `@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"` + - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"` - Sync: `@{XDG_SYNC_DIR}="Sync"` - Vm: `@{XDG_VM_DIR}=".vm"` - SSH: `@{XDG_SSH_DIR}=".ssh"` diff --git a/README.md b/README.md index d20438db..1b082b24 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,8 @@ ## Description -A set of over 1000 AppArmor profiles which aims is to confine most of Linux base applications and processes. +A set of over 1200 AppArmor profiles which aims is to confine most of Linux base +applications and processes. **Goals & Purpose** - Support all distributions that support AppArmor: @@ -65,7 +66,7 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ Build using standard Debian package build tools: ```sh dpkg-buildpackage -b -d --no-sign -sudo dpkg --install ../apparmor.d_*_all.deb +sudo dpkg -i ../apparmor.d_*_all.deb ``` > Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) 
@@ -131,7 +132,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r **AppArmor configuration** As they are a lot of rules, it is recommended to enable caching AppArmor profiles. -In `/etc/apparmor/parser.conf`, uncomment `write-cache`. +In `/etc/apparmor/parser.conf`, uncomment `write-cache` and `Optimize=compress-fast`. See [Speed up AppArmor Start] on the Arch Wiki for more information. @@ -176,9 +177,9 @@ AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with `aa- **System Recovery** -Issue in some core profiles like the systemd tools, or the desktop environment +Issue in some core profiles like the systemd suite, or the desktop environment can fully break your system. This should not happen a lot, but if it does here -is the procces to recover your system on Archlinux: +is the process to recover your system on Archlinux: 1. Boot from a Archlinux live USB 1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/ vg0` 1. Mount your root partition: `mount /dev/ /mnt` @@ -253,3 +254,4 @@ with this program; if not, write to the Free Software Foundation, Inc., [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles +[write xor execute]: https://en.wikipedia.org/wiki/W%5EX From f6de2fbe7a2ca52e14fd68aab92ea6ae152d81f9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 3 Jul 2022 20:27:48 +0100 Subject: [PATCH 087/165] feat(profiles): general update. --- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/freedesktop/geoclue | 4 ++++ apparmor.d/groups/freedesktop/plymouthd | 4 ++++ apparmor.d/groups/freedesktop/upowerd | 2 +- .../gnome/gnome-characters-backgroudservice | 2 +- apparmor.d/groups/gnome/gnome-control-center | 4 ++-- .../gnome/gnome-control-center-goa-helper | 1 + apparmor.d/groups/gnome/gnome-music | 1 + apparmor.d/groups/gnome/gnome-terminal-server | 3 +++ apparmor.d/groups/pacman/pacman-key | 3 +++ apparmor.d/groups/systemd/bootctl | 5 ++++ .../groups/systemd/systemd-machine-id-setup | 2 ++ apparmor.d/groups/systemd/systemd-resolved | 1 + apparmor.d/groups/systemd/systemd-udevd | 4 ++-- apparmor.d/groups/ubuntu/apt-esm-hook | 2 +- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 ++ apparmor.d/groups/ubuntu/update-manager | 19 ++++++++------- apparmor.d/groups/virt/containerd | 4 ++++ apparmor.d/profiles-a-f/aa-notify | 1 + apparmor.d/profiles-a-f/appstreamcli | 1 + apparmor.d/profiles-a-f/font-manager | 18 +++++++-------- apparmor.d/profiles-a-f/fprintd | 9 ++------ apparmor.d/profiles-a-f/frontend | 23 +++++++++---------- apparmor.d/profiles-a-f/fwupd | 3 +++ apparmor.d/profiles-g-l/ifup | 4 ++-- apparmor.d/profiles-g-l/lspci | 1 + apparmor.d/profiles-m-r/power-profiles-daemon | 1 + apparmor.d/profiles-s-z/sensors | 1 + 28 files changed, 81 insertions(+), 46 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index f64de582..79c4f042 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure 
@@ -38,7 +38,7 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner @{run}/user/@{uid}/pk-debconf-socket rw, + @{run}/user/@{uid}/pk-debconf-socket rw, # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index dd4bc64f..8b4fafa4 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -41,6 +41,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}, + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged, + dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] interface=org.freedesktop.Avahi.ServiceBrowser member={AllForNow,CacheExhausted}, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 1bc95f96..352c5534 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -18,6 +18,7 @@ profile plymouthd @{exec_path} { signal (send) peer=unconfined, + unix type=stream addr="@/org/freedesktop/plymouthd", unix type=stream peer=(addr="@/org/freedesktop/plymouthd"), @{exec_path} mr, @@ -27,6 +28,7 @@ profile plymouthd @{exec_path} { /etc/default/keyboard r, @{run}/udev/data/+drm:* r, + @{run}/udev/data/c226:* r, @{sys}/bus/ r, @{sys}/class/ r, @@ -38,6 +40,8 @@ profile plymouthd @{exec_path} { @{PROC}/cmdline r, /dev/dri/card[0-9]* rw, + /dev/ptmx rw, + /dev/tty[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4e25042e..22c62c33 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
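Review bot: The rewritten rule `@{run}/user/@{uid}/pk-debconf-socket rw,` drops the `owner` qualifier, so the confined process may now open that socket in any user's runtime directory rather than only one it owns. Presumably this is because dpkg-preconfigure runs as root while the socket belongs to the desktop user; if so, a one-line comment above the rule, e.g. `# Socket is owned by the logged-in user, not by root`, records the reason so the relaxation is not later mistaken for a typo. The frontend profile later in this patch adds the same qualifier-less rule and would benefit from the same comment. The dpkg-preconfigure profile continues outside the hunk.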
@@ -34,7 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown}, + member={SessionNew,SessionRemoved,PrepareForShutdown}, dbus bind bus=system name=org.freedesktop.UPower, diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index f5d261f9..cf42bd74 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService +@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService profile gnome-characters-backgroudservice @{exec_path} { include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index ff76bcc6..1efb4649 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -61,7 +61,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=ListCachedUsers, + member={ListCachedUsers,FindUserById}, dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties @@ -107,7 +107,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-background-properties/{,**} r, - /usr/share/gnome-bluetooth/{,**} r, + /usr/share/gnome-bluetooth{-*,}/{,**} r, /usr/share/gnome-color-manager/{,**} r, /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, 
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1c02e938..4f68eb92 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -15,6 +15,7 @@ profile gnome-control-center-goa-helper @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 46e8c9c6..19c42c25 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -31,6 +31,7 @@ profile gnome-music @{exec_path} { /{usr/,}bin/ r, /{usr/,}bin/python3.[0-9]* rix, + /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index bbf8f817..9054d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -23,6 +23,9 @@ profile gnome-terminal-server @{exec_path} { /{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{c,k,tc,z}sh rUx, + # Some CLI program can be launched directly from Gnome Shell + /{usr/,}bin/htop rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 9f9f7459..69d17130 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -43,11 +43,14 @@ profile pacman-key @{exec_path} { profile gpg { include + include + include capability dac_read_search, capability mknod, /{usr/,}bin/gpg mr, + /{usr/,}bin/dirmngr rix, /{usr/,}bin/gpg-agent rix, /usr/share/pacman/keyrings/{,*} r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 4e21b840..f754f9fa 100644 
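Review bot: `/{usr/,}bin/dirmngr rix,` in the `gpg` subprofile makes the keyserver client inherit this subprofile, including `capability dac_read_search` and `capability mknod`, and any network access dirmngr needs will have to be granted to the whole subprofile as well. If the project ships a dedicated dirmngr profile, `rPx` would keep the keyserver traffic under that profile's own rules; otherwise a comment such as `# dirmngr inherits gpg: keyserver access happens under this subprofile` would make the choice explicit. The gpg subprofile starts and ends outside the hunk.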
--- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -39,15 +39,20 @@ profile bootctl @{exec_path} { @{run}/host/container-manager r, + @{sys}//class/tpmrm/ r, + @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index a8290f4a..e26c4058 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -10,6 +10,8 @@ include profile systemd-machine-id-setup @{exec_path} { include + capability dac_override, + @{exec_path} mr, /etc/machine-id rw, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 9b9e028b..c410568f 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -11,6 +11,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 31ecf983..54adc87e 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd 
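Review bot: `@{sys}//class/tpmrm/ r,` has a doubled slash after `@{sys}`, which looks like a typo; the kernel does not present paths with empty components, so this rule will most likely never match and the tpmrm directory read will keep being denied. It should read `@{sys}/class/tpmrm/ r,`. The rest of the hunk follows the existing efivars pattern. The bootctl profile continues outside the hunk.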
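Review bot: `capability dac_override,` is added to systemd-machine-id-setup without a comment naming the access that requires it; the capability bypasses discretionary permission checks on every path the profile allows, so the trigger is worth recording. A note above the rule, for instance `# dac_override: needed for <operation seen in the audit log>` with the concrete file filled in, lets the next reviewer judge whether a narrower rule would do. The profile continues outside the hunk.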
@@ -49,8 +49,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { /{usr/,}{s,}bin/* rPUx, - /{usr,/}lib/pm-utils/power.d/* rPUx, - /{usr,/}lib/snapd/snap-device-helper rPx, + /{usr/,}lib/pm-utils/power.d/* rPUx, + /{usr/,}lib/snapd/snap-device-helper rPx, /{usr/,}lib/crda/* rPUx, /{usr/,}lib/gdm-runtime-config rPx, /{usr/,}lib/systemd/systemd-* rPx, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 5d581cdd..c9456448 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -18,7 +18,7 @@ profile apt-esm-hook @{exec_path} { /etc/machine-id r, - /var/cache/apt/pkgcache.bin.* rw, + /var/cache/apt/pkgcache.bin* rw, /var/lib/ubuntu-advantage/messages/{,**} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 9ba79f93..97ab7349 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -13,5 +13,7 @@ profile apt-esm-json-hook @{exec_path} { @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index a1dab06b..c2b43c28 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -30,7 +30,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*} interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}} - member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll}, + member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache}, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
@@ -54,13 +54,14 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/hwe-support-status rPx, - /{usr/,}bin/ischroot rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/snap rPUx, - /{usr/,}bin/uname rix, - /{usr/,}lib/apt/methods/http{,s} rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/hwe-support-status rPx, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/snap rPUx, + /{usr/,}bin/software-properties-gtk rPx, + /{usr/,}bin/uname rix, + /{usr/,}lib/apt/methods/http{,s} rPx, /usr/share/distro-info/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -70,6 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /usr/share/update-manager/{,**} r, /usr/share/X11/{,**} r, + /etc/gnome/defaults.list r, /etc/machine-id r, /etc/update-manager/{,**} r, @@ -82,6 +84,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /var/lib/update-manager/{,**} rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 7c8f4d7c..e279b484 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -21,7 +21,9 @@ profile containerd @{exec_path} { /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, + /etc/cni/ rw, /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /var/lib/containerd/{,**} rwk, @@ -30,6 +32,8 @@ profile containerd @{exec_path} { @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, + @{run}/systemd/notify w, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, owner @{PROC}/@{pids}/uid_map r, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 60c06ef3..5ff00d20 100644 
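Review bot: In the containerd hunk, `/etc/cni/ rw,` and `/etc/cni/net.d/ rw,` grant write on the directory entries themselves (creating or removing those directories), not on files inside them; if containerd is expected to write network configuration files, it is `/etc/cni/net.d/* w,` (or `rw`) that unblocks that, and if it only creates the directories a comment saying so avoids a later widening. A confined daemon writing under `/etc` is worth a why-comment either way. The containerd profile continues outside the hunk.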
--- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/aa-notify profile aa-notify @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 8d609ba3..bc053307 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -11,6 +11,7 @@ include profile appstreamcli @{exec_path} flags=(complain) { include include + include capability dac_read_search, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index bda09990..8bf1bb58 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -10,12 +10,12 @@ include profile font-manager @{exec_path} { include include - include - include include + include include - include include + include + include include network inet dgram, @@ -29,6 +29,8 @@ profile font-manager @{exec_path} { /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/font-manager/ rw, owner @{user_cache_dirs}/font-manager/* rwk, @@ -47,18 +49,16 @@ profile font-manager @{exec_path} { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/{,**} r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/smaps r, - @{PROC}zoneinfo r, - - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/{,**} r, + @{PROC}/zoneinfo r, # Silencer owner /var/cache/fontconfig/ w, 
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 215f7ef6..c2c9a6ff 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -18,12 +18,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { network netlink raw, dbus receive bus=system path=/net/reactivated/Fprint/Manager - interface=net.reactivated.Fprint.Manager - member={GetDefaultDevice,GetDevices}, - - dbus receive bus=system path=/net/reactivated/Fprint/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll, + interface={org.freedesktop.DBus.Properties,net.reactivated.Fprint.Manager}, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -33,7 +28,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login[0-9]), dbus bind bus=system name=net.reactivated.Fprint, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 46a762f5..9e018e0a 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -23,13 +23,14 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}bin/locale rix, # debconf apps + /{usr/,}{s,}bin/aspell-autobuildhash rPx, + /{usr/,}{s,}bin/pam-auth-update rPx, /{usr/,}bin/adequate rPx, /{usr/,}bin/debconf-apt-progress rPx, - /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, /{usr/,}bin/linux-check-removal rPx, /{usr/,}bin/ucf rPx, - /{usr/,}sbin/pam-auth-update rPx, - /{usr/,}sbin/aspell-autobuildhash rPx, + /{usr/,}bin/whiptail rPx, + /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, /usr/share/debian-security-support/check-support-status.hook rPx, # Run the package maintainer's scripts 
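Review bot: The merged rule `dbus receive bus=system path=/net/reactivated/Fprint/Manager interface={org.freedesktop.DBus.Properties,net.reactivated.Fprint.Manager},` has no `member=` clause, so it accepts every call on both interfaces where the two removed rules allowed only `GetDefaultDevice`, `GetDevices` and `GetAll`. If the goal was only to fold the rules together, keep the members with `member={GetDefaultDevice,GetDevices,GetAll},`; if fprintd genuinely needs more members, naming them in the rule or in a comment keeps the widening reviewable. The fprintd profile continues outside the hunk.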
@@ -55,13 +56,16 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}lib/dkms/dkms-* rPUx, /{usr/,}lib/dkms/dkms_* rPUx, - /etc/debconf.conf r, /usr/share/debconf/{,**} r, + + /etc/debconf.conf r, + /etc/inputrc r, + /etc/shadow r, + + owner /tmp/file* w, owner /var/cache/debconf/* rwk, - /etc/inputrc r, - - /etc/shadow r, + @{run}/user/@{uid}/pk-debconf-socket rw, # The following is needed when debconf uses GUI frontends. include @@ -74,11 +78,6 @@ profile frontend @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, - owner /tmp/file* w, - - profile scripts flags=(complain) { include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 471ab9f3..8f217fbe 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -86,11 +86,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /dev/bus/usb/ r, /dev/bus/usb/[0-9]*/[0-9]* rw, /dev/drm_dp_aux[0-9]* rw, + /dev/gpiochip[0-9]* r, /dev/hidraw[0-9]* rw, /dev/mei[0-9]* rw, /dev/mem r, + /dev/mtd[0-9]* rw, /dev/sd[a-z]* r, /dev/tpm[0-9]* rw, + /dev/tpmrm[0-9]* rw, /dev/wmi/* r, profile gpg flags=(complain) { diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 6de8a18f..7df34f07 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -32,7 +32,7 @@ profile ifup @{exec_path} { /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}sbin/sysctl rCx -> sysctl, + /{usr/,}{s,}bin/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -114,7 +114,7 @@ profile ifup @{exec_path} { capability sys_admin, # capability sys_resource, - /{usr/,}sbin/sysctl mr, + /{usr/,}{s,}bin/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, 
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index f270780b..e3308c76 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -19,6 +19,7 @@ profile lspci @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/[0-9]*/address r, @{sys}/devices/pci[0-9]*/** r, /usr/share/hwdata/pci.ids r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 1cbe45a1..c9d803ba 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -50,6 +50,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw, + @{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 2ee51148..528944ec 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -27,6 +27,7 @@ profile sensors @{exec_path} { @{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r, @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/pci[0-9]*/**/name r, + @{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r, @{sys}/devices/virtual/hwmon/hwmon[0-9]* r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r, From d04bb8f5b20e8ee532883f3898b0751b24e1c7ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 3 Jul 2022 20:28:26 +0100 Subject: [PATCH 088/165] feat(profiles): add systemd-resolve. --- apparmor.d/groups/systemd/systemd-resolve | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-resolve 
diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve new file mode 100644 index 00000000..2974f5f3 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-resolve @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/resolvectl +@{exec_path} += /{usr/,}bin/systemd-resolve +profile systemd-resolve @{exec_path} { + include + + capability mknod, + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + include if exists +} From 4a37cd11490c23eda8b784a7be39416a6ae64b48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 3 Jul 2022 20:29:45 +0100 Subject: [PATCH 089/165] feat(profiles): add software-properties-gtk & ubuntu-advantage. --- .../groups/ubuntu/software-properties-gtk | 36 +++++++++++++++++++ apparmor.d/groups/ubuntu/ubuntu-advantage | 24 +++++++++++++ dists/flags/ubuntu.flags | 5 +++ 3 files changed, 65 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/software-properties-gtk create mode 100644 apparmor.d/groups/ubuntu/ubuntu-advantage diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk new file mode 100644 index 00000000..4953d5d1 --- /dev/null +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
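Review bot: `capability mknod,` and `capability net_admin,` are granted to the new systemd-resolve profile without a comment explaining which operation needs them; mknod in particular is unusual for a resolver client and net_admin is a broad capability. A short note above each, for example `# net_admin: <operation seen in the audit log>`, would let the next reviewer check whether the grant can be narrowed. The rest of the new profile follows the project's layout.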
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/software-properties-gtk +profile software-properties-gtk @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/aplay rPx, + /{usr/,}bin/apt-key rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/ubuntu-advantage rPx, + + /usr/share/icons/{,**} r, + /usr/share/ubuntu-drivers-common/detect/{,**} r, + + /etc/machine-id r, + + owner @{PROC}/@{pid}/fd/ r, + + @{sys}/devices/ r, + @{sys}/devices/**/ r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage new file mode 100644 index 00000000..57338fed --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/ubuntu-advantage +profile ubuntu-advantage @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} \ No newline at end of file diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 0bcf03fd..047990aa 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags 
@@ -3,12 +3,17 @@ apport-gtk complain apt-esm-hook complain apt-esm-json-hook complain check-new-release-gtk complain +do-release-upgrade complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain +notify-reboot-required complain package-system-locked attach_disconnected,complain packagekitd complain release-upgrade-motd complain +software-properties-gtk +software-properties-gtk complain +ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-report complain update-manager attach_disconnected,complain From 9ea910d1a0e7e48f41522ef5873389091eb31da2 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 6 Jul 2022 20:49:52 +0200 Subject: [PATCH 090/165] Add CNI for containerd --- apparmor.d/groups/virt/calico | 26 +++++++++++++++++++++++ apparmor.d/groups/virt/cni | 35 +++++++++++++++++++++++++++++++ apparmor.d/groups/virt/containerd | 18 ++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 apparmor.d/groups/virt/calico create mode 100644 apparmor.d/groups/virt/cni diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico new file mode 100644 index 00000000..328d3e85 --- /dev/null +++ b/apparmor.d/groups/virt/calico @@ -0,0 +1,26 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/calico +profile calico @{exec_path} flags=(complain) { + include + + @{exec_path} rix, + @{exec_path}-ipam rix, + + network inet, + + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /var/lib/calico/ r, + /var/lib/calico/** r, + /etc/cni/net.d/ r, + /etc/cni/net.d/** r, + + /var/log/calico/cni/ r, + /var/log/calico/cni/cni.log wr, + + /run/calico/ipam.lock rwk, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni b/apparmor.d/groups/virt/cni new file mode 100644 index 00000000..2a4039c0 --- /dev/null +++ b/apparmor.d/groups/virt/cni 
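Review bot: `software-properties-gtk` appears twice in the new lines, once bare and once as `software-properties-gtk complain`; the bare line looks like a leftover, and depending on how the flags file is consumed it may be ignored or may override the `complain` entry so the new profile ends up enforced on first install. Drop the bare `software-properties-gtk` line so only the `complain` entry remains.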
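Review bot: In the new calico profile, `network inet,` carries no socket type, so it permits every inet socket including raw sockets; if the audit log only shows stream and datagram traffic for the CNI plugin, `network inet stream,` and `network inet dgram,` would be the narrower grant. `@{exec_path}-ipam rix,` also runs calico-ipam inside this profile, which is fine while both binaries need identical rules but deserves a comment such as `# calico-ipam shares this profile`.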
@@ -0,0 +1,35 @@ +abi , + +include + +profile loopback /{opt/,}{cni/,}bin/loopback { + include + + /opt/cni/bin/loopback rix, + + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} + +profile portmap /{opt/,}{cni/,}bin/portmap { + include + + /opt/cni/bin/portmap rix, + + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} + +profile bandwidth /{opt/,}{cni/,}bin/bandwidth { + include + + /opt/cni/bin/bandwidth rix, + + network inet, + network netlink raw, + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index e279b484..1ae77b55 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include capability dac_read_search, capability net_admin, @@ -16,6 +17,10 @@ profile containerd @{exec_path} { signal (receive) set=term peer=dockerd, + # Pulling container images + network inet, + network inet6, + @{exec_path} mr, /{usr/,}bin/containerd-shim-runc-v2 rPUx, @@ -26,6 +31,19 @@ profile containerd @{exec_path} { /etc/cni/net.d/ rw, /etc/containerd/*.toml r, + /opt/cni/bin/loopback Px, + /opt/cni/bin/portmap Px, + /opt/cni/bin/bandwidth Px, + /opt/cni/bin/calico Px, + + /var/log/pods/**/[0-9]*.log w, + @{run}/calico/ w, + + @{run}/netns/ w, + @{run}/netns/cni-@{uuid} rw, + /var/lib/cni/results/cni-loopback-@{uuid}-lo l, + @{PROC}/@{pid}/task/[0-9]*/ns/net rw, + /var/lib/containerd/{,**} rwk, /var/lib/docker/containerd/{,**} rwk, @{run}/containerd/{,**} rwk, From 3d63f9e21e018082b84283f1c0c5b6c31d859299 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 6 Jul 2022 20:50:14 +0200 Subject: [PATCH 091/165] Add AppArmor support to containerd --- apparmor.d/groups/virt/containerd | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 1ae77b55..982098f3 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -57,6 +57,12 @@ profile containerd @{exec_path} { owner @{PROC}/@{pids}/uid_map r, owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + + # AppArmor within containers + @{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/apparmor/parameters/enabled r, + /tmp/cri-containerd.apparmor.d[0-9]* rwl, + /usr/sbin/apparmor_parser Px, include if exists } \ No newline at end of file From 1556e62e10fcefb4a6be4891df15ccc60ecbc48f Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 6 Jul 2022 20:50:35 +0200 Subject: [PATCH 092/165] Update build instructions for Ubuntu --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 1b082b24..97c37edb 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it * An `apparmor` based linux distribution. * Base profiles and abstractions shipped with AppArmor are supposed to be installed. +* Go +* rsync **Archlinux** @@ -65,6 +67,8 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ Build using standard Debian package build tools: ```sh +sudo apt install debhelper ubuntu-dev-tools config-package-dev golang-go apparmor-profiles rsync + dpkg-buildpackage -b -d --no-sign sudo dpkg -i ../apparmor.d_*_all.deb ``` From 2ffa3d133931a4d7fe863fec1242250a010591d8 Mon Sep 17 00:00:00 2001 
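Review bot: `/usr/sbin/apparmor_parser Px,` uses a hard-coded `/usr/sbin` prefix and omits `r`, unlike the `rPx` rules elsewhere in this profile and the guideline visible earlier on this page; `/{usr/,}{s,}bin/apparmor_parser rPx,` is the consistent form. `Px` also requires an `apparmor_parser` profile to be loaded, otherwise the exec is denied, so if the project does not ship one `rPUx` is the fallback. The `l` in `/tmp/cri-containerd.apparmor.d[0-9]* rwl,` allows hard-linking the temporary policy file; if the audit log only shows create and write, drop it. The containerd profile continues outside the hunk.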
From: Jeroen Rijken Date: Sat, 9 Jul 2022 20:46:59 +0200 Subject: [PATCH 093/165] Cleanup profiles according to standards part 1/2 --- apparmor.d/groups/virt/calico | 17 +++++++------- apparmor.d/groups/virt/cni | 35 ---------------------------- apparmor.d/groups/virt/cni-bandwidth | 17 ++++++++++++++ apparmor.d/groups/virt/cni-loopback | 14 +++++++++++ apparmor.d/groups/virt/cni-portmap | 14 +++++++++++ apparmor.d/groups/virt/containerd | 10 ++++---- 6 files changed, 58 insertions(+), 49 deletions(-) delete mode 100644 apparmor.d/groups/virt/cni create mode 100644 apparmor.d/groups/virt/cni-bandwidth create mode 100644 apparmor.d/groups/virt/cni-loopback create mode 100644 apparmor.d/groups/virt/cni-portmap diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index 328d3e85..ac46f619 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico @@ -6,21 +6,20 @@ include profile calico @{exec_path} flags=(complain) { include + network inet, + network inet6, + @{exec_path} rix, @{exec_path}-ipam rix, - network inet, - - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /var/lib/calico/ r, - /var/lib/calico/** r, - /etc/cni/net.d/ r, - /etc/cni/net.d/** r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /var/lib/calico/{,**} r, + /etc/cni/net.d/{,**} r, /var/log/calico/cni/ r, - /var/log/calico/cni/cni.log wr, + /var/log/calico/cni/cni.log rw, - /run/calico/ipam.lock rwk, + @{run}/calico/ipam.lock rwk, include if exists } diff --git a/apparmor.d/groups/virt/cni b/apparmor.d/groups/virt/cni deleted file mode 100644 index 2a4039c0..00000000 --- a/apparmor.d/groups/virt/cni +++ /dev/null 
@@ -1,35 +0,0 @@ -abi , - -include - -profile loopback /{opt/,}{cni/,}bin/loopback { - include - - /opt/cni/bin/loopback rix, - - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - include if exists -} - -profile portmap /{opt/,}{cni/,}bin/portmap { - include - - /opt/cni/bin/portmap rix, - - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - include if exists -} - -profile bandwidth /{opt/,}{cni/,}bin/bandwidth { - include - - /opt/cni/bin/bandwidth rix, - - network inet, - network netlink raw, - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - include if exists -} diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth new file mode 100644 index 00000000..9bf87266 --- /dev/null +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -0,0 +1,17 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/bandwidth +profile bandwidth @{exec_path} { + include + + {exec_path} rm, + + network inet, + network netlink raw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback new file mode 100644 index 00000000..d746669a --- /dev/null +++ b/apparmor.d/groups/virt/cni-loopback @@ -0,0 +1,14 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/loopback +profile loopback @{exec_path} { + include + + {exec_path} rm, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap new file mode 100644 index 00000000..ce24f2b4 --- /dev/null +++ b/apparmor.d/groups/virt/cni-portmap @@ -0,0 +1,14 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/portmap +profile portmap @{exec_path} { + include + + {exec_path} rm, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} 
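Review bot: `{exec_path} rm,` in the new cni-bandwidth file drops the `@` sigil, so it is not a variable reference but a brace alternation expanding to the relative path `exec_path`, which apparmor_parser will either reject or never match — the plugin binary gets no map permission from its own profile; the line should read `@{exec_path} mr,`. The new cni-loopback and cni-portmap files in this commit carry the same typo. The three files also lack the license/SPDX header the other profiles in the repo start with, and `network inet,` in cni-bandwidth is unrestricted by socket type where `network inet stream,`/`network inet dgram,` would do if that is all the plugin uses.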
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 982098f3..c40c454e 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -31,10 +31,10 @@ profile containerd @{exec_path} { /etc/cni/net.d/ rw, /etc/containerd/*.toml r, - /opt/cni/bin/loopback Px, - /opt/cni/bin/portmap Px, - /opt/cni/bin/bandwidth Px, - /opt/cni/bin/calico Px, + /opt/cni/bin/loopback rPx, + /opt/cni/bin/portmap rPx, + /opt/cni/bin/bandwidth rPx, + /opt/cni/bin/calico rPx, /var/log/pods/**/[0-9]*.log w, @{run}/calico/ w, @@ -65,4 +65,4 @@ profile containerd @{exec_path} { /usr/sbin/apparmor_parser Px, include if exists -} \ No newline at end of file +} From edcd1304320ec91a74fd2c62bda78b894c8d0326 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 20:53:21 +0200 Subject: [PATCH 094/165] Calico profile cleanup. --- apparmor.d/groups/virt/calico | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index ac46f619..313959fb 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico @@ -9,17 +9,18 @@ profile calico @{exec_path} flags=(complain) { network inet, network inet6, - @{exec_path} rix, + @{exec_path} rm, @{exec_path}-ipam rix, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /var/lib/calico/{,**} r, /etc/cni/net.d/{,**} r, - + + /var/lib/calico/{,**} r, /var/log/calico/cni/ r, /var/log/calico/cni/cni.log rw, @{run}/calico/ipam.lock rwk, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } From 8413f6b9e6c377bfcdc674257e9090ba0f934ebd Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 11:51:15 +0200 Subject: [PATCH 095/165] Allow containerd to access SSL certs for pulling container images. --- apparmor.d/groups/virt/containerd | 1 + 1 file changed, 1 insertion(+) 
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index c40c454e..c44b9300 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include include capability dac_read_search, From 7524bfa343934430bc5144ee18ec81c9811139f3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 12:43:52 +0200 Subject: [PATCH 096/165] Syntax fixes --- apparmor.d/groups/virt/cni-bandwidth | 2 +- apparmor.d/groups/virt/cni-loopback | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 9bf87266..82e4792a 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -6,7 +6,7 @@ include profile bandwidth @{exec_path} { include - {exec_path} rm, + @{exec_path} mr, network inet, network netlink raw, diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index d746669a..2e542dd0 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -6,7 +6,7 @@ include profile loopback @{exec_path} { include - {exec_path} rm, + @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index ce24f2b4..efd2ae0d 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -6,7 +6,7 @@ include profile portmap @{exec_path} { include - {exec_path} rm, + @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, From 9fb43325a3f0ab4b4c572c3bc0e8a64b8e42266a Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Sun, 10 Jul 2022 12:49:33 +0200 Subject: [PATCH 097/165] Add headers to new policies --- apparmor.d/groups/virt/calico | 6 +++++- apparmor.d/groups/virt/cni-bandwidth | 4 ++++ apparmor.d/groups/virt/cni-loopback | 4 ++++ apparmor.d/groups/virt/cni-portmap | 4 ++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index 313959fb..b68944be 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include @@ -9,7 +13,7 @@ profile calico @{exec_path} flags=(complain) { network inet, network inet6, - @{exec_path} rm, + @{exec_path} mr, @{exec_path}-ipam rix, /etc/cni/net.d/{,**} r, diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 82e4792a..1de4dbf4 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index 2e542dd0..a6ff7d6f 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index efd2ae0d..02e24956 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include From 8a13d71edb7a80f7faa79270e7933044f4029555 Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Sun, 10 Jul 2022 13:36:44 +0200 Subject: [PATCH 098/165] Update CNI path, set containerd to attach_disconnected, cleanups. --- apparmor.d/groups/virt/calico | 4 ++-- apparmor.d/groups/virt/cni-bandwidth | 2 +- apparmor.d/groups/virt/cni-loopback | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- apparmor.d/groups/virt/containerd | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index b68944be..ad021b21 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/calico -profile calico @{exec_path} flags=(complain) { +@{exec_path} = /opt/cni/bin/calico +profile calico @{exec_path} { include network inet, diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 1de4dbf4..c477581d 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/bandwidth +@{exec_path} = /opt/cni/bin/bandwidth profile bandwidth @{exec_path} { include diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index a6ff7d6f..e1389f93 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/loopback +@{exec_path} = /opt/cni/bin/loopback profile loopback @{exec_path} { include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 02e24956..8d768844 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/portmap +@{exec_path} = /opt/cni/bin/portmap profile portmap @{exec_path} { include diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index c44b9300..212846e7 100644 
--- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/containerd -profile containerd @{exec_path} { +profile containerd @{exec_path} flags=(attach_disconnected) { include include include From 6e1e7dc32bd5226de54811fc72064efccf846992 Mon Sep 17 00:00:00 2001 From: Alex Date: Sun, 10 Jul 2022 12:38:11 +0000 Subject: [PATCH 099/165] Apply suggestions from code review --- apparmor.d/groups/virt/containerd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 212846e7..0a7c31ea 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -43,7 +43,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, /var/lib/cni/results/cni-loopback-@{uuid}-lo l, - @{PROC}/@{pid}/task/[0-9]*/ns/net rw, + @{PROC}/@{pid}/task/@{tid}/ns/net rw, /var/lib/containerd/{,**} rwk, /var/lib/docker/containerd/{,**} rwk, @@ -63,7 +63,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, /tmp/cri-containerd.apparmor.d[0-9]* rwl, - /usr/sbin/apparmor_parser Px, + /{usr/,}{s,}bin/apparmor_parser rPx, include if exists } From 3810c1668e97de337052da0ef4b4b08ae73e5642 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 5 Jul 2022 20:45:01 +0200 Subject: [PATCH 100/165] Basic ZFS support --- apparmor.d/abstractions/disks-read | 5 +++++ apparmor.d/groups/virt/containerd | 35 +++++++++++++++++++++++++++++- apparmor.d/profiles-s-z/zfs | 17 +++++++++++++++ apparmor.d/profiles-s-z/zpool | 21 ++++++++++++++++++ 4 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/zfs create mode 100644 apparmor.d/profiles-s-z/zpool 
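Review bot: `flags=(attach_disconnected)` is added to the containerd profile line without a comment stating which operation needs it; the flag makes the kernel treat disconnected paths (files reached through detached mounts or namespaces) as if rooted at `/`, which widens what the path rules below can match, so the reason should be recorded. A one-line comment above the profile line, e.g. `# attach_disconnected: needed for files accessed through container mount namespaces (TODO: confirm the exact denial)`, would keep a future cleanup from dropping it. The rest of the profile is outside the hunk.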
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 97bae8b7..5e8549ab 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -9,8 +9,10 @@ /dev/ r, # Regular disk/partition devices + /dev/block/ r, /dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]*[0-9]* rk, + /dev/disk/*/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, @@ -35,11 +37,14 @@ # LUKS/LVM (device-mapper) devices /dev/dm-[0-9]* rk, + /dev/mapper/* r, @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, # ZFS devices /dev/zd[0-9]* rk, + /dev/zvol/ r, + /dev/zvol/*/ r, @{sys}/devices/virtual/block/zd[0-9]*/ r, @{sys}/devices/virtual/block/zd[0-9]*/** r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index e279b484..b7729a7a 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,10 +9,13 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include + include capability dac_read_search, capability net_admin, capability sys_admin, + capability chown, signal (receive) set=term peer=dockerd, @@ -31,6 +34,7 @@ profile containerd @{exec_path} { @{run}/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, @{run}/systemd/notify w, 
@@ -40,5 +44,34 @@ profile containerd @{exec_path} { owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + # Extracting container images + /usr/{local/,}bin/unpigz PUx, + + # zfs snapshotter + /{usr/,}{local/,}{s,}bin/zfs Px, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/001/ r, + deny /dev/bus/usb/002/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/0/ r, + deny /dev/cpu/1/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs new file mode 100644 index 00000000..dfe846c0 --- /dev/null +++ b/apparmor.d/profiles-s-z/zfs @@ -0,0 +1,17 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +profile zfs @{exec_path} flags=(complain) { + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool new file mode 100644 index 00000000..67b73d7e --- /dev/null +++ b/apparmor.d/profiles-s-z/zpool @@ -0,0 +1,21 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool +profile zpool @{exec_path} flags=(complain) { + include + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + /dev/pts/[0-9]* rw, + /etc/hostid r, + + include if exists +} From 99c311e699000299290a81b503202b52e1c02de3 Mon Sep 17 00:00:00 2001 
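Review bot: `/usr/{local/,}bin/unpigz PUx,` lets the image-layer decompressor fall back to running unconfined whenever no unpigz profile is loaded, and unpigz is the process that parses registry-supplied layer data; a dedicated unpigz profile with `rPx` keeps it confined, and `rix` is the lesser fallback if a separate profile is not wanted. The same `PUx` fallback is carried into the PATCH 105 rewrite of this block (`/{usr/,}bin/unpigz rPUx,`). Separately, `umount -> /var/lib/...` does not appear to be valid umount syntax — `umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,` — and the `/dev/cpu/0/`, `/dev/cpu/1/`, `/dev/bus/usb/001/` denies hard-code host-specific numbers where `[0-9]*` is needed; both are corrected in PATCH 105. The profile header is outside the hunk.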
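Review bot: `@{exec_path} r,` in the new zfs profile grants only read on the binary, while every other profile in this repo uses `@{exec_path} mr,` because the executable has to be mapped PROT_EXEC after the `Px` transition from containerd; without `m` that mapping is likely to be denied once the profile leaves complain mode. The new zpool profile in this commit has the same `@{exec_path} r,`. Both files are also missing the license/SPDX header the other profiles carry.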
From: Jeroen Rijken Date: Thu, 7 Jul 2022 14:48:32 +0200 Subject: [PATCH 101/165] Executable updates for zpool --- apparmor.d/profiles-s-z/zpool | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 67b73d7e..b4d23646 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -10,12 +10,15 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} r, + /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, /dev/zfs rw, @{PROC}/@{pids}/mounts r, /dev/pts/[0-9]* rw, /etc/hostid r, + @{PROC}/sys/kernel/spl/hostid r, include if exists } From cc5d1a0e07e42e67287257c425b97087784af57c Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 14:43:19 +0200 Subject: [PATCH 102/165] Initramfs generation updates --- apparmor.d/profiles-m-r/mount-zfs | 4 ++++ apparmor.d/profiles-s-z/zpool | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index c79af21c..0f9cfb7b 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -24,12 +24,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, + mount fstype=zfs -> /tmp/zfsmnt.*/ + mount fstype=zfs -> /tmp/zfsmnt.*/*/ umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, + umount fstype=zfs -> /tmp/zfsmnt.*/ + mount fstype=zfs -> /tmp/zfsmnt.*/*/ @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index b4d23646..5b0efb02 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -20,5 +20,9 @@ profile zpool @{exec_path} flags=(complain) { /etc/hostid r, @{PROC}/sys/kernel/spl/hostid r, + /run/blkid/blkid.tab wr, + /run/blkid/blkid.tab.old l, + /run/blkid/blkid.tab-* wrl, + include if exists } 
From da08ef6aa6100c3e1d7a1dd3e2e5ae428f8e6cf7 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 14:44:53 +0200 Subject: [PATCH 103/165] Typo --- apparmor.d/profiles-m-r/mount-zfs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 0f9cfb7b..07490bb5 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -24,16 +24,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, - mount fstype=zfs -> /tmp/zfsmnt.*/ - mount fstype=zfs -> /tmp/zfsmnt.*/*/ + mount fstype=zfs -> /tmp/zfsmnt.*/, + mount fstype=zfs -> /tmp/zfsmnt.*/*/, umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, - umount fstype=zfs -> /tmp/zfsmnt.*/ - mount fstype=zfs -> /tmp/zfsmnt.*/*/ + umount /tmp/zfsmnt.*/, + umount /tmp/zfsmnt.*/*/, @{PROC}/@{pids}/mounts r, From c9b4423e45387012d2ceaa606b44ff4f5b3d7ea3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 15:24:10 +0200 Subject: [PATCH 104/165] Allow mount-zfs access to pts --- apparmor.d/profiles-m-r/mount-zfs | 2 ++ apparmor.d/profiles-s-z/zpool | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 07490bb5..cfd13ccf 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -15,6 +15,8 @@ profile mount-zfs @{exec_path} flags=(complain) { @{exec_path} mr, + /dev/pts/[0-9]* rw, + @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 5b0efb02..bbd73e3d 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool 
@@ -9,7 +9,7 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, - @{exec_path} r, + @{exec_path} rm, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, From 59f8b893ffedc6292c738b3e6dce24aa06b73399 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 20:33:47 +0200 Subject: [PATCH 105/165] Cleanup profiles according to standards --- apparmor.d/groups/virt/containerd | 74 +++++++++++++++---------------- apparmor.d/profiles-s-z/zfs | 3 +- apparmor.d/profiles-s-z/zpool | 19 ++++---- 3 files changed, 47 insertions(+), 49 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index b7729a7a..f73d1b37 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -17,61 +17,57 @@ profile containerd @{exec_path} { capability sys_admin, capability chown, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + + umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + signal (receive) set=term peer=dockerd, - @{exec_path} mr, - + @{exec_path} rm, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/docker/containerd/{,**} rwk, - @{run}/containerd/{,**} rwk, - @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, - mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, - @{run}/systemd/notify w, + @{run}/systemd/notify w, + @{run}/containerd/{,**} rwk, + @{run}/docker/containerd/{,**} rwk, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, - # Extracting container images - /usr/{local/,}bin/unpigz PUx, - - # zfs snapshotter - /{usr/,}{local/,}{s,}bin/zfs Px, - mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, - deny /dev/bsg/ r, - deny /dev/bus/ r, - deny /dev/bus/usb/ r, - deny /dev/bus/usb/001/ r, - deny /dev/bus/usb/002/ r, - deny /dev/char/ r, - deny /dev/cpu/ r, - deny /dev/cpu/0/ r, - deny /dev/cpu/1/ r, - deny 
/dev/dma_heap/ r, - deny /dev/dri/ r, - deny /dev/dri/by-path/ r, - deny /dev/hugepages/ r, - deny /dev/input/ r, - deny /dev/input/by-id/ r, - deny /dev/input/by-path/ r, - deny /dev/net/ r, - deny /dev/snd/ r, - deny /dev/snd/by-path/ r, - deny /dev/vfio/ r, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/[0-9]*/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/[0-9]*/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index dfe846c0..d3404b00 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -10,8 +10,9 @@ profile zfs @{exec_path} flags=(complain) { @{exec_path} r, - /dev/zfs rw, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index bbd73e3d..dfa2f83e 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -11,18 +11,19 @@ profile zpool @{exec_path} flags=(complain) { @{exec_path} rm, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, - /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, - - /dev/zfs rw, + /{usr/,}bin/{,ba,da}sh rix, + + /etc/hostid r, + + @{run}/blkid/blkid.tab rw, + @{run}/blkid/blkid.tab.old l, + @{run}/blkid/blkid.tab-* rwl, + + @{PROC}/sys/kernel/spl/hostid r, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, /dev/pts/[0-9]* rw, - /etc/hostid r, - @{PROC}/sys/kernel/spl/hostid r, - - /run/blkid/blkid.tab wr, - /run/blkid/blkid.tab.old l, - /run/blkid/blkid.tab-* wrl, include if exists } From d10f2c073c7d09d9d3ab55ae45b32fe6f16a90bf Mon Sep 17 00:00:00 2001 
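Review bot: `/{usr/,}bin/{,ba,da}sh rix,` in the zpool profile runs an interpreter that inherits `capability sys_admin,` and `/dev/zfs rw,`; if the shells exist only for the `zpool.d/*` helper scripts on the line above, a comment such as `# shells inherit this profile for zpool.d/ helper scripts` would make that intentional rather than accidental. The rewrite also drops `{local/,}` and the `k`/`z` shells from the previous rule; if that narrowing was deliberate it deserves a word in the commit message. The zfs hunk in this same commit keeps `@{exec_path} r,` where `mr` is the expected form.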
From: Jeroen Rijken Date: Sun, 10 Jul 2022 13:01:31 +0200 Subject: [PATCH 106/165] Alphabetical sorting, group common options. --- apparmor.d/groups/virt/containerd | 8 ++++---- apparmor.d/profiles-s-z/zpool | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f73d1b37..9b1c578f 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -12,10 +12,10 @@ profile containerd @{exec_path} { include include + capability chown, capability dac_read_search, capability net_admin, capability sys_admin, - capability chown, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, @@ -24,11 +24,11 @@ profile containerd @{exec_path} { signal (receive) set=term peer=dockerd, - @{exec_path} rm, - /{usr/,}bin/unpigz rPUx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + @{exec_path} mr, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, /etc/cni/ rw, /etc/cni/{,**} r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index dfa2f83e..ccd94c56 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -10,20 +10,20 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} rm, - /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /etc/hostid r, + @{PROC}/sys/kernel/spl/hostid r, @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab-* rwl, - @{PROC}/sys/kernel/spl/hostid r, @{PROC}/@{pids}/mounts r, - /dev/zfs rw, /dev/pts/[0-9]* rw, + /dev/zfs rw, include if exists } From d8449de55e49b71a4e953a36bc0624cb2d6b4770 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 10 Jul 2022 14:24:09 +0100 Subject: [PATCH 107/165] feat(profiles): add and merge some cni profiles. --- apparmor.d/groups/virt/cni-bandwidth | 15 +++++++++------ apparmor.d/groups/virt/cni-bridge | 18 ++++++++++++++++++ apparmor.d/groups/virt/cni-firewall | 18 ++++++++++++++++++ apparmor.d/groups/virt/cni-loopback | 6 +++--- apparmor.d/groups/virt/cni-portmap | 6 +++--- apparmor.d/groups/virt/cni-tuning | 18 ++++++++++++++++++ 6 files changed, 69 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/groups/virt/cni-bridge create mode 100644 apparmor.d/groups/virt/cni-firewall create mode 100644 apparmor.d/groups/virt/cni-tuning diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index c477581d..a19504b8 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -6,16 +6,19 @@ abi , include -@{exec_path} = /opt/cni/bin/bandwidth -profile bandwidth @{exec_path} { +@{exec_path} = /{usr/,}lib/cni/bandwidth /opt/cni/bin/bandwidth +profile cni-bandwidth @{exec_path} { include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mr, - network inet, - network netlink raw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists + include if exists } diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge new file mode 100644 index 00000000..e2a3a76f --- /dev/null +++ b/apparmor.d/groups/virt/cni-bridge @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/bridge /opt/cni/bin/bridge +profile cni-bridge @{exec_path} { + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file 
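Review bot: The new cni-bridge profile grants only `@{exec_path} mr,` and one sysfs read, yet a bridge plugin creates bridge and veth interfaces and moves them into container network namespaces, which likely needs at least `network netlink raw,` and `capability net_admin,` in this profile — the parent's capabilities do not carry across the `rPx` transition from containerd. If the rules are meant to be filled in from audit logs, marking the profile `flags=(complain)` until then avoids silently breaking pod networking in enforce mode. The cni-firewall and cni-tuning files added in this commit have the same skeleton.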
diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall new file mode 100644 index 00000000..729329e5 --- /dev/null +++ b/apparmor.d/groups/virt/cni-firewall @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/firewall /opt/cni/bin/firewall +profile cni-firewall @{exec_path} { + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index e1389f93..7e618fe6 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /opt/cni/bin/loopback -profile loopback @{exec_path} { +@{exec_path} = /{usr/,}lib/cni/loopback /opt/cni/bin/loopback +profile cni-loopback @{exec_path} { include @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists + include if exists } diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 8d768844..38fec593 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /opt/cni/bin/portmap -profile portmap @{exec_path} { +@{exec_path} = /{usr/,}lib/cni/portmap /opt/cni/bin/portmap +profile cni-portmap @{exec_path} { include @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists + include if exists } diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning new file mode 100644 index 00000000..dc14dfa4 --- /dev/null +++ b/apparmor.d/groups/virt/cni-tuning 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/tuning /opt/cni/bin/tuning +profile cni-tuning @{exec_path} { + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file From c0e62f30bb9d0ed13dfe671360c0c7b34d773b43 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Jul 2022 14:24:30 +0100 Subject: [PATCH 108/165] feat(profiles): add wireguard. --- apparmor.d/groups/network/wg | 20 +++++++++++++ apparmor.d/groups/network/wg-quick | 48 ++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 apparmor.d/groups/network/wg create mode 100644 apparmor.d/groups/network/wg-quick diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg new file mode 100644 index 00000000..6f4bf4ea --- /dev/null +++ b/apparmor.d/groups/network/wg @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/wg +profile wg @{exec_path} { + include + + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick new file mode 100644 index 00000000..06ccb7d6 --- /dev/null +++ b/apparmor.d/groups/network/wg-quick 
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/wg-quick +profile wg-quick @{exec_path} { + include + + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + /{usr/,}{s,}bin/nft rix, + /{usr/,}{s,}bin/sysctl rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/ip rPx, + /{usr/,}bin/readlink rix, + /{usr/,}bin/resolvectl rPx, + /{usr/,}bin/sort rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/wg rPx, + /{usr/,}bin/xtables-nft-multi rix, + + /usr/share/terminfo/x/xterm-256color r, + + /etc/iproute2/group r, + /etc/iproute2/rt_realms r, + /etc/resolvconf/interface-order r, + /etc/wireguard/*.conf r, + + @{sys}/module/wireguard r, + + @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + + /dev/tty rw, + + # Force the use as root + deny /{usr/,}bin/sudo x, + + include if exists +} \ No newline at end of file From 23642eb0bebef0d8b0ee84e7ebdbbcc1467f6cd7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Jul 2022 14:28:44 +0100 Subject: [PATCH 109/165] feat(profiles): general update. --- apparmor.d/groups/cron/cron-apport | 1 + .../gnome/gnome-characters-backgroudservice | 2 ++ apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- .../groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/ubuntu/do-release-upgrade | 6 ++++++ apparmor.d/profiles-a-f/boltd | 3 +-- apparmor.d/profiles-g-l/ip | 10 ++++++---- apparmor.d/profiles-g-l/jekyll | 16 +++++++--------- apparmor.d/profiles-m-r/run-parts | 1 + apparmor.d/profiles-s-z/sudo | 1 + apparmor.d/profiles-s-z/wireplumber | 1 + apparmor.d/profiles-s-z/zfs | 4 ++++ apparmor.d/profiles-s-z/zpool | 7 ++++++- 14 files changed, 39 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index abf16812..3c37534a 100644 
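Review bot: Because `/{usr/,}bin/{,ba,da}sh rix,` inherits this profile together with `capability net_admin`, the exec list under it is the only thing bounding whatever the `PreUp`/`PostUp`/`PreDown`/`PostDown` hooks in `/etc/wireguard/*.conf` run, assuming the usual wg-quick hook semantics apply; that deserves to be written down so nobody later relaxes the shell line to `rUx`. Suggested comment above the shell rule: `# Config hooks (PreUp/PostUp/...) run through this shell: every binary they may call must be listed here, never rUx`. The `deny /{usr/,}bin/sudo x,` rule with its `Force the use as root` note fits the same explanation and could be grouped with it. `nft`, `sysctl` and `xtables-nft-multi` also run with `rix` and thus with net_admin, which is fine as long as the list stays closed.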
--- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -18,6 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, + /var/crash/*.crash w, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index cf42bd74..ed4bc812 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -13,6 +13,8 @@ profile gnome-characters-backgroudservice @{exec_path} { @{exec_path} mr, + /{usr/,}bin/gjs-console rix, + /usr/share/icons/{,**} r, /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 9132ee3c..b35ae8f2 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -37,7 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={UserNew,SessionNew,PrepareForShutdown,SeatNew}, + member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved}, dbus bind bus=system name=org.freedesktop.ModemManager[0-9], diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index cebfc7c3..b114eda3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9] interface=org.freedesktop.systemd[0-9].Manager - member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe}, + member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit}, dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/{unit,job}/** interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index e26c4058..86a0d4f7 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/systemd-machine-id-setup profile systemd-machine-id-setup @{exec_path} { include + include capability dac_override, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 1d8f91cd..8140c18c 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -15,6 +15,11 @@ profile do-release-upgrade @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, @@ -27,6 +32,7 @@ profile do-release-upgrade @{exec_path} { /etc/update-manager/{,**} r, /var/lib/update-manager/meta-release-* rw, + /var/cache/apt/pkgcache.bin{,.*} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 3501ad8e..a98cdfa7 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd 
@@ -35,8 +35,7 @@ profile boltd @{exec_path} { @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r, @{sys}/devices/platform/**/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 8c5a471c..ec164180 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -13,12 +13,11 @@ profile ip @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_module, network netlink raw, - @{exec_path} mrix, - mount options=(rw, rshared) -> /{var/,}run/netns/, mount options=(rw, rslave) -> /, mount options=(rw, bind) / -> /{var/,}run/netns/*, @@ -28,12 +27,15 @@ profile ip @{exec_path} flags=(attach_disconnected) { umount @{run}/netns/*, umount /sys/, - /etc/iproute2/{,**} r, + @{exec_path} mrix, / r, + + /etc/iproute2/{,**} r, + /etc/netns/*/ r, + owner @{run}/netns/ rw, @{run}/netns/* rw, - /etc/netns/*/ r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/net/dev_mcast r, diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index c80ec1eb..1eb551d2 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -1,9 +1,8 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -@{JEKYLL_DIR}=@{HOME}/morfikov.github.io - abi , include 
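Review bot: `capability sys_admin,` is added to the ip profile without a why-comment, and it is the broadest capability AppArmor can hand out; the surrounding `mount ... -> /{var/,}run/netns/` and `umount @{run}/netns/*` rules suggest it is for `ip netns`, so record that: `# ip netns: mounting/unmounting @{run}/netns/* requires CAP_SYS_ADMIN`. Every profile that reaches `ip` through `rPx` (wg-quick in this same series, for one) now inherits that grant, so if the netns subcommands are only needed by a few callers, a child profile for that path would keep sys_admin off the common route. The rest of the ip profile, including any further exec rules, lies outside this hunk.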
@@ -17,19 +16,18 @@ profile jekyll @{exec_path} { @{exec_path} r, /{usr/,}bin/ruby[0-9].[0-9]* rix, - /usr/share/rubygems-integration/*/specifications/ r, - /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, - /{usr/,}lib/ruby/gems/*/specifications/ r, /{usr/,}lib/ruby/gems/*/specifications/** r, /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, + /usr/share/rubygems-integration/*/specifications/ r, + /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, + /usr/share/ruby-addressable/unicode.data r, - # Jekyll dir - owner @{JEKYLL_DIR}/{,**} r, - owner @{JEKYLL_DIR}/_site/{,**} rw, - owner @{JEKYLL_DIR}/.sass-cache/** rw, + owner @{user_projects_dirs}/{,**} r, + owner @{user_projects_dirs}/**/_site/{,**} rw, + owner @{user_projects_dirs}/**/.sass-cache/** rw, @{PROC}/version r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 08cdcdfa..b8671752 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -82,6 +82,7 @@ profile run-parts @{exec_path} { /etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/postfix rPUx, + /etc/network/if-up.d/ubuntu-fan rPx, /etc/network/if-up.d/wpasupplicant rPUx, # Motd diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 1460d0f0..a39f81ad 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -33,6 +33,7 @@ profile sudo @{exec_path} { ptrace (read), + signal (send) peer=unconfined, signal (send) set=(cont,hup) peer=su, dbus send bus=system path=/org/freedesktop/login[0-9] diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 75eec8ad..0968890c 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber 
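Review bot: `signal (send) peer=unconfined,` carries no `set=`, so sudo may deliver any signal to any unconfined process on the system, whereas the rule right below it is scoped as `signal (send) set=(cont,hup) peer=su,`. If the purpose is relaying the caller's signals to a command sudo started unconfined, the set can presumably be limited to what sudo forwards, e.g. `signal (send) set=(term,int,hup,cont,kill) peer=unconfined,`, with a comment stating that purpose; please confirm the actual set before narrowing. An unscoped send to unconfined is effectively root-only to begin with, but the profile should still say why it is there.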
@@ -45,6 +45,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/pci[0-9]*/**/modalias r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, /dev/snd/ r, /dev/video[0-9]* rw, diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index d3404b00..1251aa57 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index ccd94c56..d39b710d 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include @@ -10,17 +14,18 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} rm, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /etc/hostid r, - @{PROC}/sys/kernel/spl/hostid r, @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab-* rwl, @{PROC}/@{pids}/mounts r, + @{PROC}/sys/kernel/spl/hostid r, /dev/pts/[0-9]* rw, /dev/zfs rw, From 63f1a98c370a15ae1c90767a5d4e272572a85d58 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Jul 2022 14:30:56 +0100 Subject: [PATCH 110/165] feat(profiles): add cron-ubuntu-fan. --- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 33 ++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/cron-ubuntu-fan diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan new file mode 100644 index 00000000..ee5e23ac --- /dev/null +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan 
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/network/if-up.d/ubuntu-fan
+profile cron-ubuntu-fan @{exec_path} {
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,da,ba}sh rix,
+ /{usr/,}{s,}bin/fanctl rix,
+ /{usr/,}bin/flock rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/ip rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/touch rix,
+
+ /etc/network/fan r,
+
+ @{run}/ubuntu-fan/ rw,
+ @{run}/ubuntu-fan/.lock rwk,
+
+ include if exists
+}
\ No newline at end of file
From 2d7ec5ad2c6fd32655cdef6bd535ee1b65936a89 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Fri, 15 Jul 2022 20:42:15 +0000 Subject: [PATCH 111/165] Update spectre-meltdown-checker (#50) * Update spectre-meltdown-checker --- .../profiles-s-z/spectre-meltdown-checker | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
index b2fdf5df..b45d6d25 100644
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@@ -9,6 +9,7 @@ include @{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh}
 profile spectre-meltdown-checker @{exec_path} {
 include
+ include # Needed to read the /dev/cpu/[0-9]*/msr device capability sys_rawio,
@@ -56,11 +57,14 @@ profile spectre-meltdown-checker @{exec_path} {
 /{usr/,}bin/{,@{multiarch}-}strings rix,
 /{usr/,}bin/{,@{multiarch}-}objdump rix,
 /{usr/,}{s,}bin/iucode_tool rix,
+ /{usr/,}{s,}bin/rdmsr rix,
 /{usr/,}bin/dmesg rix,
 /{usr/,}{s,}bin/mount rix,
 /{usr/,}bin/find rix,
 /{usr/,}bin/xargs rix,
 /{usr/,}bin/readlink rix,
+ /{usr/,}bin/nproc rix,
+ /{usr/,}bin/date rix,
 /{usr/,}bin/pgrep rCx -> pgrep,
 /{usr/,}bin/ccache rCx -> ccache,
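Review bot: `/{usr/,}bin/ip rix,` runs ip inside this profile, which grants `network netlink raw` but no `capability net_admin`, so any interface or bridge change that fanctl makes through ip would presumably be denied; elsewhere in this series (wg-quick) ip is executed as `/{usr/,}bin/ip rPx,` so that the dedicated ip profile supplies net_admin. Switching this line to `/{usr/,}bin/ip rPx,` keeps net_admin out of a cron-driven shell profile and matches that convention. `/{usr/,}{s,}bin/fanctl rix,` looks like a shell driver, in which case the `{,da,ba}sh rix` line is what bounds it and a one-line comment saying so would help the next reader; I cannot confirm fanctl's implementation from the hunk.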
@@ -71,13 +75,12 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/sqlite3 rCx -> mcedb, owner /tmp/mcedb-* rw, owner /tmp/smc-* rw, - owner /tmp/intelfw-*/ rw, - owner /tmp/intelfw-*/fw.zip rw, - owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw, - owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw, + owner /tmp/{,smc-}intelfw-*/ rw, + owner /tmp/{,smc-}intelfw-*/fw.zip rw, + owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, + owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, owner @{HOME}/.mcedb rw, - owner @{exec_path} w, /tmp/ r, owner /tmp/{config,kernel}-* rw, @@ -99,8 +102,8 @@ profile spectre-meltdown-checker @{exec_path} { @{PROC}/modules r, # find and denoise - @{PROC}/@{pid}/{status,exe} r, - @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/{status,exe} r, + @{PROC}/@{pids}/fd/ r, @{PROC}/*/ r, /var/lib/dbus/machine-id r, @@ -110,7 +113,6 @@ profile spectre-meltdown-checker @{exec_path} { /root/ r, /etc/ r, - profile ccache { include @@ -124,10 +126,12 @@ profile spectre-meltdown-checker @{exec_path} { /etc/debian_version r, + include if exists } profile pgrep { include + include /{usr/,}bin/pgrep mr, @@ -137,6 +141,7 @@ profile spectre-meltdown-checker @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, + include if exists } profile mcedb { 
@@ -146,22 +151,33 @@ profile spectre-meltdown-checker @{exec_path} { include include + deny capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + /{usr/,}bin/wget mr, /{usr/,}bin/sqlite3 mr, /etc/wgetrc r, owner @{HOME}/.wget-hsts rwk, + owner @{HOME}/.mcedb rw, /tmp/ r, - owner /tmp/mcedb-* rwk, - owner /tmp/intelfw-*/fw.zip rw, + owner /tmp/{,smc-}mcedb-* rwk, + owner /tmp/{,smc-}intelfw-*/fw.zip rw, /usr/share/publicsuffix/public_suffix_list.* r, + include if exists } profile kmod { include + include capability sys_module, @@ -175,6 +191,7 @@ profile spectre-meltdown-checker @{exec_path} { @{PROC}/cmdline r, + include if exists } include if exists From 6c8e50534b79d75e59b344d6186cd75e63127518 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 14:53:37 +0200 Subject: [PATCH 112/165] Cleanup profile Signed-off-by: Jeroen Rijken --- apparmor.d/groups/virt/containerd | 66 +++++++++++++++---------------- 1 file changed, 32 insertions(+), 34 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 882ba9e0..a07de445 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -32,6 +32,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { signal (receive) set=term peer=dockerd, @{exec_path} mr, + /{usr/,}{s,}bin/apparmor_parser rPx, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, /{usr/,}bin/unpigz rPUx, 
@@ -47,53 +48,50 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /opt/cni/bin/bandwidth rPx, /opt/cni/bin/calico rPx, - /var/log/pods/**/[0-9]*.log w, - @{run}/calico/ w, + /opt/containerd/{,**} rw, - @{run}/netns/ w, - @{run}/netns/cni-@{uuid} rw, /var/lib/cni/results/cni-loopback-@{uuid}-lo l, - @{PROC}/@{pid}/task/@{tid}/ns/net rw, - /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/docker/containerd/{,**} rwk, - /opt/containerd/{,**} rw, + /var/log/pods/**/[0-9]*.log w, - @{run}/systemd/notify w, + @{run}/calico/ w, @{run}/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk, + @{run}/netns/ w, + @{run}/netns/cni-@{uuid} rw, + @{run}/systemd/notify w, + + /tmp/cri-containerd.apparmor.d[0-9]* rwl, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, - @{PROC}/sys/net/core/somaxconn r, - - # AppArmor within containers @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, - /tmp/cri-containerd.apparmor.d[0-9]* rwl, - /{usr/,}{s,}bin/apparmor_parser rPx, - deny /dev/bsg/ r, - deny /dev/bus/ r, - deny /dev/bus/usb/ r, - deny /dev/bus/usb/[0-9]*/ r, - deny /dev/char/ r, - deny /dev/cpu/ r, - deny /dev/cpu/[0-9]*/ r, - deny /dev/dma_heap/ r, - deny /dev/dri/ r, - deny /dev/dri/by-path/ r, - deny /dev/hugepages/ r, - deny /dev/input/ r, - deny /dev/input/by-id/ r, - deny /dev/input/by-path/ r, - deny /dev/net/ r, - deny /dev/snd/ r, - deny /dev/snd/by-path/ r, - deny /dev/vfio/ r, + @{PROC}/@{pid}/task/@{tid}/ns/net rw, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/sys/net/core/somaxconn r, + + deny /dev/bsg/ rwkl, + deny /dev/bus/ rwkl, + deny /dev/bus/usb/ rwkl, + deny /dev/bus/usb/[0-9]*/ rwkl, + deny /dev/char/ rwkl, + deny /dev/cpu/ rwkl, + deny /dev/cpu/[0-9]*/ rwkl, + deny /dev/dma_heap/ rwkl, + deny /dev/dri/ rwkl, + deny 
/dev/dri/by-path/ rwkl,
+ deny /dev/hugepages/ rwkl,
+ deny /dev/input/ rwkl,
+ deny /dev/input/by-id/ rwkl,
+ deny /dev/input/by-path/ rwkl,
+ deny /dev/net/ rwkl,
+ deny /dev/snd/ rwkl,
+ deny /dev/snd/by-path/ rwkl,
+ deny /dev/vfio/ rwkl,
 include if exists
 }
From 02ad72b024937445e1186683a9427111767ad018 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 15:10:34 +0200 Subject: [PATCH 113/165] Allow containerd to (u)mount cni devices, and loopback to access them. --- apparmor.d/groups/virt/cni-loopback | 3 +++ apparmor.d/groups/virt/containerd | 2 ++ 2 files changed, 5 insertions(+)
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index 7e618fe6..da2cd4a0 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -11,6 +11,9 @@ profile cni-loopback @{exec_path} {
 include
 @{exec_path} mr,
+
+ @{run}/netns/ r,
+ @{run}/netns/cni-@{uuid} rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index a07de445..6c6746dd 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -26,8 +26,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
 mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+ mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
 umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+ umount @{run}/netns/cni-@{uuid},
 signal (receive) set=term peer=dockerd,
From 682df516bf372a92ef988a2ef0bcad30f2ddafaa Mon Sep 17 00:00:00 2001
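Review bot: `/tmp/cri-containerd.apparmor.d[0-9]* rwl,` is the file containerd hands to `/{usr/,}{s,}bin/apparmor_parser rPx,` to load container policy into the kernel, and it lives in world-writable `/tmp` under a predictable name with no `owner` qualifier. Unless containerd creates it with O_EXCL (not visible here), a local user who pre-creates or symlinks that path could influence policy text loaded as root; `owner /tmp/cri-containerd.apparmor.d[0-9]* rwl,` makes AppArmor refuse a file not owned by containerd's uid regardless, and a comment `# temp profile text passed to apparmor_parser; owner-only so a pre-planted file is refused` records why. The reorganised block also drops the only explanatory comment in this area (`# AppArmor within containers`), so the apparmor_parser/sysfs lines are now unexplained; one line above them would restore that.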
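Review bot: `mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},` names no source, so any path may be bind-mounted over the netns file. The source of a CNI sandbox netns is the namespace file of the sandbox thread, which this profile already accesses as `@{PROC}/@{pid}/task/@{tid}/ns/net`, so pinning it, `mount options=(rw, bind) @{PROC}/@{pid}/task/@{tid}/ns/net -> @{run}/netns/cni-@{uuid},`, narrows the grant to that one case; please verify the exact mount call containerd issues before adopting it, since I am inferring the source. The matching `umount @{run}/netns/cni-@{uuid},` and the loopback plugin's `@{run}/netns/cni-@{uuid} rw,` look consistent with each other.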
From: Jeroen Rijken Date: Sun, 10 Jul 2022 16:09:33 +0200 Subject: [PATCH 114/165] Make calico part of cni --- apparmor.d/groups/virt/{calico => cni-calico} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename apparmor.d/groups/virt/{calico => cni-calico} (87%) diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/cni-calico similarity index 87% rename from apparmor.d/groups/virt/calico rename to apparmor.d/groups/virt/cni-calico index ad021b21..934e99f0 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/cni-calico @@ -7,7 +7,7 @@ abi , include @{exec_path} = /opt/cni/bin/calico -profile calico @{exec_path} { +profile cni-calico @{exec_path} { include network inet, @@ -26,5 +26,5 @@ profile calico @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists + include if exists } From eb6c7548f5ffd2fe211b11b29421a193eb5b674e Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 15 Jul 2022 21:55:59 +0100 Subject: [PATCH 115/165] feat(profiles): general update. --- apparmor.d/abstractions/chromium-common | 2 + apparmor.d/abstractions/disks-read | 4 +- apparmor.d/groups/apt/apt-methods-http | 8 ++- apparmor.d/groups/apt/unattended-upgrade | 15 +++--- apparmor.d/groups/freedesktop/plymouthd | 3 ++ apparmor.d/groups/gnome/gnome-extensions-app | 2 +- .../groups/gnome/gsd-print-notifications | 4 ++ apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 4 +- .../groups/ubuntu/notify-reboot-required | 3 +- apparmor.d/groups/ubuntu/packagekitd | 2 +- .../groups/ubuntu/software-properties-gtk | 18 +++++-- apparmor.d/groups/ubuntu/ubuntu-advantage | 11 ++++ apparmor.d/groups/ubuntu/update-manager | 12 +++-- apparmor.d/groups/virt/cni-calico | 6 ++- apparmor.d/profiles-g-l/kmod | 52 ++++++++----------- apparmor.d/profiles-m-r/mkinitramfs | 1 + apparmor.d/profiles-m-r/qemu-ga | 2 + apparmor.d/profiles-m-r/run-parts | 2 +- apparmor.d/profiles-s-z/sudo | 3 ++ apparmor.d/profiles-s-z/sulogin | 2 + 21 files changed, 96 insertions(+), 62 deletions(-) diff --git a/apparmor.d/abstractions/chromium-common b/apparmor.d/abstractions/chromium-common index a9c26ac5..f37182d7 100644 --- a/apparmor.d/abstractions/chromium-common +++ b/apparmor.d/abstractions/chromium-common @@ -39,3 +39,5 @@ owner @{HOME}/.pki/nssdb/pkcs11.txt rw, owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 5e8549ab..1399c2c4 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read 
@@ -7,12 +7,12 @@ # The /sys/ entries probably should be tightened /dev/ r, + /dev/block/ r, + /dev/disk/*/ r, # Regular disk/partition devices - /dev/block/ r, /dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]*[0-9]* rk, - /dev/disk/*/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7f27b7d8..6ed3835a 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -14,17 +14,15 @@ profile apt-methods-http @{exec_path} { include include - # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the - # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is - # used by APT to download packages, package list, and other things using APT methods as an - # unprivileged user/group (_apt/nogroup). capability setgid, capability setuid, - signal (receive) peer=apt, signal (receive) peer=apt-get, + signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=synaptic, + signal (receive) peer=unattended-upgrade, + signal (receive) peer=update-manager, network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 14c4a8a2..fa80efa9 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include include include include 
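Review bot: The four-line comment explaining that `capability setgid,` and `capability setuid,` exist so APT methods can drop to the unprivileged `_apt` user (owner of `/var/cache/apt/archives/partial/` and `/var/lib/apt/lists/partial/`) is removed, leaving two privilege-switching capabilities with no stated reason. One line is enough to keep: `# setuid/setgid: drop privileges to the _apt user before fetching`. The two added `signal (receive)` rules for unattended-upgrade and update-manager carry no `set=`, consistent with the neighbours, but if the sender side is ever narrowed these will have to follow, so noting which signals apt actually sends would save a future round-trip.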
@@ -27,10 +28,16 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal (send) peer=apt-methods-http, + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member={PropertiesChanged,GetAll}, @@ -64,23 +71,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/distro-info/* r, - /usr/share/dpkg/*table r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, - /etc/apt/preferences.d/{,**} r, - /etc/apt/sources.list.d/{,**} r, /etc/machine-id r, /var/log/unattended-upgrades/*.log rw, - /var/lib/apt/extended_states r, - /var/lib/apt/lists/{,**} r, /var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, - /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, /var/cache/apt/{,**} rwk, @@ -94,7 +95,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/resolvconf/resolv.conf r, - owner /tmp/#[0-9]* rw, + owner /tmp/apt-dpkg-install-*/{,*} rw, owner @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 352c5534..011272a2 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -26,6 +26,8 @@ profile plymouthd @{exec_path} { /usr/share/plymouth/{,**} r, /etc/default/keyboard r, + /etc/plymouth/plymouthd.conf r, + /etc/vconsole.conf r, @{run}/udev/data/+drm:* r, @{run}/udev/data/c226:* r, 
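Review bot: The added `dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll,` duplicates the rule directly below it, which already lists `member={PropertiesChanged,GetAll}`, so the new rule can be dropped. `signal (send) peer=apt-methods-http,` is unscoped, i.e. every signal, where other profiles in this set scope sends with `set=(...)`; if apt only ever terminates its method helpers, `signal (send) set=(term,kill) peer=apt-methods-http,` would be the tighter form, to be confirmed against apt's behaviour. The same unscoped send is added to update-manager later in this commit and should follow whatever is decided here.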
@@ -34,6 +36,7 @@ profile plymouthd @{exec_path} { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/uevent r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/uevent r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/acpi/bgrt/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index 1a63d501..d4f5d0bc 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -13,7 +13,7 @@ profile gnome-extensions-app @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gjs-console rPx, + /{usr/,}bin/gjs-console rix, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 98563afd..2cf18564 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -31,6 +31,10 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew}, + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged, + @{exec_path} mr, @{libexec}/gsd-printer rPx, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index b35ae8f2..0919ba88 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -60,7 +60,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/{vendor,device,revision} r, - @{sys}/devices/virtual/net/lo/ r, + @{sys}/devices/virtual/net/*/ r, @{sys}/devices/virtual/tty/*/ r, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 1637a5d7..c612f740 100644 
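Review bot: Changing `/{usr/,}bin/gjs-console` from `rPx` to `rix` makes the JavaScript runtime run under this profile's full rule set instead of transitioning to its own, which mirrors the gnome-characters-backgroudservice change earlier in this series but is not explained anywhere. A one-line reason would help the next reader decide whether the pattern is intended for all gjs-based apps, e.g. `# gjs-console executes the app itself here, so it inherits this profile rather than a generic gjs one`. I am presuming that is the rationale; the profile body above the exec rules is outside the hunk.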
--- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -36,7 +36,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { network packet dgram, dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.{DBus.Properties,NetworkManager*}, + interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*}, dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority @@ -44,7 +44,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown}, + member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved}, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 91fd3a8a..0ef30e5f 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -12,7 +12,8 @@ profile notify-reboot-required @{exec_path} { @{exec_path} mr, - /{usr/,}bin/gettext rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gettext rix, /usr/share/update-notifier/notify-reboot-required r, diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index ffa188b9..ebdb316f 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -46,7 +46,7 @@ profile packagekitd @{exec_path} { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown}, + member={SessionNew,PrepareForShutdown,SessionRemoved}, dbus bind bus=system name=org.freedesktop.PackageKit, 
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 4953d5d1..1d5a0e58 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -10,7 +10,9 @@ include profile software-properties-gtk @{exec_path} { include include - include + include + include + include include include @@ -22,15 +24,25 @@ profile software-properties-gtk @{exec_path} { /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/ubuntu-advantage rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/pixmaps/ r, + /usr/share/python-apt/{,**} r, + /usr/share/software-properties/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, + /usr/share/X11/xkb/{,**} r, + /usr/share/xml/iso-codes/{,**} r, /etc/machine-id r, - - owner @{PROC}/@{pid}/fd/ r, + /etc/update-manager/release-upgrades r, @{sys}/devices/ r, @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 57338fed..204dc38c 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -13,11 +13,22 @@ profile ubuntu-advantage @{exec_path} { include include include + include + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, + /etc/ubuntu-advantage/uaclient.conf r, + + owner /tmp/tmp[0-9a-z]*/apt.conf r, + owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index c2b43c28..3b173bc6 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -28,6 +28,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal (send) peer=apt-methods-http, + dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*} interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}} member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache}, @@ -36,13 +38,13 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus member=StartServiceByName, - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Introspectable - member=Introspect, + dbus send bus=system path=/org/freedesktop/NetworkManager{,/ActiveConnection/[0-9]*,/Devices/[0-9]*} + interface=org.freedesktop.DBus.{Properties,Introspectable} + member={Introspect,Get}, dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.DBus.Properties - member=Get, + interface=org.freedesktop.DBus.{Properties,Introspectable} + member={Get,Introspect}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 934e99f0..fbbb304a 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -10,8 +10,10 @@ include profile cni-calico @{exec_path} { include - network inet, - network inet6, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @{exec_path}-ipam rix, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ae8e492f..71f30ab2 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod 
@@ -12,22 +12,12 @@ include profile kmod @{exec_path} flags=(attach_disconnected) { include include + include - # To load/unload kernel modules - # modprobe: ERROR: could not insert '*': Operation not permitted - # - # modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove - # '*': Operation not permitted - capability sys_module, - - # For error logs to go through the syslog mechanism (as LOG_DAEMON with level LOG_NOTICE) rather - # than to standard error. - capability syslog, - - # Needed for static-nodes capability dac_override, - capability mknod, + capability sys_module, + capability syslog, unix (receive) type=stream, 
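Review bot: The rewrite of the capability block in kmod drops the why-comments that justified each capability (the removed lines quoted the exact modprobe errors for `sys_module` and explained `syslog` and the static-nodes need), leaving bare `capability dac_override,`, `capability sys_module,`, `capability syslog,` with no rationale. One line each is enough to keep: `# load/unload kernel modules (modprobe: Operation not permitted)` above `capability sys_module,` and `# error logs go through syslog (LOG_DAEMON/LOG_NOTICE) instead of stderr` above `capability syslog,`. `capability mknod` is removed together with its "Needed for static-nodes" comment; if `kmod static-nodes` still needs it on some setups this will resurface as a denial, so it is worth noting in the commit or as a comment why it is no longer required.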
@@ -37,36 +27,36 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/sysctl rPx, /{usr/,}lib/modprobe.d/{,*.conf} r, - /etc/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /{usr/,}lib/modules/*/modules.* rw, + /etc/depmod.d/{,**} r, + /etc/modprobe.d/{,*.conf} r, + /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, + /var/lib/dpkg/triggers/* r, /var/tmp/dracut.*/{,**} rw, + owner /boot/System.map-* r, + owner /tmp/mkinitcpio.*/{,**} rw, + + # For local kernel build + owner /tmp/depmod.*/lib/modules/*/ r, + owner /tmp/depmod.*/lib/modules/*/modules.* rw, + owner @{user_build_dirs}/**/System.map r, + owner @{user_build_dirs}/**/lib/modules/*/ r, + owner @{user_build_dirs}/**/lib/modules/*/modules.* rw, + owner @{user_build_dirs}/**/lib/modules/*/kernel/{,**/} r, + owner @{user_build_dirs}/**/lib/modules/*/kernel/**/*.ko r, + + owner @{run}/tmpfiles.d/ w, + owner @{run}/tmpfiles.d/static-nodes.conf w, @{sys}/module/{,**} r, @{PROC}/cmdline r, @{PROC}/modules r, - # Initframs - owner /tmp/mkinitcpio.*/{,**} rw, - - owner @{run}/tmpfiles.d/ w, - owner @{run}/tmpfiles.d/static-nodes.conf w, - - # For local kernel build - owner /tmp/depmod.*/lib/modules/*/ r, - owner /tmp/depmod.*/lib/modules/*/modules.* rw, - owner @{user_build_dirs}/**/System.map r, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/ r, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/modules.* rw, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/{,**/} r, - owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/**/*.ko r, - deny /apparmor/.null rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index f8115614..afbc6b00 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs 
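Review bot: `/tmp/**/*.ko{,.zst} r,` is the only /tmp rule in this hunk without `owner`, while the neighbouring `/tmp/mkinitcpio.*` and `/tmp/depmod.*` rules are owner-scoped. Since kmod holds `capability sys_module`, readable module files under a world-writable directory are exactly the paths one would not want to open up more than necessary; `owner /tmp/**/*.ko{,.zst} r,` keeps the rule to files created by the invoking user. The newly added `/var/lib/dpkg/triggers/* r,` would also benefit from a short comment naming the dpkg trigger that reads it.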
@@ -88,6 +88,7 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs-* rw, owner @{PROC}/@{uid}/fd/ r, + @{PROC}/cmdline r, @{PROC}/modules r, profile ldd { diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index c5072be2..9c2550a9 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -14,6 +14,8 @@ profile qemu-ga @{exec_path} { capability net_admin, capability sys_ptrace, + ptrace peer=unconfined, + @{exec_path} mr, /{usr/,}bin/systemctl rix, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index b8671752..be940b18 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -187,7 +187,7 @@ profile run-parts @{exec_path} { /etc/modprobe.d/*.conf r, @{run}/reboot-required w, - @{run}/reboot-required.pkgs w, + @{run}/reboot-required.pkgs rw, @{PROC}/devices r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index a39f81ad..8c090bdb 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -29,6 +29,8 @@ profile sudo @{exec_path} { capability sys_ptrace, capability sys_resource, + network inet dgram, + network inet6 dgram, network netlink raw, # PAM ptrace (read), @@ -72,6 +74,7 @@ profile sudo @{exec_path} { @{run}/faillock/{,*} rwk, @{run}/resolvconf/resolv.conf r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin index 05319928..dccd51f0 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/profiles-s-z/sulogin @@ -15,6 +15,8 @@ profile sulogin @{exec_path} { @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rux, + /etc/shadow r, /dev/ r, From 081308db2fa0b1118bb564cef5027700a64ca705 Mon Sep 17 00:00:00 2001 
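Review bot: `ptrace peer=unconfined,` in the qemu-ga hunk has no access list, so it grants read, trace, readby and tracedby against every unconfined process on the guest, on top of the existing `capability sys_ptrace`. If the denial being fixed was only for reading other processes' /proc entries (the usual reason a daemon trips this check), `ptrace (read) peer=unconfined,` is sufficient; `trace` lets the agent attach to and control unconfined processes, which should be an explicit decision with a comment. qemu-ga's remaining rules are outside this hunk.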
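Review bot: The sulogin hunk uses lowercase `ux` in `/{usr/,}bin/{,ba,da}sh rux,`, which hands the rescue shell to unconfined without scrubbing the environment, whereas the sshd profile earlier in this series executes the same shells with `rUx`. Unless sulogin is known to need variables such as LD_PRELOAD passed through, `/{usr/,}bin/{,ba,da}sh rUx,` keeps the two profiles consistent and drops the environment scrub exception. A one-line comment stating that the maintenance shell is intentionally unconfined would also help the next reader.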
From: Jeroen Date: Mon, 18 Jul 2022 00:04:13 +0200 Subject: [PATCH 116/165] Add ZFS Event Daemon (#56) --- apparmor.d/profiles-s-z/zed | 51 +++++++++++++++++++++++++++++++++++++ apparmor.d/profiles-s-z/zfs | 6 ++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/zed diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed new file mode 100644 index 00000000..4f39770e --- /dev/null +++ b/apparmor.d/profiles-s-z/zed @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zed +profile zed @{exec_path} flags=(complain) { + include + include + + capability sys_admin, + + network netlink raw, + + @{exec_path} mr, + /{usr/,}bin/basename rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/diff rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/flock rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/logger rix, + /{usr/,}bin/mawk rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/realpath rix, + /{usr/,}bin/sort rix, + /{usr/,}{local/,}{s,}bin/zpool rPx, + /{usr/,}{local/,}{s,}bin/zfs rPx, + /{usr/,}{local/,}lib/zfs-linux/zed.d/*.sh rix, + + /etc/zfs/zed.d/{,*} r, + /etc/zfs/zfs-list.cache/{,*} rwk, + + @{run}/zed.pid rwkl, + @{run}/zed.state rwkl, + @{run}/zfs-list.cache@* rw, + + @{PROC}/@{pids}/mounts r, + owner @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + + @{sys}/bus/pci/slots/ r, + + /dev/zfs rw, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index 1251aa57..388e569d 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -12,10 +12,14 @@ profile zfs @{exec_path} flags=(complain) { capability sys_admin, - @{exec_path} r, + @{exec_path} mr, + + /etc/zfs/zfs-list.cache/{,*} rwk, @{PROC}/@{pids}/mounts r, + @{run}/zfs-list.cache@* rw, + /dev/zfs rw, include if exists 
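Review bot: In the new zed profile, `@{PROC}/@{pid}/task/@{tid}/comm rw,` has no `owner` qualifier, so it allows writing the thread name of any process, not just zed's own threads; the `@{pid}`/`@{tid}` tunables are globs over numeric ids, not the caller's own id. `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` matches the intent and is consistent with the `owner @{PROC}/@{pids}/fd/ r,` line two rules above. Note the profile is shipped with `flags=(complain)`, so this is only logged until the flag is removed; the zedlets executed via `/{usr/,}{local/,}lib/zfs-linux/zed.d/*.sh rix` likewise run with the full profile's permissions, which is worth a comment.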
From c750cb1b776e13b1045626d6d6d19d25041f734e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 18 Jul 2022 11:36:16 +0100 Subject: [PATCH 117/165] feat(profiles): general update. --- apparmor.d/groups/freedesktop/plymouthd | 3 ++- apparmor.d/groups/ubuntu/do-release-upgrade | 7 ++++++- apparmor.d/profiles-a-f/apparmor.systemd | 5 +++++ apparmor.d/profiles-a-f/apparmor_parser | 2 ++ 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 011272a2..78e16ddd 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -10,6 +10,7 @@ include profile plymouthd @{exec_path} { include include + include capability sys_admin, capability sys_tty_config, @@ -37,12 +38,12 @@ profile plymouthd @{exec_path} { @{sys}/class/drm/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/uevent r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/uevent r, + @{sys}/devices/pci[0-9]*/**/drm/renderD128/uevent r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/acpi/bgrt/{,*} r, @{PROC}/cmdline r, - /dev/dri/card[0-9]* rw, /dev/ptmx rw, /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 8140c18c..80ddfe97 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -15,14 +15,18 @@ profile do-release-upgrade @{exec_path} { include include + capability net_admin, + network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/ischroot rix, /{usr/,}bin/lsb_release rPx -> lsb_release, /usr/share/distro-info/*.csv r, 
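Review bot: `capability net_admin,` added to do-release-upgrade is a broad grant for a package-upgrade tool and comes with no comment, unlike the capability comments this repository uses elsewhere (see the kmod profile). If the only trigger was the accompanying `network netlink raw,` (interface/route enumeration through NetworkManager or python-apt), that read path does not need net_admin and the capability can be dropped; if it is genuinely required, a one-line comment such as `# net_admin: <operation from the audit log>` should state why. The profile's remaining rules lie outside this hunk.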
@@ -31,10 +35,11 @@ profile do-release-upgrade @{exec_path} { /etc/machine-id r, /etc/update-manager/{,**} r, - /var/lib/update-manager/meta-release-* rw, + /var/lib/update-manager/* rw, /var/cache/apt/pkgcache.bin{,.*} rw, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index d20aa7b6..a40c4249 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -11,6 +11,8 @@ profile apparmor.systemd @{exec_path} flags=(complain) { include include + capability mac_admin, + @{exec_path} mr, /{usr/,}{s,}bin/aa-status rPx, @@ -19,6 +21,8 @@ profile apparmor.systemd @{exec_path} flags=(complain) { /{usr/,}bin/{,e}grep rix, /{usr/,}bin/getconf rix, /{usr/,}bin/ls rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, /{usr/,}bin/systemd-detect-virt rPx, /{usr/,}bin/xargs rix, @@ -28,6 +32,7 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{sys}/fs/cgroup/systemd/ r, @{sys}/kernel/security/apparmor/{,**} r, + @{sys}/kernel/security/apparmor/.remove rw, @{sys}/module/apparmor/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index eb535fe5..a8886583 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -25,6 +25,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner /var/cache/apparmor/{,**} rw, owner /var/lib/docker/tmp/docker-default[0-9]* r, owner /var/lib/snapd/apparmor/{,**} r, + + owner /tmp/cri-containerd.apparmor.d[0-9]* r, owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw, @{sys}/kernel/security/apparmor/{,**} r, From 13aee74df96b0801676b8cd47a8d5032a77e7de8 Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Sat, 16 Jul 2022 17:34:14 +0200 Subject: [PATCH 118/165] Various containerd fixes --- apparmor.d/groups/virt/containerd | 38 ++++++++++++++++--------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 6c6746dd..10738e9d 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -16,6 +16,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_read_search, + capability dac_override, capability net_admin, capability sys_admin, @@ -23,11 +24,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid}, + umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, umount @{run}/netns/cni-@{uuid}, 
@@ -72,28 +75,27 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, + owner @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pids}/uid_map r, owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, - deny /dev/bsg/ rwkl, - deny /dev/bus/ rwkl, - deny /dev/bus/usb/ rwkl, - deny /dev/bus/usb/[0-9]*/ rwkl, - deny /dev/char/ rwkl, - deny /dev/cpu/ rwkl, - deny /dev/cpu/[0-9]*/ rwkl, - deny /dev/dma_heap/ rwkl, - deny /dev/dri/ rwkl, - deny /dev/dri/by-path/ rwkl, - deny /dev/hugepages/ rwkl, - deny /dev/input/ rwkl, - deny /dev/input/by-id/ rwkl, - deny /dev/input/by-path/ rwkl, - deny /dev/net/ rwkl, - deny /dev/snd/ rwkl, - deny /dev/snd/by-path/ rwkl, - deny /dev/vfio/ rwkl, + /dev/bsg/ r, + /dev/bus/ r, + /dev/char/ r, + /dev/cpu/ r, + /dev/cpu/[0-9]*/ r, + /dev/dma_heap/ r, + /dev/dri/ r, + /dev/dri/by-path/ r, + /dev/hugepages/ r, + /dev/input/ r, + /dev/input/by-id/ r, + /dev/input/by-path/ r, + /dev/net/ r, + /dev/snd/ r, + /dev/snd/by-path/ r, + /dev/vfio/ r, include if exists } From 5a024900824b68788551b994705821d4fe2b7628 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 16 Jul 2022 17:38:02 +0200 Subject: [PATCH 119/165] Needed for certain containers like calico --- apparmor.d/groups/virt/containerd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 10738e9d..f1be9889 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -17,6 +17,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_read_search, capability dac_override, + capability fsetid, capability net_admin, capability sys_admin, 
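Review bot: `capability fsetid,` is added to containerd without a comment, while the commit message ("Needed for certain containers like calico") is the only record of why. Preserve that rationale in the profile, e.g. `# fsetid: needed for certain containers (e.g. calico) when unpacking image layers`, hedging the layer-unpacking part if it has not been confirmed from the audit log. A reader of the profile alone otherwise cannot tell this from a blanket grant.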
@@ -57,7 +58,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/results/cni-loopback-@{uuid}-lo l, /var/lib/containerd/{,**} rwk, - /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, /var/log/pods/**/[0-9]*.log w, From 70aa5fdbb2a039625b08d305abdce52a2b04f936 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 16 Jul 2022 21:20:30 +0200 Subject: [PATCH 120/165] Small fixes --- apparmor.d/abstractions/disks-read | 8 ++++---- apparmor.d/groups/virt/cni-loopback | 2 +- apparmor.d/groups/virt/containerd | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 1399c2c4..178f9fa7 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -8,7 +8,7 @@ /dev/ r, /dev/block/ r, - /dev/disk/*/ r, + /dev/disk/{,*/} r, # Regular disk/partition devices /dev/{s,v}d[a-z]* rk, @@ -37,14 +37,14 @@ # LUKS/LVM (device-mapper) devices /dev/dm-[0-9]* rk, - /dev/mapper/* r, + /dev/mapper/{,*} r, @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, # ZFS devices /dev/zd[0-9]* rk, - /dev/zvol/ r, - /dev/zvol/*/ r, + /dev/zvol/{,*/} r, + /dev/*pool/ r, @{sys}/devices/virtual/block/zd[0-9]*/ r, @{sys}/devices/virtual/block/zd[0-9]*/** r, diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index da2cd4a0..f1e29c59 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/cni/loopback /opt/cni/bin/loopback -profile cni-loopback @{exec_path} { +profile cni-loopback @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f1be9889..db5899a6 100644 
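Review bot: `/dev/*pool/ r,` in the disks-read abstraction only matches ZFS pools whose name happens to end in "pool" (rpool, bpool, zpool), so a pool named e.g. "tank" will still produce denials on its `/dev/<pool>/` directory. Either document that limitation next to the rule, `# ZFS per-pool device directories; only pool names ending in "pool" are matched`, or accept that pool names are arbitrary and keep the rule out of the shared abstraction in favour of the ZFS profiles. The `/dev/zvol/{,*/}` collapse above it is fine.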
--- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -56,7 +56,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /opt/containerd/{,**} rw, - /var/lib/cni/results/cni-loopback-@{uuid}-lo l, + /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, From e9bcd3f82041aff5d54876dc873539293549ff60 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 17 Jul 2022 14:22:13 +0200 Subject: [PATCH 121/165] Small fixes --- apparmor.d/groups/virt/cni-calico | 1 + apparmor.d/groups/virt/containerd | 2 ++ 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index fbbb304a..0f1e060e 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -24,6 +24,7 @@ profile cni-calico @{exec_path} { /var/log/calico/cni/ r, /var/log/calico/cni/cni.log rw, + @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index db5899a6..cb470771 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -98,5 +98,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /dev/snd/by-path/ r, /dev/vfio/ r, + deny / r, + include if exists } From 2ec802d40dc0a91cfe373c1385a30401a1741f77 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Mon, 18 Jul 2022 14:34:05 +0200 Subject: [PATCH 122/165] Remove deny root --- apparmor.d/groups/virt/containerd | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index cb470771..db5899a6 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -98,7 +98,5 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /dev/snd/by-path/ r, /dev/vfio/ r, - deny / r, - include if exists } From 969292675227d39c242a42a8cebb7e20af47eda2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 18 Jul 2022 23:57:25 +0100 Subject: [PATCH 123/165] feat(profiles): general update. --- .../abstractions/dbus-session-strict.d/complete | 9 +++------ apparmor.d/abstractions/lxc/start-container | 2 +- apparmor.d/groups/apt/apt | 2 ++ apparmor.d/groups/apt/unattended-upgrade | 6 +----- apparmor.d/groups/bus/dbus-daemon | 2 ++ apparmor.d/groups/freedesktop/at-spi-bus-launcher | 1 + apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 3 ++- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-color | 11 +++-------- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 ++ apparmor.d/groups/ubuntu/software-properties-gtk | 1 + apparmor.d/profiles-g-l/hugo | 13 ++++++++++--- 13 files changed, 30 insertions(+), 26 deletions(-) diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete index 1dc40e4c..2bb0b4a8 100644 --- a/apparmor.d/abstractions/dbus-session-strict.d/complete +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -2,13 +2,10 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - unix (connect, send, receive, accept) - type=stream - addr="@/tmp/dbus-*", + unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", + unix (bind, listen) type=stream addr="@/tmp/dbus-*", - unix (connect, receive, send, accept) - type=stream - peer=(addr="@/tmp/dbus-*"), + unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, diff --git a/apparmor.d/abstractions/lxc/start-container b/apparmor.d/abstractions/lxc/start-container index 9b9bdd43..9e2e8f2e 100644 
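Review bot: `unix (bind, listen) type=stream addr="@/tmp/dbus-*",` is placed in `abstractions/dbus-session-strict.d/complete`, an abstraction included by session-bus clients, so every confined client gains the ability to bind its own abstract socket under the bus address pattern and pose as a bus to other processes. Binding and listening belong to the process that owns the socket; move the rule into that profile (dbus-daemon or at-spi-bus-launcher, whichever produced the denial) and keep the client abstraction at connect/send/receive/accept. If the rule is needed here for a specific client, a comment naming it would justify the broad grant.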
--- a/apparmor.d/abstractions/lxc/start-container +++ b/apparmor.d/abstractions/lxc/start-container @@ -11,7 +11,7 @@ # currently blocked by apparmor bug mount -> /usr/lib*/*/lxc/{**,}, mount -> /usr/lib*/lxc/{**,}, - mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**}, + mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**}, mount fstype=devpts -> /dev/pts/, mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, mount options=bind /dev/pts/** -> /dev/**, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 017fd58e..d81143b6 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -29,6 +29,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, + unix (receive, send) type=stream peer=(label=apt-esm-json-hook), + dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index fa80efa9..1961f712 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -34,11 +34,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member={PropertiesChanged,GetAll}, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 13411ae8..ec863a5a 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon 
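Review bot: Folding the two NetworkManager `dbus receive` rules in unattended-upgrade into `dbus (send,receive) ... member={PropertiesChanged,GetAll}` also permits sending PropertiesChanged and receiving GetAll, neither of which the removed lines allowed. If the new denial was a `send` of GetAll, a separate `dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll,` next to the existing receive rule keeps the grant to what is observed. The surrounding dbus rules of the profile are outside this hunk.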
@@ -46,6 +46,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx, /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx, + /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, + /etc/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index de6d51d8..c663b666 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -17,6 +17,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, + signal (receive) set=(term hup kill) peer=gnome-session-binary, signal (send) set=(term hup kill) peer=dbus-daemon, network inet stream, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 8b4fafa4..0fbe6c05 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -51,7 +51,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member={CheckPermissions,StateChanged}, + member={CheckPermissions,StateChanged,PropertiesChanged}, dbus bind bus=system name=org.freedesktop.GeoClue2, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 50ae01f2..6362ac80 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
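Review bot: `/usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,` in dbus-daemon requires a profile for that service to exist, otherwise the activation is denied outright; the neighbouring xfconfd and tumblerd lines use `rPUx` precisely to fall back to unconfined when no profile is installed. Either ship a profile for the Characters background service in this series or use `rPUx` here for consistency, with a comment stating which is intended. The remainder of the dbus-daemon exec list is outside the hunk.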
@@ -25,8 +25,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (send) set=(term) peer=gsd-*, signal (receive) set=(term, hup) peer=gdm*, + signal (send) set=(term) peer=at-spi-bus-launcher, + signal (send) set=(term) peer=gsd-*, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index cb04fd5d..978e949d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -124,7 +124,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx, /opt/*/**/*.png r, - /snap/*/@{uid}/*.png r, + /snap/*/@{uid}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/dconf/profile/gdm r, /usr/share/desktop-directories/{,*.directory} r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 18f0eec6..e2d9852b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -18,18 +18,13 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus (send, receive) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager, + dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*} interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={FindDeviceByProperty,GetDevices,CreateDevice}, - - dbus receive bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={DeviceAdded,ProfileAdded}, - @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 97ab7349..d44f5110 100644 
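Review bot: The replacement `dbus (send, receive) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager,` in gsd-color has no `member=`, so it allows every method and signal on the interface in both directions, whereas the removed lines listed exactly `FindDeviceByProperty,GetDevices,CreateDevice` (send) and `DeviceAdded,ProfileAdded` (receive). Keeping the member list, `member={FindDeviceByProperty,GetDevices,CreateDevice,DeviceAdded,ProfileAdded},`, or leaving the two directional rules in place and only extending the member set, preserves the least-privilege shape the profile had. If the widening is deliberate because colord's member set churns, a comment saying so would help.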
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -11,6 +11,8 @@ profile apt-esm-json-hook @{exec_path} { include include + unix (receive, send) type=stream peer=(label=apt), + @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 1d5a0e58..1f0d4603 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -21,6 +21,7 @@ profile software-properties-gtk @{exec_path} { /{usr/,}bin/aplay rPx, /{usr/,}bin/apt-key rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/ischroot rix, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/ubuntu-advantage rPx, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 7482a9f0..3e298ef3 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,23 +10,30 @@ include @{exec_path} = /{usr/,}bin/hugo profile hugo @{exec_path} { include + include + include network inet stream, network inet6 stream, @{exec_path} mr, - /{usr/,}bin/git rPx, + /{usr/,}bin/git rix, + /{usr/,}lib/go/bin/go rix, + /{usr/,}lib/git-core/git-remote-http rix, + /usr/share/git-core/{,**} r, /usr/share/mime/{,**} r, + /usr/share/terminfo/x/xterm-256color r, /etc/mime.types r, owner @{user_projects_dirs}/{,**} rw, owner @{user_projects_dirs}/**/.hugo_build.lock rwk, + owner @{user_projects_dirs}/**/go.{mod,sum} rwk, - owner /tmp/hugo_cache/ rw, - owner /tmp/hugo_cache/**/ rw, + owner /tmp/hugo_cache/{,**} rwk, + owner /tmp/go-codehost-[0-9]* rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, From 5b01f7963b9bf4072e314ecde7694047308bd642 Mon Sep 17 00:00:00 2001 
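Review bot: Changing `/{usr/,}bin/git rPx` to `rix` in the hugo profile (together with `go rix` and `git-remote-http rix`) makes git, the Go toolchain and the HTTP remote helper run with hugo's own rules instead of git's dedicated profile, so hugo's profile now has to carry whatever those tools need and any issue in them while fetching a remote module inherits hugo's `rw` access to `@{user_projects_dirs}`. If the switch was made because the git profile lacked hugo-specific paths, adding those paths to the git profile and keeping `rPx` preserves the separation. A short comment on the `rix` lines explaining the choice is warranted either way.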
From: Alexandre Pujol Date: Mon, 18 Jul 2022 23:58:12 +0100 Subject: [PATCH 124/165] feat(profiles): add file-roller. --- apparmor.d/profiles-a-f/file-roller | 31 +++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/profiles-a-f/file-roller diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller new file mode 100644 index 00000000..e8d98bff --- /dev/null +++ b/apparmor.d/profiles-a-f/file-roller @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/file-roller +profile file-roller @{exec_path} { + include + include + include + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/unzip rix, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/themes/{,**} r, + /usr/share/X11/xkb/{,**} r, + + /etc/gtk-3.0/settings.ini r, + + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + + include if exists +} \ No newline at end of file From f4dd2745d1d756e268f2e7db917d880c32ac77da Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Jul 2022 00:03:01 +0100 Subject: [PATCH 125/165] feat(profiles): add software-properties-dbus. --- .../groups/ubuntu/software-properties-dbus | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/software-properties-dbus diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus new file mode 100644 index 00000000..dd542213 --- /dev/null +++ b/apparmor.d/groups/ubuntu/software-properties-dbus 
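Review bot: The new file-roller profile runs the archive extractor with `/{usr/,}bin/unzip rix,`, so unzip processes untrusted archives with file-roller's full permission set (including the GUI abstractions and any user-file access the includes grant). A dedicated `unzip` profile invoked with `rPx`, or a child profile in this file limited to reading the archive and writing the extraction target, confines the part of the workflow most exposed to hostile input. Other archivers file-roller can invoke (tar, 7z, ...) are not listed yet, so each added tool should get the same treatment rather than `rix`.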
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/software-properties/software-properties-dbus +profile software-properties-dbus @{exec_path} { + include + include + include + include + include + + dbus bind bus=system + name=com.ubuntu.SoftwareProperties, + + @{exec_path} mr, + + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/env rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + + /usr/share/python-apt/{,**} r, + /usr/share/distro-info/*.csv r, + /usr/share/xml/iso-codes/{,**} r, + + owner /tmp/[a-z0-9]* rw, + owner /tmp/tmp*/{,apt.conf} rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} \ No newline at end of file From 8fda216cc2f566b9d37468c8e7172e45f5e36c6b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Jul 2022 13:56:36 +0100 Subject: [PATCH 126/165] doc: cosmetic. --- README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 97c37edb..51f6a276 100644 --- a/README.md +++ b/README.md @@ -48,8 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it * An `apparmor` based linux distribution. * Base profiles and abstractions shipped with AppArmor are supposed to be installed. -* Go -* rsync +* Go (build dependency only) +* rsync (build dependency only) **Archlinux** 
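Review bot: `owner /tmp/[a-z0-9]* rw,` in the new software-properties-dbus profile matches every root-owned file in /tmp with a plain lowercase alphanumeric name, which is far wider than a temp file used by this one helper. The line below it, `owner /tmp/tmp*/{,apt.conf} rw,`, suggests Python tempfile names; if that is what the denial showed, `owner /tmp/tmp[a-z0-9_]* rw,` keeps the grant to those files. A comment naming what is written there (apt.conf for python-apt, presumably) would make future tightening possible.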
@@ -61,19 +61,18 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ --overwrite etc/apparmor.d/tunables/xdg-user-dirs ``` -> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) +> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) **Debian** Build using standard Debian package build tools: ```sh -sudo apt install debhelper ubuntu-dev-tools config-package-dev golang-go apparmor-profiles rsync - +sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync dpkg-buildpackage -b -d --no-sign sudo dpkg -i ../apparmor.d_*_all.deb ``` -> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) +> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) **Partial install** From 463da2a8f4ace3ab2b6ac3a92f02eba3a676bf3a Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Mon, 18 Jul 2022 17:56:52 +0200 Subject: [PATCH 127/165] Initial support for k3s --- apparmor.d/groups/virt/k3s | 177 +++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 apparmor.d/groups/virt/k3s diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s new file mode 100644 index 00000000..9d7b02b2 --- /dev/null +++ b/apparmor.d/groups/virt/k3s 
@@ -0,0 +1,177 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{local/,}bin/k3s +profile k3s @{exec_path} flags=(complain) { + include + include + include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability syslog, + capability sys_admin, + capability sys_resource, + + ptrace peer=@{profile_name}, + ptrace (read) peer=unconfined, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, + umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, + + signal (send, receive) set=term, + + @{exec_path} mr, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/mount rPx, + /{usr/,}bin/systemd-run rix, + + # Does not seem to work. + # These are all symbolic links to xtables-nft-multi on Ubuntu 22.04 + /{usr/,}{s,}bin/iptables rPx -> xtables-nft-multi, + /etc/alternatives/iptables rPx -> xtables-nft-multi, + /{usr/,}{s,}bin/iptables-legacy rPx -> xtables-nft-multi, + /{usr/,}{s,}bin/xtables-nft-multi rPx, + + /{usr/,}{s,}bin/iptables-save rPx -> xtables-nft-multi, + /etc/alternatives/iptables-save rPx -> xtables-nft-multi, + /{usr/,}{s,}bin/iptables-legacy-save rPx -> xtables-nft-multi, + /{usr/,}{s,}bin/xtables-nft-multi rPx, + + /{usr/,}{s,}bin/iptables-restore rPx -> xtables-nft-multi, + /etc/alternatives/iptables-restore rPx -> xtables-nft-multi, + /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi, + /{usr/,}{s,}bin/xtables-nft-multi rPx, + + /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, + /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, + + /usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r, + /usr/share/mime/globs2 r, + + /etc/machine-id r, + /etc/rancher/k3s/{,**} r, + /etc/rancher/k3s/k3s.yaml 
rw, + /etc/rancher/node/password r, + + /var/lib/rancher/k3s/{,**} r, + /var/lib/rancher/k3s/agent/** rw, + /var/lib/rancher/k3s/server/** rw, + /var/lib/rancher/k3s/server/db/** rwk, + + # k3s want's to basically manage all directories and create some specific files. + /var/lib/kubelet/{,**/} rw, + /var/lib/kubelet/{cpu_manager_state,memory_manager_state} r, + /var/lib/kubelet/device-plugins/{,DEPRECATION,kubelet.sock} rw, + /var/lib/kubelet/pod-resources/{kubelet.sock,[0-9]*} rw, + /var/lib/kubelet/pods/@{uuid}/containers/*/[0-9a-f]* rw, + /var/lib/kubelet/pods/@{uuid}/etc-hosts rw, + /var/lib/kubelet/pods/@{uuid}/plugins/kubernetes.io~*/{,**} rw, + /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**} rw, + /var/lib/kubelet/pods/@{uuid}/**/ca.crt rw, + /var/lib/kubelet/pods/@{uuid}/**/namespace rw, + /var/lib/kubelet/pods/@{uuid}/**/token rw, + + /var/log/containers/ r, + /var/log/containers/** rw, + /var/log/rancher/{,**} r, + /var/log/kubelet/{,**} r, + /var/log/kubernetes/{,**} r, + /var/log/kubernetes/audit/** rw, + /var/log/pods/{,**} r, + /var/log/pods/{,**/} rw, + /var/log/pods/**/[0-9]*.log rw, + + @{HOME}/.kube/cache/discovery/{,**} rw, + @{HOME}/.kube/cache/http/[0-9a-z]* rw, + @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw, + + @{run}/containerd/containerd.sock rw, + @{run}/systemd/notify w, + @{run}/systemd/private rw, + @{run}/systemd/resolve/resolv.conf r, + @{run}/nodeagent/ rw, + @{run}/xtables.lock rwk, + + /var/tmp/etilqs_* rw, + + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/cpuset r, + owner @{PROC}/@{pids}/mounts r, + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/net/ip_tables_names r, + owner @{PROC}/@{pids}/net/ipv6_route r, + owner @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pids}/oom_score_adj rw, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/uid_map r, + + @{PROC}/diskstats r, + @{PROC}/modules r, + @{PROC}/sys/fs/pipe-max-size r, + @{PROC}/sys/net/core/somaxconn r, + 
@{PROC}/sys/net/ipv4/conf/all/* rw, + @{PROC}/sys/net/ipv4/conf/default/* rw, + @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, + @{PROC}/sys/net/netfilter/* rw, + @{PROC}/sys/kernel/keys/* r, + @{PROC}/sys/kernel/panic rw, + @{PROC}/sys/kernel/panic_on_oom rw, + @{PROC}/sys/kernel/panic_on_oops rw, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/vm/overcommit_memory rw, + @{PROC}/sys/vm/panic_on_oom r, + + @{sys}/class/net/ r, + + @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r, + @{sys}/devices/system/edac/mc/ r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + @{sys}/devices/system/node/node[0-9]*/hugepages/ r, + @{sys}/devices/system/node/node[0-9]*/hugepages/hugepages-*/nr_hugepages r, + @{sys}/devices/system/cpu/cpu[0-9]*/topology/core_id r, + @{sys}/devices/system/cpu/cpu[0-9]*/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpu[0-9]*/cache/ r, + @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/{id,size,level,type,shared_cpu_map} r, + @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, + @{sys}/devices/virtual/dmi/id/product_uuid r, + + @{sys}/fs/cgroup/{,*,*/} r, + @{sys}/fs/cgroup/cgroup.subtree_control rw, + @{sys}/fs/cgroup/kubepods/{,**} rw, + @{sys}/fs/cgroup/system.slice/{,**/} r, + @{sys}/fs/cgroup/system.slice/k3s.service/* r, + @{sys}/fs/cgroup/user.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-[0-9]*.scope/{,**/} r, + + @{sys}/kernel/mm/hugepages/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, + + @{sys}/module/apparmor/parameters/enabled r, + + /dev/kmsg r, + + include if exists +} 
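Review bot: `/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix` runs the binaries k3s keeps under its data directory inside this profile, so they inherit `capability sys_admin`, `net_admin`, `dac_override`, the `mount` rules and `ptrace (read) peer=unconfined`; a comment stating that this is intended (the bundled runtime needs the same rights) would document the decision. The same hunk grants only `/var/lib/rancher/k3s/{,**} r` outside `agent/**` and `server/**`, so if k3s unpacks that bundle itself at start-up the write is denied (merely logged while `flags=(complain)` is set); either the directory needs write access or a note that the bundle is installed out of band. `/dev/kmsg r` and the `@{PROC}/sys/kernel/panic*` and `vm/overcommit_memory` `rw` rules are unusual for a service profile and deserve one-line justifications (presumably the kubelet's default sysctl tuning — confirm).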
From 28a3584c14adef051b08f86404ccbfb7ad6742c0 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Mon, 18 Jul 2022 17:57:15 +0200 Subject: [PATCH 128/165] Initial support for xtables-nft-multi --- apparmor.d/groups/network/xtables-nft-multi | 36 +++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/groups/network/xtables-nft-multi diff --git a/apparmor.d/groups/network/xtables-nft-multi b/apparmor.d/groups/network/xtables-nft-multi new file mode 100644 index 00000000..8a3fd424 --- /dev/null +++ b/apparmor.d/groups/network/xtables-nft-multi @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}sbin/xtables-nft-multi +profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) { + include + include + + capability net_admin, + capability net_raw, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/libnl/classid r, + /etc/iptables/{,**} rw, + /etc/nftables.conf rw, + + @{PROC}/@{pids}/net/ip_tables_names r, + + /dev/pts/[0-9]* rw, + + include if exists +} From 5af6cda32873cb806953b0a0b809a68dabc8d0d7 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Mon, 18 Jul 2022 17:58:01 +0200 Subject: [PATCH 129/165] Allow dbus messages and user database reading. --- apparmor.d/groups/virt/k3s | 1 - apparmor.d/profiles-m-r/pkttyagent | 25 +++++++++++++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 9d7b02b2..184ed052 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s 
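Review bot: `/etc/iptables/{,**} rw` and `/etc/nftables.conf rw` let the xtables binary rewrite the persistent firewall configuration, while the binary itself reads rule files (`iptables-restore`) and writes `iptables-save` output to stdout; if the `w` exists for redirected `iptables-save > /etc/iptables/…` invocations, a comment saying so keeps a later reviewer from dropping it, and if not, `r` is enough. `/dev/pts/[0-9]* rw` is exactly what the `consoles` abstraction introduced earlier in this series provides, so `include <abstractions/consoles>` would be the repository's usual form. The profile is in `complain` mode, so neither point is enforced yet.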
@@ -40,7 +40,6 @@ profile k3s @{exec_path} flags=(complain) { /{usr/,}bin/mount rPx, /{usr/,}bin/systemd-run rix, - # Does not seem to work. # These are all symbolic links to xtables-nft-multi on Ubuntu 22.04 /{usr/,}{s,}bin/iptables rPx -> xtables-nft-multi, /etc/alternatives/iptables rPx -> xtables-nft-multi, diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 72873536..3b7440e9 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,15 +13,35 @@ profile pkttyagent @{exec_path} { include capability sys_nice, + capability audit_write, ptrace (read), - signal (receive), + signal (send,receive), + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=RegisterAuthenticationAgentWithOptions, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, @{exec_path} mr, + /etc/nsswitch.conf r, + /etc/passwd r, + owner @{PROC}/@{pids}/stat r, /dev/tty rw, include if exists -} \ No newline at end of file +} From 78cfb23bff88f76a2d3e8fc4d007b6818c53166f Mon Sep 17 00:00:00 2001 
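Review bot: The four new `dbus` rules in pkttyagent carry no `peer=` constraint, so `BeginAuthentication` may be received from, and `RegisterAuthenticationAgentWithOptions` sent to, any client on the system bus rather than only the polkit daemon; the bus policy still gates this, but the profile would be tighter with `peer=(name=org.freedesktop.PolicyKit1)` on the two sends and a `peer=(label=POLKITD_PROFILE)` naming the daemon's profile on the receives (POLKITD_PROFILE is a placeholder for that profile's name). The interface patterns are also inconsistent: three rules use `org.freedesktop.PolicyKit[0-9]` while the `BeginAuthentication` rule hard-codes `PolicyKit1`; pick one form. The enclosing profile starts before this hunk.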
From: Jeroen Rijken Date: Mon, 18 Jul 2022 20:23:05 +0200 Subject: [PATCH 130/165] Apply suggested fixes from PR --- apparmor.d/groups/network/xtables-nft-multi | 18 ++-- apparmor.d/groups/virt/k3s | 98 ++++++++++----------- apparmor.d/profiles-m-r/pkttyagent | 4 +- 3 files changed, 59 insertions(+), 61 deletions(-) diff --git a/apparmor.d/groups/network/xtables-nft-multi b/apparmor.d/groups/network/xtables-nft-multi index 8a3fd424..8e71ec36 100644 --- a/apparmor.d/groups/network/xtables-nft-multi +++ b/apparmor.d/groups/network/xtables-nft-multi @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/xtables-nft-multi +@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) { include include @@ -14,19 +14,19 @@ profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) { capability net_admin, capability net_raw, - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network inet stream, - network inet6 stream, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, network netlink raw, @{exec_path} mr, /etc/libnl/classid r, - /etc/iptables/{,**} rw, - /etc/nftables.conf rw, + /etc/iptables/{,**} rw, + /etc/nftables.conf rw, @{PROC}/@{pids}/net/ip_tables_names r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 184ed052..f16fa487 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s 
@@ -24,13 +24,13 @@ profile k3s @{exec_path} flags=(complain) { ptrace peer=@{profile_name}, ptrace (read) peer=unconfined, - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, network netlink raw, - mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, + mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, signal (send, receive) set=term, @@ -56,20 +56,20 @@ profile k3s @{exec_path} flags=(complain) { /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi, /{usr/,}{s,}bin/xtables-nft-multi rPx, - /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, + @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, - /usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r, + @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r, /usr/share/mime/globs2 r, - /etc/machine-id r, - /etc/rancher/k3s/{,**} r, - /etc/rancher/k3s/k3s.yaml rw, + /etc/machine-id r, + /etc/rancher/k3s/{,**} r, + /etc/rancher/k3s/k3s.yaml rw, /etc/rancher/node/password r, - /var/lib/rancher/k3s/{,**} r, - /var/lib/rancher/k3s/agent/** rw, - /var/lib/rancher/k3s/server/** rw, + /var/lib/rancher/k3s/{,**} r, + /var/lib/rancher/k3s/agent/** rw, + /var/lib/rancher/k3s/server/** rw, /var/lib/rancher/k3s/server/db/** rwk, # k3s want's to basically manage all directories and create some specific files. 
@@ -85,19 +85,19 @@ profile k3s @{exec_path} flags=(complain) { /var/lib/kubelet/pods/@{uuid}/**/namespace rw, /var/lib/kubelet/pods/@{uuid}/**/token rw, - /var/log/containers/ r, - /var/log/containers/** rw, - /var/log/rancher/{,**} r, - /var/log/kubelet/{,**} r, - /var/log/kubernetes/{,**} r, + /var/log/containers/ r, + /var/log/containers/** rw, + /var/log/rancher/{,**} r, + /var/log/kubelet/{,**} r, + /var/log/kubernetes/{,**} r, /var/log/kubernetes/audit/** rw, - /var/log/pods/{,**} r, - /var/log/pods/{,**/} rw, - /var/log/pods/**/[0-9]*.log rw, + /var/log/pods/{,**} r, + /var/log/pods/{,**/} rw, + /var/log/pods/**/[0-9]*.log rw, - @{HOME}/.kube/cache/discovery/{,**} rw, - @{HOME}/.kube/cache/http/[0-9a-z]* rw, - @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw, + owner @{HOME}/.kube/cache/discovery/{,**} rw, + owner @{HOME}/.kube/cache/http/[0-9a-z]* rw, + owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw, @{run}/containerd/containerd.sock rw, @{run}/systemd/notify w, 
@@ -106,36 +106,36 @@ profile k3s @{exec_path} flags=(complain) { @{run}/nodeagent/ rw, @{run}/xtables.lock rwk, - /var/tmp/etilqs_* rw, + owner /var/tmp/etilqs_[0-9a-f]* rw, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/cpuset r, - owner @{PROC}/@{pids}/mounts r, - owner @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/net/dev r, + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/cpuset r, + owner @{PROC}/@{pids}/mounts r, + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/net/ip_tables_names r, - owner @{PROC}/@{pids}/net/ipv6_route r, - owner @{PROC}/@{pids}/net/route r, - owner @{PROC}/@{pids}/oom_score_adj rw, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/net/ipv6_route r, + owner @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pids}/oom_score_adj rw, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/uid_map r, - @{PROC}/diskstats r, - @{PROC}/modules r, - @{PROC}/sys/fs/pipe-max-size r, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv4/conf/all/* rw, + @{PROC}/diskstats r, + @{PROC}/modules r, + @{PROC}/sys/fs/pipe-max-size r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/ipv4/conf/all/* rw, @{PROC}/sys/net/ipv4/conf/default/* rw, @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, - @{PROC}/sys/net/netfilter/* rw, - @{PROC}/sys/kernel/keys/* r, - @{PROC}/sys/kernel/panic rw, - @{PROC}/sys/kernel/panic_on_oom rw, - @{PROC}/sys/kernel/panic_on_oops rw, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/vm/overcommit_memory rw, - @{PROC}/sys/vm/panic_on_oom r, + @{PROC}/sys/net/netfilter/* rw, + @{PROC}/sys/kernel/keys/* r, + @{PROC}/sys/kernel/panic rw, + @{PROC}/sys/kernel/panic_on_oom rw, + @{PROC}/sys/kernel/panic_on_oops rw, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/vm/overcommit_memory rw, + @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, 
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 3b7440e9..fb894967 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -11,6 +11,7 @@ include profile pkttyagent @{exec_path} { include include + include capability sys_nice, capability audit_write, @@ -36,9 +37,6 @@ profile pkttyagent @{exec_path} { @{exec_path} mr, - /etc/nsswitch.conf r, - /etc/passwd r, - owner @{PROC}/@{pids}/stat r, /dev/tty rw, From 5565217c91d33b0d5cc16b826c480aa0ca51e752 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 14:08:18 +0200 Subject: [PATCH 131/165] Move xtables profile to child profile of k3s. --- apparmor.d/groups/network/xtables-nft-multi | 36 ------------ apparmor.d/groups/virt/k3s | 65 ++++++++++++--------- 2 files changed, 38 insertions(+), 63 deletions(-) delete mode 100644 apparmor.d/groups/network/xtables-nft-multi diff --git a/apparmor.d/groups/network/xtables-nft-multi b/apparmor.d/groups/network/xtables-nft-multi deleted file mode 100644 index 8e71ec36..00000000 --- a/apparmor.d/groups/network/xtables-nft-multi +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi -profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) { - include - include - - capability net_admin, - capability net_raw, - - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - /etc/libnl/classid r, - /etc/iptables/{,**} rw, - /etc/nftables.conf rw, - - @{PROC}/@{pids}/net/ip_tables_names r, - - /dev/pts/[0-9]* rw, - - include if exists -} diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index f16fa487..4ef82b9c 100644 --- a/apparmor.d/groups/virt/k3s 
+++ b/apparmor.d/groups/virt/k3s @@ -9,9 +9,9 @@ include @{exec_path} = /{usr/,}{local/,}bin/k3s profile k3s @{exec_path} flags=(complain) { include - include - include include + include + include capability chown, capability dac_override, @@ -39,22 +39,7 @@ profile k3s @{exec_path} flags=(complain) { /{usr/,}bin/kmod rPx, /{usr/,}bin/mount rPx, /{usr/,}bin/systemd-run rix, - - # These are all symbolic links to xtables-nft-multi on Ubuntu 22.04 - /{usr/,}{s,}bin/iptables rPx -> xtables-nft-multi, - /etc/alternatives/iptables rPx -> xtables-nft-multi, - /{usr/,}{s,}bin/iptables-legacy rPx -> xtables-nft-multi, - /{usr/,}{s,}bin/xtables-nft-multi rPx, - - /{usr/,}{s,}bin/iptables-save rPx -> xtables-nft-multi, - /etc/alternatives/iptables-save rPx -> xtables-nft-multi, - /{usr/,}{s,}bin/iptables-legacy-save rPx -> xtables-nft-multi, - /{usr/,}{s,}bin/xtables-nft-multi rPx, - - /{usr/,}{s,}bin/iptables-restore rPx -> xtables-nft-multi, - /etc/alternatives/iptables-restore rPx -> xtables-nft-multi, - /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi, - /{usr/,}{s,}bin/xtables-nft-multi rPx, + /{usr/,}{s,}bin/xtables-nft-multi rCx -> xtables-nft-multi, @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, 
@@ -141,17 +126,17 @@ profile k3s @{exec_path} flags=(complain) { @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r, @{sys}/devices/system/edac/mc/ r, + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r, + @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, + @{sys}/devices/system/cpu/present{,/} r, + + @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/ r, - @{sys}/devices/system/node/node[0-9]*/meminfo r, - @{sys}/devices/system/node/node[0-9]*/hugepages/ r, - @{sys}/devices/system/node/node[0-9]*/hugepages/hugepages-*/nr_hugepages r, - @{sys}/devices/system/cpu/cpu[0-9]*/topology/core_id r, - @{sys}/devices/system/cpu/cpu[0-9]*/topology/physical_package_id r, - @{sys}/devices/system/cpu/cpu[0-9]*/cache/ r, - @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/{id,size,level,type,shared_cpu_map} r, - @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, - @{sys}/devices/virtual/dmi/id/product_uuid r, + @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r, + @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r, + @{sys}/devices/virtual/dmi/id/* r, @{sys}/fs/cgroup/{,*,*/} r, @{sys}/fs/cgroup/cgroup.subtree_control rw, @@ -172,5 +157,31 @@ profile k3s @{exec_path} flags=(complain) { /dev/kmsg r, + profile xtables-nft-multi flags=(complain) { + include + include + + capability net_admin, + capability net_raw, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, + network netlink raw, + + /{usr/,}{s,}bin/xtables-nft-multi mr, + + /etc/libnl/classid r, + /etc/iptables/{,**} rw, + /etc/nftables.conf rw, + + @{PROC}/@{pids}/net/ip_tables_names r, + + /dev/pts/[0-9]* rw, +} + include if exists } From 3e006e3c763cdfb192651dce94b0e91a6b26875c Mon Sep 17 00:00:00 2001 
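Review bot: `@{sys}/devices/virtual/dmi/id/* r` replaces the single `product_uuid` entry with the whole DMI directory, which also holds the board and product serial files; if k3s reads only a few entries, a brace list such as `@{sys}/devices/virtual/dmi/id/{product_uuid,product_name} r,` (constructed) keeps the disclosure scope explicit. The new `xtables-nft-multi` child profile has no `include if exists` local hook of its own, unlike the parent, so site-specific additions for the firewall helper require editing the shipped file — if the repository convention covers child profiles, add one before its closing brace. Both profiles remain `flags=(complain)`, so the child's `network inet raw` and `net_admin` grants are not yet enforced.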
From: Jeroen Rijken Date: Tue, 19 Jul 2022 14:34:31 +0200 Subject: [PATCH 132/165] Fix for calico unable to create network namespace. --- apparmor.d/groups/virt/cni-calico | 4 +- apparmor.d/groups/virt/cni-loopback | 6 ++- apparmor.d/groups/virt/containerd | 75 +++++++++++++++-------------- apparmor.d/groups/virt/k3s | 1 + 4 files changed, 48 insertions(+), 38 deletions(-) diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 0f1e060e..95ae9b07 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -7,13 +7,14 @@ abi , include @{exec_path} = /opt/cni/bin/calico -profile cni-calico @{exec_path} { +profile cni-calico @{exec_path} flags=(attach_disconnected) { include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, @{exec_path}-ipam rix, @@ -26,6 +27,7 @@ profile cni-calico @{exec_path} { @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, + @{run}/netns/cni-@{uuid} r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index f1e29c59..8567a276 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -10,9 +10,13 @@ include profile cni-loopback @{exec_path} flags=(attach_disconnected) { include + network netlink raw, + @{exec_path} mr, - @{run}/netns/ r, + / r, + + @{run}/netns/ r, @{run}/netns/cni-@{uuid} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index db5899a6..0de0b7b3 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
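Review bot: `/ r` in cni-loopback (and again in the containerd hunk that follows) grants read on the filesystem root with no comment on why it is needed; a one-liner such as `# presumably stat("/") during netns setup — TODO confirm` would keep the rule from looking like a leftover. The `attach_disconnected` flag now added to the cni-calico header deserves the same sort of note, since it changes how paths outside the namespace root are matched.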
@@ -37,37 +37,40 @@ profile containerd @{exec_path} flags=(attach_disconnected) { signal (receive) set=term peer=dockerd, - @{exec_path} mr, - /{usr/,}{s,}bin/apparmor_parser rPx, + @{exec_path} mr, + /{usr/,}{s,}bin/apparmor_parser rPx, /{usr/,}bin/containerd-shim-runc-v2 rPUx, - /{usr/,}bin/kmod rPx, - /{usr/,}bin/unpigz rPUx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + / r, + + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, - /opt/cni/bin/loopback rPx, - /opt/cni/bin/portmap rPx, + /opt/cni/bin/loopback rPx, + /opt/cni/bin/portmap rPx, /opt/cni/bin/bandwidth rPx, - /opt/cni/bin/calico rPx, + /opt/cni/bin/calico rPx, /opt/containerd/{,**} rw, /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, + /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl, /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, /var/log/pods/**/[0-9]*.log w, - @{run}/calico/ w, - @{run}/containerd/{,**} rwk, + @{run}/calico/ w, + @{run}/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk, - @{run}/netns/ w, - @{run}/netns/cni-@{uuid} rw, - @{run}/systemd/notify w, + @{run}/netns/ w, + @{run}/netns/cni-@{uuid} rw, + @{run}/systemd/notify w, /tmp/cri-containerd.apparmor.d[0-9]* rwl, 
@@ -76,27 +79,27 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, - @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/sys/net/core/somaxconn r, - /dev/bsg/ r, - /dev/bus/ r, - /dev/char/ r, - /dev/cpu/ r, - /dev/cpu/[0-9]*/ r, - /dev/dma_heap/ r, - /dev/dri/ r, - /dev/dri/by-path/ r, - /dev/hugepages/ r, - /dev/input/ r, - /dev/input/by-id/ r, - /dev/input/by-path/ r, - /dev/net/ r, - /dev/snd/ r, - /dev/snd/by-path/ r, - /dev/vfio/ r, + /dev/bsg/ r, + /dev/bus/ r, + /dev/char/ r, + /dev/cpu/ r, + /dev/cpu/[0-9]*/ r, + /dev/dma_heap/ r, + /dev/dri/ r, + /dev/dri/by-path/ r, + /dev/hugepages/ r, + /dev/input/ r, + /dev/input/by-id/ r, + /dev/input/by-path/ r, + /dev/net/ r, + /dev/snd/ r, + /dev/snd/by-path/ r, + /dev/vfio/ r, include if exists } diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 4ef82b9c..8b56278a 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -131,6 +131,7 @@ profile k3s @{exec_path} flags=(complain) { @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, @{sys}/devices/system/cpu/present{,/} r, + @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/ r, From c84455cca4c28e2527ed40be8ea0777778bbdb40 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 14:48:57 +0200 Subject: [PATCH 133/165] Fixes for container network creation. --- apparmor.d/groups/virt/cni-calico | 7 +++++++ apparmor.d/groups/virt/cni-loopback | 3 +++ apparmor.d/groups/virt/containerd | 3 +++ 3 files changed, 13 insertions(+) 
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 95ae9b07..cf653b4d 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -10,6 +10,9 @@ include profile cni-calico @{exec_path} flags=(attach_disconnected) { include + capability sys_admin, + capability net_admin, + network inet dgram, network inet6 dgram, network inet stream, @@ -18,6 +21,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{exec_path}-ipam rix, + + / r, /etc/cni/net.d/{,**} r, @@ -29,6 +34,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, + /proc/sys/net/ipv4/ip_forward rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index 8567a276..5e432a94 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -10,6 +10,9 @@ include profile cni-loopback @{exec_path} flags=(attach_disconnected) { include + capability sys_admin, + capability net_admin, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 0de0b7b3..83101f90 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -18,6 +18,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability dac_override, capability fsetid, + capability fowner, capability net_admin, capability sys_admin, 
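Review bot: `capability sys_admin` added to cni-calico (and the identical pair in the cni-loopback hunk) is the broadest capability AppArmor can grant and the hunk gives no reason; if it is there to `setns()` into `@{run}/netns/cni-@{uuid}`, record that with `# sys_admin: setns() into the pod network namespace` above the rule so it is not extended further later. `capability net_admin` is self-explanatory for a CNI plugin and needs no note.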
@@ -58,8 +59,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /opt/containerd/{,**} rw, + /var/lib/cni/{,**/} w, /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl, + /var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0 /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, From a3415dc42c655d0154525830fe21b717b7ec2484 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 14:52:32 +0200 Subject: [PATCH 134/165] Typo and calico proc. --- apparmor.d/groups/virt/cni-calico | 4 +++- apparmor.d/groups/virt/containerd | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index cf653b4d..7e5b0b73 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -34,7 +34,9 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, - /proc/sys/net/ipv4/ip_forward rw, + @{PROC}/sys/net/ipv4/ip_forward rw, + @{PROC}/sys/net/ipv4/{conf,neigh}/cali[0-9a-z]*/* rw, + @{PROC}/sys/net/ipv6/{conf,neigh}/cali[0-9a-z]*/* rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 83101f90..89196c10 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -62,7 +62,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/{,**/} w, /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl, - /var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0 + /var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0, /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, 
From 2deb2a48a6df93cadad474933b75ee2d36e9f5f4 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 15:00:39 +0200 Subject: [PATCH 135/165] Fix name range. --- apparmor.d/groups/virt/containerd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 89196c10..3ecacd9d 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -61,8 +61,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/{,**/} w, /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, - /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl, - /var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0, + /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, + /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0, /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, From 560250cf5f78116a07c818a6b83c24d2c6e7464e Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 15:08:05 +0200 Subject: [PATCH 136/165] Fix mode --- apparmor.d/groups/virt/containerd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 3ecacd9d..99b9f738 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -62,7 +62,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/{,**/} w, /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, - /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0, + /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, From 8f81a39df1c2d54356b691403cdbd1d7f1c0171c Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Tue, 19 Jul 2022 17:10:53 +0200 Subject: [PATCH 137/165] Support read AppArmor profiles --- apparmor.d/groups/virt/k3s | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 8b56278a..38a8f46f 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -153,6 +153,7 @@ profile k3s @{exec_path} flags=(complain) { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, + @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, From c03c6244723f5919118b11b68acbd5af4dcd6750 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 17:14:32 +0200 Subject: [PATCH 138/165] Allow signals from containerd to calico --- apparmor.d/groups/virt/cni-calico | 2 ++ apparmor.d/groups/virt/containerd | 1 + 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 7e5b0b73..a79fe660 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -19,6 +19,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal (receive) set=kill peer=containerd, + @{exec_path} mr, @{exec_path}-ipam rix, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 99b9f738..79806613 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -37,6 +37,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { umount @{run}/netns/cni-@{uuid}, signal (receive) set=term peer=dockerd, + signal (send) set=kill peer=cni-calico, @{exec_path} mr, /{usr/,}{s,}bin/apparmor_parser rPx, From a1f4dbee50a6ccbd2503615b6d82e3f132c81cc4 Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Tue, 19 Jul 2022 21:58:27 +0200 Subject: [PATCH 139/165] First batch of cleanups based on PR comments. --- apparmor.d/groups/virt/cni-calico | 5 ++--- apparmor.d/groups/virt/k3s | 8 +++----- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a79fe660..68467671 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -36,9 +36,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, - @{PROC}/sys/net/ipv4/ip_forward rw, - @{PROC}/sys/net/ipv4/{conf,neigh}/cali[0-9a-z]*/* rw, - @{PROC}/sys/net/ipv6/{conf,neigh}/cali[0-9a-z]*/* rw, + @{PROC}/sys/net/ipv{4,6}/ip_forward rw, + @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 38a8f46f..fa2d75be 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -80,9 +80,7 @@ profile k3s @{exec_path} flags=(complain) { /var/log/pods/{,**/} rw, /var/log/pods/**/[0-9]*.log rw, - owner @{HOME}/.kube/cache/discovery/{,**} rw, - owner @{HOME}/.kube/cache/http/[0-9a-z]* rw, - owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw, + owner @{HOME}/.kube/** rw, @{run}/containerd/containerd.sock rw, @{run}/systemd/notify w, @@ -109,8 +107,8 @@ profile k3s @{exec_path} flags=(complain) { @{PROC}/modules r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv4/conf/all/* rw, - @{PROC}/sys/net/ipv4/conf/default/* rw, + @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, + @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, @{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/kernel/keys/* r, From dca33292f7358e20c885bd3f7a809f3d8897335c Mon Sep 17 00:00:00 2001 
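Review bot: `owner @{HOME}/.kube/** rw` in the k3s hunk widens the earlier cache-only rules to the whole `.kube` tree, which includes `config` (cluster credentials) with write access; if the embedded kubectl only needs its discovery/http cache, `owner @{HOME}/.kube/cache/** rw,` plus `owner @{HOME}/.kube/config r,` keeps the kubeconfig read-only. The `@{PROC}/sys/net/ipv{4,6}/ip_forward rw` rule is also slightly off: IPv6 forwarding is controlled via `conf/*/forwarding`, not an `ip_forward` sysctl, so the ipv6 half of that brace never matches (harmless, but a comment or the correct path would avoid future confusion). The cni-calico `{conf,neigh}/cali[0-9a-z]*/*` merge looks fine. Both profiles continue outside the hunk.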
From: Jeroen Rijken Date: Thu, 21 Jul 2022 15:58:30 +0200 Subject: [PATCH 140/165] Update ruleset for clean installation. --- apparmor.d/groups/virt/k3s | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index fa2d75be..e403ba0e 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -14,15 +14,18 @@ profile k3s @{exec_path} flags=(complain) { include capability chown, + capability kill, capability dac_override, capability dac_read_search, capability net_admin, capability syslog, capability sys_admin, + capability sys_ptrace, capability sys_resource, ptrace peer=@{profile_name}, ptrace (read) peer=unconfined, + ptrace (read) peer=cri-containerd.apparmor.d, network inet dgram, network inet6 dgram, @@ -34,6 +37,7 @@ profile k3s @{exec_path} flags=(complain) { umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, signal (send, receive) set=term, + signal (send) set=kill peer=unconfined, @{exec_path} mr, /{usr/,}bin/kmod rPx, 
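Review bot: The new `signal (send) set=kill peer=unconfined` only covers unconfined targets, while the `ptrace (read)` rule added in the same hunk names `cri-containerd.apparmor.d` as a peer; if container processes run under that default profile, kubelet's kill of a pod process will still be denied once the profile leaves complain mode, so `signal (send) set=kill peer={cri-containerd.apparmor.d,unconfined},` is probably what is wanted (hedged: the actual container label depends on the runtime's default profile). `capability sys_ptrace` plus `ptrace (read) peer=unconfined` lets k3s read `/proc/<pid>/*` of any unconfined process on the host; that is expected for cadvisor-style stats collection, but a one-line why-comment such as `# cadvisor reads /proc/<pid>/ of container processes` above the capability would make the grant deliberate rather than audit-driven. The profile header and the rest of the rule set are outside this hunk.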
@@ -48,27 +52,11 @@ profile k3s @{exec_path} flags=(complain) { /usr/share/mime/globs2 r, /etc/machine-id r, - /etc/rancher/k3s/{,**} r, - /etc/rancher/k3s/k3s.yaml rw, - /etc/rancher/node/password r, + /etc/rancher/{,**} rw, - /var/lib/rancher/k3s/{,**} r, - /var/lib/rancher/k3s/agent/** rw, - /var/lib/rancher/k3s/server/** rw, - /var/lib/rancher/k3s/server/db/** rwk, - - # k3s want's to basically manage all directories and create some specific files. - /var/lib/kubelet/{,**/} rw, - /var/lib/kubelet/{cpu_manager_state,memory_manager_state} r, - /var/lib/kubelet/device-plugins/{,DEPRECATION,kubelet.sock} rw, - /var/lib/kubelet/pod-resources/{kubelet.sock,[0-9]*} rw, - /var/lib/kubelet/pods/@{uuid}/containers/*/[0-9a-f]* rw, - /var/lib/kubelet/pods/@{uuid}/etc-hosts rw, - /var/lib/kubelet/pods/@{uuid}/plugins/kubernetes.io~*/{,**} rw, - /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**} rw, - /var/lib/kubelet/pods/@{uuid}/**/ca.crt rw, - /var/lib/kubelet/pods/@{uuid}/**/namespace rw, - /var/lib/kubelet/pods/@{uuid}/**/token rw, + /var/lib/kubelet/{,**} rw, + /var/lib/rancher/k3s/data/.lock rwk, + /var/lib/rancher/k3s/server/db/{,**} rwk, /var/log/containers/ r, /var/log/containers/** rw, @@ -93,6 +81,8 @@ profile k3s @{exec_path} flags=(complain) { owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/cpuset r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/limits r, owner @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/net/dev r, @@ -104,6 +94,7 @@ profile k3s @{exec_path} flags=(complain) { owner @{PROC}/@{pids}/uid_map r, @{PROC}/diskstats r, + @{PROC}/loadavg r, @{PROC}/modules r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/core/somaxconn r, @@ -117,6 +108,7 @@ profile k3s @{exec_path} flags=(complain) { @{PROC}/sys/kernel/panic_on_oops rw, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/threads-max r, @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, 
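Review bot: `/etc/rancher/{,**} rw` replaces rules that kept `node/password` and the rest of `/etc/rancher/k3s/` read-only and only allowed writes to `k3s.yaml`; the new rule grants write to the node join password, `config.yaml` and any future file under `/etc/rancher`. If the agent only generates `node/password` on first start (hedged: that is my understanding of k3s, not visible here), `/etc/rancher/{,**} r,` with explicit `rw` for `k3s/k3s.yaml` and `node/password` would preserve most of the previous boundary. The collapse of the per-pod `ca.crt`/`namespace`/`token` rules into `/var/lib/kubelet/{,**} rw` is reasonable for a kubelet, but worth a comment like `# kubelet owns the whole pods tree (volumes, projected tokens, plugins)` so the breadth reads as intentional.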
From d6d9c943aefe986effb9331929104f1a8a305c1b Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Thu, 21 Jul 2022 16:00:06 +0200 Subject: [PATCH 141/165] Add missing permission --- apparmor.d/groups/virt/k3s | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index e403ba0e..d8d5180c 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -55,6 +55,7 @@ profile k3s @{exec_path} flags=(complain) { /etc/rancher/{,**} rw, /var/lib/kubelet/{,**} rw, + /var/lib/rancher/{,**} rw, /var/lib/rancher/k3s/data/.lock rwk, /var/lib/rancher/k3s/server/db/{,**} rwk, From 61eab33cd8d8a34902e3d8d5c0bbefa2d2036dca Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Thu, 21 Jul 2022 16:03:54 +0200 Subject: [PATCH 142/165] Add ptrace subprofile --- apparmor.d/groups/virt/k3s | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index d8d5180c..293e24d8 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -24,8 +24,7 @@ profile k3s @{exec_path} flags=(complain) { capability sys_resource, ptrace peer=@{profile_name}, - ptrace (read) peer=unconfined, - ptrace (read) peer=cri-containerd.apparmor.d, + ptrace (read) peer={cri-containerd.apparmor.d,k3s//xtables-nft-multi,unconfined}, network inet dgram, network inet6 dgram, @@ -149,6 +148,7 @@ profile k3s @{exec_path} flags=(complain) { @{sys}/module/apparmor/parameters/enabled r, /dev/kmsg r, + /dev/pts/[0-9]* rw, profile xtables-nft-multi flags=(complain) { include From 130c5624880e86bad40e7ead5c4d07f25d555f2a Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Thu, 21 Jul 2022 16:46:01 +0200 Subject: [PATCH 143/165] Allow containerd signal from k3s --- apparmor.d/groups/virt/containerd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 79806613..bdbc10fe 100644 
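Review bot: `/dev/pts/[0-9]* rw` in the k3s profile is not `owner`-restricted, so the profile permits writing to any user's pseudo-terminal, not just the one `kubectl` was started from; `owner /dev/pts/[0-9]* rw,` is the usual form for an interactive tool and matches how other profiles here scope pty access. The ptrace rule's new peer `k3s//xtables-nft-multi` refers to the child profile that the very next commit (144) moves out of k3s into `cni-xtables-nft`; after that move this label no longer exists and the entry should be updated to the new profile name. The profile body extends beyond this hunk.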
--- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -36,7 +36,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, umount @{run}/netns/cni-@{uuid}, - signal (receive) set=term peer=dockerd, + signal (receive) set=term peer={dockerd,k3s}, signal (send) set=kill peer=cni-calico, @{exec_path} mr, From b404d7e4c463fa94f5527820d6450586d0369af0 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Thu, 21 Jul 2022 16:46:34 +0200 Subject: [PATCH 144/165] Move xtables-nft to separate profile --- apparmor.d/groups/virt/cni-portmap | 7 ++++++ apparmor.d/groups/virt/cni-xtables-nft | 34 ++++++++++++++++++++++++++ apparmor.d/groups/virt/k3s | 33 +++++-------------------- 3 files changed, 47 insertions(+), 27 deletions(-) create mode 100644 apparmor.d/groups/virt/cni-xtables-nft diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 38fec593..0c83c88a 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -10,7 +10,14 @@ include profile cni-portmap @{exec_path} { include + capability net_admin, + + network netlink raw, + @{exec_path} mr, + /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft, + + @{PROC}/sys/net/ipv4/conf/cali[0-9a-z]*/route_localnet rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft new file mode 100644 index 00000000..45d2820a --- /dev/null +++ b/apparmor.d/groups/virt/cni-xtables-nft 
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi +profile cni-xtables-nft flags=(complain) { + include + include + + capability net_admin, + capability net_raw, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/libnl/classid r, + /etc/iptables/{,**} rw, + /etc/nftables.conf rw, + + @{PROC}/@{pids}/net/ip_tables_names r, + + /dev/pts/[0-9]* rw, +} diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 293e24d8..423e79d6 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -38,11 +38,15 @@ profile k3s @{exec_path} flags=(complain) { signal (send, receive) set=term, signal (send) set=kill peer=unconfined, + unix (bind,listen) type=stream addr=@xtables, + @{exec_path} mr, /{usr/,}bin/kmod rPx, /{usr/,}bin/mount rPx, /{usr/,}bin/systemd-run rix, - /{usr/,}{s,}bin/xtables-nft-multi rCx -> xtables-nft-multi, + /{usr/,}bin/{nano,emacs,ed} rPUx, + /{usr/,}bin/vim{,.basic} rPUx, + /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft, @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, @@ -78,6 +82,7 @@ profile k3s @{exec_path} flags=(complain) { @{run}/xtables.lock rwk, owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /tmp/kubectl-edit-[0-9]*.yaml rw, owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/cpuset r, 
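Review bot: `/etc/iptables/{,**} rw` and `/etc/nftables.conf rw` give the CNI-invoked `xtables-nft-multi` write access to the host's persistent firewall configuration; the iptables binaries themselves read and write rules over netlink, and iptables-save/restore use stdin/stdout, so the write half is likely not needed for the portmap/k3s call path (hedged: these look carried over from the k3s subprofile rather than from a denial). `r` on both, with `rw` only if a denial shows an actual write, would keep a compromised plugin from persisting rules across reboot. The same unowned `/dev/pts/[0-9]* rw` issue as in k3s appears here; `owner` would be the safer default.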
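Review bot: `/{usr/,}bin/{nano,emacs,ed} rPUx` and `/{usr/,}bin/vim{,.basic} rPUx` in the k3s hunk launch an editor that falls back to unconfined when no profile exists, from inside a profile that also holds `sys_admin`, `net_admin` and `sys_ptrace`; that is for `kubectl edit`, which honours `$KUBE_EDITOR`/`$EDITOR`, so this list is both incomplete and wider than a confined child would be. A dedicated child profile (`rCx -> editor`) with only the rules an editor needs, or a comment stating that `kubectl edit` is deliberately left to the user's editor profile, would make the trust decision explicit. `owner /tmp/kubectl-edit-[0-9]*.yaml rw` assumes a numeric-only suffix; recent kubectl uses a random alphanumeric temp name (hedged), so `[0-9a-z]*` would be more robust.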
@@ -150,31 +155,5 @@ profile k3s @{exec_path} flags=(complain) { /dev/kmsg r, /dev/pts/[0-9]* rw, - profile xtables-nft-multi flags=(complain) { - include - include - - capability net_admin, - capability net_raw, - - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network inet stream, - network inet6 stream, - network netlink raw, - - /{usr/,}{s,}bin/xtables-nft-multi mr, - - /etc/libnl/classid r, - /etc/iptables/{,**} rw, - /etc/nftables.conf rw, - - @{PROC}/@{pids}/net/ip_tables_names r, - - /dev/pts/[0-9]* rw, -} - include if exists } From 266d5c6dc0a8039cfae9c1593b5af3e69a618394 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Thu, 21 Jul 2022 16:50:55 +0200 Subject: [PATCH 145/165] Add IPV6 --- apparmor.d/groups/virt/cni-portmap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 0c83c88a..05d9e31e 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -17,7 +17,7 @@ profile cni-portmap @{exec_path} { @{exec_path} mr, /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft, - @{PROC}/sys/net/ipv4/conf/cali[0-9a-z]*/route_localnet rw, + @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, From eb87e035b818a4693ccaa11f50241c6e21d34134 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 17:09:36 +0200 Subject: [PATCH 146/165] Initial containerd-shim-runc support --- apparmor.d/groups/virt/containerd | 3 +- .../groups/virt/containerd-shim-runc-v2 | 43 +++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/virt/containerd-shim-runc-v2 diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index bdbc10fe..3b8e473f 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
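Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw` in the cni-portmap hunk adds an IPv6 path that does not exist in the kernel — `route_localnet` is an IPv4-only sysctl (`net.ipv4.conf.<if>.route_localnet`); the brace expands to a rule that can never match. It is harmless, but keeping the original `ipv4` path avoids implying an IPv6 control that isn't there, e.g. `@{PROC}/sys/net/ipv4/conf/cali[0-9a-z]*/route_localnet rw,  # IPv4 only; no v6 equivalent`.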
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -29,7 +30,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { network netlink raw, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, - mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid}, umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 new file mode 100644 index 00000000..d603f646 --- /dev/null +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 
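Review bot: Dropping `fstype=zfs` from `mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/` turns a rule scoped to one filesystem type into a permission to mount anything (any source, any type, any options, including bind mounts) under that path; containerd already has `sys_admin`, so this rule is the only thing constraining what it may mount there. If the denial that prompted the change was for the overlay snapshotter, `mount fstype={overlay,zfs} -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,` keeps the restriction while covering the new case (hedged: the failing fstype is not stated in the commit). The matching `umount` rule is outside this hunk.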
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/containerd-shim-runc-v2 +profile containerd-shim-runc-v2 @{exec_path} flags=(complain,attach_disconnected) { + include + + capability dac_read_search, + capability dac_override, + capability net_admin, + capability sys_admin, + capability sys_resource, + + mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/, + umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/, + + @{exec_path} mrix, + /{usr/,}{s,}bin/runc rPUx, + + /tmp/runc-process[0-9]* rw, + + @{run}/containerd/containerd.sock.ttrpc rw, + @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stderr rw, + @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stdout rw, + @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/{,*} rw, + @{run}/containerd/s/[0-9a-z]* rw, + @{run}/secrets/kubernetes.io/serviceaccount/*/token w, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/fs/cgroup/kubepods/{,**} rw, + @{sys}/fs/cgroup/{,**} rw, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/sys/net/core/somaxconn r, + + include if exists +} From 137433ce6edd6dd45386b06f0d69593ff4a48602 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 18:10:01 +0200 Subject: [PATCH 147/165] dbus to NetworkManager --- apparmor.d/groups/ubuntu/packagekitd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index ebdb316f..f57c8d85 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd 
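Review bot: The `mount`/`umount` rules use a literal `/run/containerd/...` while every other rule in the same profile uses `@{run}/containerd/...`; on systems where `@{run}` also covers `/var/run` the mount rules silently miss, so `mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,` (and the umount twin) keeps the profile consistent. The mount rule also carries no `fstype` or `options` constraint, which combined with `sys_admin` permits arbitrary mounts under the task directory; at minimum a comment such as `# rootfs is overlay/bind-mounted by the shim; constrain once observed types are known` flags this as a known gap. `@{run}/secrets/kubernetes.io/serviceaccount/*/token w` is surprising for a shim (projected tokens are written by kubelet) and deserves a why-comment if it came from a real denial.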
@@ -38,7 +38,7 @@ profile packagekitd @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member={CheckPermissions,StateChanged}, + member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}, dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties From 55bd85796c96f7af96502f5ab3cc70ee4783a6ac Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 19 Jul 2022 20:02:55 +0200 Subject: [PATCH 148/165] packagekitd dbus updates --- apparmor.d/groups/ubuntu/packagekitd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index f57c8d85..37de8341 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -46,7 +46,7 @@ profile packagekitd @{exec_path} { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown,SessionRemoved}, + member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved}, dbus bind bus=system name=org.freedesktop.PackageKit, From 48c023d4bd27fed59c4d5f886a7b1229f300fe32 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Jul 2022 20:15:02 +0100 Subject: [PATCH 149/165] feat(profiles): containerd support for docker & cosmetic. --- apparmor.d/groups/virt/containerd | 20 +++++++++---------- .../groups/virt/containerd-shim-runc-v2 | 18 +++++++++++++---- 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 3b8e473f..3f0ba0c6 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -10,10 +10,10 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} flags=(attach_disconnected) { include - include - include - include include + include + include + include capability chown, capability dac_read_search, @@ -47,18 +47,18 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, - / r, - - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, - /etc/containerd/*.toml r, - /opt/cni/bin/loopback rPx, /opt/cni/bin/portmap rPx, /opt/cni/bin/bandwidth rPx, /opt/cni/bin/calico rPx, + / r, + + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, + /etc/containerd/*.toml r, + /opt/containerd/{,**} rw, /var/lib/cni/{,**/} w, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index d603f646..81a19d24 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only @@ -9,9 +10,10 @@ include @{exec_path} = /{usr/,}bin/containerd-shim-runc-v2 profile containerd-shim-runc-v2 @{exec_path} flags=(complain,attach_disconnected) { include + include - capability dac_read_search, capability dac_override, + capability dac_read_search, capability net_admin, capability sys_admin, capability sys_resource, 
@@ -20,20 +22,28 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(complain,attach_disconnected umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/, @{exec_path} mrix, + /{usr/,}{s,}bin/runc rPUx, /tmp/runc-process[0-9]* rw, + /tmp/pty[0-9]*/ rw, + /tmp/pty[0-9]*/pty.sock rw, + @{run}/containerd/ rw, @{run}/containerd/containerd.sock.ttrpc rw, @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stderr rw, @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stdout rw, @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/{,*} rw, - @{run}/containerd/s/[0-9a-z]* rw, + @{run}/containerd/s/{,[0-9a-z]*} rw, + + @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw, + @{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw, + @{run}/docker/containerd/daemon/io.containerd.*/{,**} rw, @{run}/secrets/kubernetes.io/serviceaccount/*/token w, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/fs/cgroup/{,**} rw, + @{sys}/fs/cgroup/kubepods/{,**} rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/oom_score_adj rw, From 595a27560fdb08880d167b6bc35ec6d5e301ece2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Jul 2022 20:17:03 +0100 Subject: [PATCH 150/165] feat(profiles): add mullvad profiles. --- apparmor.d/groups/network/mullvad-daemon | 54 +++++++++++++++++ apparmor.d/groups/network/mullvad-gui | 75 ++++++++++++++++++++++++ dists/flags/main.flags | 2 + 3 files changed, 131 insertions(+) create mode 100644 apparmor.d/groups/network/mullvad-daemon create mode 100644 apparmor.d/groups/network/mullvad-gui diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon new file mode 100644 index 00000000..4f7fe0cc --- /dev/null +++ b/apparmor.d/groups/network/mullvad-daemon 
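Review bot: `/tmp/pty[0-9]*/ rw` and `/tmp/pty[0-9]*/pty.sock rw` let a root daemon create a predictably named directory and socket in world-writable `/tmp` without `owner`; an unprivileged user who pre-creates `/tmp/pty<N>/` can then influence where the shim places its console socket. Scoping both with `owner` (`owner /tmp/pty[0-9]*/ rw,` and `owner /tmp/pty[0-9]*/pty.sock rw,`) limits the rule to objects the shim itself owns, in line with how the profile already scopes nothing else in `/tmp` (the earlier `/tmp/runc-process[0-9]*` rule has the same weakness). The `@{run}/docker/containerd/...` additions look fine.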
@@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon" +profile mullvad-daemon @{exec_path} { + include + include + + capability dac_override, + capability net_admin, + capability net_raw, + capability sys_admin, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network netlink dgram, + + mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + + @{exec_path} mr, + + "/opt/Mullvad VPN/resources/*" r, + + /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/*.json rw, + /etc/resolv.conf rw, + /etc/resolv.conf.mullvadbackup rw, + + /var/cache/mullvad-vpn/{,*} rw, + /var/log/mullvad-vpn/{,*} rw, + + @{run}/mullvad-vpn rw, + @{run}/NetworkManager/resolv.conf r, + + @{sys}/fs/cgroup/net_cls/ w, + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + owner @{PROC}/@{pid}/mounts r, + @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui new file mode 100644 index 00000000..a602dbfe --- /dev/null +++ b/apparmor.d/groups/network/mullvad-gui 
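Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw` includes an IPv6 path that, as far as I know, the kernel does not provide — `src_valid_mark` is an IPv4-only sysctl — so the brace should be `ipv4` alone, with a comment noting why the VPN daemon toggles it (policy-routed WireGuard traffic). The profile also ends with `\ No newline at end of file`; add the trailing newline for consistency with the rest of the repository. `/etc/resolv.conf rw` plus `mount fstype=cgroup` and `sys_admin` are a lot of host authority for a profile put straight into complain mode; a short header comment describing which of these are needed for DNS takeover and split-tunnel cgroup setup would help the next reviewer judge them.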
@@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = "/opt/Mullvad VPN/mullvad-gui" +profile mullvad-gui @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + + capability sys_chroot, + capability sys_ptrace, + capability sys_admin, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mrix, + + "/opt/Mullvad VPN/*.so*" rm, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gsettings rix, + /{usr/,}bin/xdg-open rPx, + + "/opt/Mullvad VPN/{,**}" r, + /usr/share/themes/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/libva.conf r, + /var/lib/dbus/machine-id r, + + owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk, + + owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, + + @{sys}/bus/pci/devices/ r, + @{sys}/devices/virtual/tty/tty[0-9]*/active r, + @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r, + + @{PROC}/ r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{uid}/cmdline r, + owner @{PROC}/@{uid}/fd/ r, + owner @{PROC}/@{uid}/cgroup r, + owner @{PROC}/@{uid}/gid_map w, + owner @{PROC}/@{uid}/oom_score_adj w, + owner @{PROC}/@{uid}/setgroups w, + owner @{PROC}/@{uid}/stat r, + owner @{PROC}/@{uid}/statm r, + owner @{PROC}/@{uid}/task/ r, + owner @{PROC}/@{uid}/task/@{tid}/status r, + owner @{PROC}/@{uid}/uid_map w, + + /dev/tty rw, + + include if exists +} \ No newline at end of file diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 0e115545..d4886101 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
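Review bot: The `owner @{PROC}/@{uid}/{cmdline,fd/,cgroup,gid_map,oom_score_adj,setgroups,stat,statm,task/,uid_map}` rules use `@{uid}` where `/proc` entries are keyed by pid; the sibling profile in the same commit (mullvad-daemon) and the apt profile below correctly use `@{pid}`/`@{pids}`. If `@{uid}` is the user's numeric uid these rules never match and every Chromium sandbox setup (`gid_map`, `uid_map`, `setgroups` writes) will be denied once the profile leaves complain; if it is a numeric glob the rules are merely misnamed — either way `owner @{PROC}/@{pid}/...` is the intended variable. Separately, `.mutter-Xwaylandauth.[a-zA-z0-9]*` has a lowercase `z` in the range (`A-z` also covers `[\]^_` and backtick); it should read `[a-zA-Z0-9]*`. The trailing `\ No newline at end of file` should also be fixed.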
@@ -95,6 +95,8 @@ mke2fs complain ModemManager attach_disconnected,complain molly-guard complain mount complain +mullvad-daemon complain +mullvad-gui complain nautilus complain needrestart attach_disconnected,complain needrestart-iucode-scan-versions complain From 58b96a7ba930acec9fb45e313676f873048bd8b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Jul 2022 22:31:59 +0100 Subject: [PATCH 151/165] feat(profiles): add aptd profile. --- apparmor.d/groups/apt/apt | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index d81143b6..02cfe59a 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get +@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd profile apt @{exec_path} flags=(attach_disconnected) { include include @@ -15,6 +15,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { include include include + include + include capability chown, capability dac_override, @@ -31,14 +33,12 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix (receive, send) type=stream peer=(label=apt-esm-json-hook), - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.PackageKit), + dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*} + interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}}, dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.PackageKit - member=StateHasChanged + interface=org.freedesktop.{DBus.Introspectable,PackageKit} + member={StateHasChanged,Introspect} peer=(name=org.freedesktop.PackageKit), dbus send bus=system path=/org/freedesktop/login[0-9] 
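Review bot: Adding `/{usr/,}{s,}bin/aptd` to `@{exec_path}` merges a long-running system D-Bus service that accepts requests from unprivileged users (authorised via polkit, per the `CheckAuthorization` rule) into the same profile as the interactive `apt`/`apt-get` CLI, so the daemon inherits everything the CLI needs — shells via `rix`, the `pager` child profile, and the unowned `@{PROC}/@{pids}/cmdline r` added further down — and the CLI inherits the daemon's `dbus bind` and `org.debian.apt` rules. A separate `aptd` profile (even if it starts as a near-copy) keeps the network-reachable attack surface distinct from the local tool. If the merge is deliberate, a header comment such as `# aptd (D-Bus service) shares this profile with the apt CLI; review both when widening rules` would record that decision.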
@@ -46,8 +46,22 @@ profile apt @{exec_path} flags=(attach_disconnected) { member=Inhibit peer=(name=org.freedesktop.login[0-9]), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus{,.Introspectable} + member={RequestName,GetConnectionUnixProcessID,Introspect} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority} + member={CheckAuthorization,Introspect}, + + dbus bind bus=system + name= org.debian.apt, + @{exec_path} mr, + /{usr/,}{s,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/echo rix, @@ -94,6 +108,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { # For changelogs /{usr/,}bin/sensible-pager rCx -> pager, + /usr/share/xml/iso-codes/{,**} r, + /etc/apt/sources.list rwk, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -125,8 +141,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner /tmp/apt.conf.* rw, owner /tmp/apt.data.* rw, - owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, /dev/ptmx rw, From 177d27d94cff5a6e3591b120807e1fb95632a2db Mon Sep 17 00:00:00 2001 
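Review bot: `dbus bind bus=system name= org.debian.apt,` has a space after `name=`; every other dbus rule in this file writes `name=org...` with no whitespace, so at best this is inconsistent and at worst it may not parse as intended — confirm with `apparmor_parser -Q` and write `name=org.debian.apt,`. `/{usr/,}{s,}bin/ r` grants directory listing of every system binary directory; if it is only there because aptd enumerates one path, narrowing it to that directory is preferable. `@{PROC}/@{pids}/cmdline r` without `owner` lets the profile read the command line of any process on the host; that is presumably for mapping a D-Bus caller's pid (the `GetConnectionUnixProcessID` rule above), so a why-comment there would justify the unowned read.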
From: Alexandre Pujol Date: Thu, 21 Jul 2022 22:37:17 +0100 Subject: [PATCH 152/165] feat(profiles): general update. --- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/freedesktop/geoclue | 4 ++ apparmor.d/groups/freedesktop/plymouthd | 6 +- apparmor.d/groups/freedesktop/xorg | 10 +++ apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-control-center | 65 +++---------------- apparmor.d/groups/gnome/gnome-keyring-daemon | 5 ++ apparmor.d/groups/gnome/gsd-color | 6 +- apparmor.d/groups/gnome/gsd-power | 5 +- .../groups/gnome/gsd-print-notifications | 3 + apparmor.d/groups/gnome/tracker-miner | 1 + apparmor.d/groups/gvfs/gvfsd-dnssd | 5 ++ .../groups/ubuntu/software-properties-dbus | 19 +++++- .../groups/ubuntu/software-properties-gtk | 27 +++++++- apparmor.d/profiles-a-f/boltd | 4 +- apparmor.d/profiles-g-l/hugo | 2 +- apparmor.d/profiles-m-r/needrestart | 4 +- apparmor.d/profiles-m-r/power-profiles-daemon | 6 +- apparmor.d/profiles-s-z/system-config-printer | 3 +- 19 files changed, 106 insertions(+), 73 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index da7c5a33..444e83c8 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -18,7 +18,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { network netlink raw, dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.{DBus.Properties,ColorManager}, + interface=org.freedesktop.{DBus.Properties,ColorManager*}, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 0fbe6c05..37871075 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue 
@@ -53,6 +53,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.NetworkManager member={CheckPermissions,StateChanged,PropertiesChanged}, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + dbus bind bus=system name=org.freedesktop.GeoClue2, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 78e16ddd..2cab9318 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -32,13 +32,13 @@ profile plymouthd @{exec_path} { @{run}/udev/data/+drm:* r, @{run}/udev/data/c226:* r, + @{run}/udev/data/c29:* r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/uevent r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/uevent r, - @{sys}/devices/pci[0-9]*/**/drm/renderD128/uevent r, + @{sys}/class/graphics/ r, + @{sys}/devices/pci[0-9]*/**/{,uevent} r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/acpi/bgrt/{,*} r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index ab5783ba..090e2ee8 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -13,6 +13,7 @@ include @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -40,6 +41,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} + interface=org.freedesktop.{DBus.Properties,login1.Session} + member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID} + peer=(name=org.freedesktop.login[0-9]), + + dbus receive bus=system path=/org/freedesktop/login[0-9]/session/* + interface=org.freedesktop.login1.Session + member=PauseDevice, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 5247d407..548b699f 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member=CreateSession, + member={CreateSession,ReleaseSession}, @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1efb4649..c6c3ef91 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,9 +10,8 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include include 
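Review bot: In the xorg hunk, `member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID}` is paired with `interface=org.freedesktop.{DBus.Properties,login1.Session}`, but `GetSessionByPID` lives on `org.freedesktop.login1.Manager` at `/org/freedesktop/login1`, so that call is not actually allowed by this rule and will still be denied. Splitting it out, e.g. `dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login1.Manager member=GetSessionByPID peer=(name=org.freedesktop.login[0-9]),`, and keeping the Session-scoped members on the `session/*` path makes each rule exact. The gdm-session-worker `ReleaseSession` addition looks correct.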
@@ -35,54 +34,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=unconfined, signal (send) set=(kill) peer=passwd, - dbus send bus=system path=/org/freedesktop{,ModemManager[0-9],UDisks2} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, - - dbus send bus=system path=/net/reactivated/Fprint/Manager - interface=net.reactivated.Fprint.Manager - member=GetDevices, - - dbus send bus=system path=/net/reactivated/Fprint/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member=CheckAuthorization, - - dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member={ListCachedUsers,FindUserById}, - - dbus send bus=system path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/hostname[0-9] - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=GetPermissions, - - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* - interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings, - - dbus send bus=system path=/org/freedesktop/systemd[0-9] - interface=org.freedesktop.DBus.Properties - member={GetAll,Get}, - @{exec_path} mr, /{usr/,}bin/{,b,d,rb}ash rUx, 
@@ -101,7 +52,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/language-tools/language2locale rix, - /snap/*/[0-9]*/*.png r, + /snap/*/[0-9]*/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, /usr/share/egl/{,**} r, @@ -109,12 +60,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-background-properties/{,**} r, /usr/share/gnome-bluetooth{-*,}/{,**} r, /usr/share/gnome-color-manager/{,**} r, + /usr/share/gnome-control-center/{,**} r, /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, /usr/share/mime/{,**} r, /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, - /usr/share/ubuntu/applications/ r, + /usr/share/ubuntu/applications/{,*} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, @@ -135,9 +87,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/mimeapps.list.* rw, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/icc/{,edid-*} r, + owner @{user_share_dirs}/sounds/__custom/{,*} rw, owner @{user_share_dirs}/webkitgtk/{,**} r, owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, 
@@ -145,10 +99,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, - @{run}/systemd/users/@{uid} r, + @{run}/cups/cups.sock rw, + @{run}/samba/ rw, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, - @{run}/cups/cups.sock rw, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+dmi:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 0c245569..85b6e24b 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -19,6 +19,11 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=ssh-agent, + dbus send bus=system path=/org/freedesktop/login[0-9]/session/* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.login[0-9]), + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=GetSession diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index e2d9852b..3f14d3ea 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -18,10 +18,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus (send, receive) bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager, + dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*} + interface=org.freedesktop.ColorManager*, - dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*} + dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/*,/profiles/*} interface=org.freedesktop.DBus.Properties member=GetAll, 
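Review bot: In the gsd-color hunk, `interface=org.freedesktop.ColorManager*` combined with `(send, receive)` and no `member=` now matches every interface under that prefix on `/org/freedesktop/ColorManager{,/devices/*}`, which is noticeably wider than the exact interface the removed line named. If the widening is meant to cover the per-device interface on the `/devices/*` objects (presumably `org.freedesktop.ColorManager.Device`), spelling it out as `interface=org.freedesktop.ColorManager{,.Device}` keeps the rule explicit and auditable. The `Properties` rule below it already uses the explicit `member=GetAll,` form, so the two rules would then read consistently.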
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 6a09314b..557146a9 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -92,8 +92,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/leds/*backlight*/max_brightness r, @{sys}/devices/platform/**/leds/*backlight*/brightness rw, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/cgroup r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 2cf18564..cf9a4654 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -31,6 +31,9 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew}, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 8191ba33..ce6051e1 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -27,6 +27,7 @@ profile tracker-miner @{exec_path} { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, /usr/share/ubuntu/applications/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index c7e81148..e6659825 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd 
@@ -18,6 +18,11 @@ profile gvfsd-dnssd @{exec_path} { interface=org.freedesktop.Avahi.Server member={Ping,GetAPIVersion,GetState,ServiceBrowserNew}, + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9] interface=org.freedesktop.Avahi.ServiceBrowser member={CacheExhausted,AllForNow}, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index dd542213..0bea79d9 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -10,9 +10,23 @@ include profile software-properties-dbus @{exec_path} { include include - include - include include + include + include + include + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload, dbus bind bus=system name=com.ubuntu.SoftwareProperties, @@ -31,6 +45,7 @@ profile software-properties-dbus @{exec_path} { owner /tmp/tmp*/{,apt.conf} rw, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 1f0d4603..f5e7e6d9 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -16,8 +16,22 @@ profile software-properties-gtk @{exec_path} { include include + dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager} + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus send bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + @{exec_path} mr, + /{usr/,}bin/ r, + /{usr/,}bin/aplay rPx, /{usr/,}bin/apt-key rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, @@ -25,25 +39,36 @@ profile software-properties-gtk @{exec_path} { /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/ubuntu-advantage rPx, + /usr/share/distro-info/*.csv r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/mime/mime.cache r, /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, + /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/gtk-3.0/settings.ini r, /etc/machine-id r, /etc/update-manager/release-upgrades r, + /var/lib/snapd/desktop/icons/ r, + + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + + owner /tmp/[a-z0-9]* rw, + owner /tmp/tmp*/{,apt.conf} rw, + @{sys}/devices/ r, @{sys}/devices/**/ r, @{sys}/devices/**/modalias r, + @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index a98cdfa7..e46ecbe3 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{libexec}/boltd -profile boltd @{exec_path} { +profile boltd @{exec_path} flags=(attach_disconnected) { include + include include capability net_admin, 
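Review bot: `@{PROC}/@{pids}/mountinfo r,` in the second software-properties-gtk hunk drops the `owner` qualifier and the `@{pid}` variable that the removed `owner @{PROC}/@{pid}/mountinfo r,` line had, so the profile can now read the mount table of every process rather than only its own; unless that is required, keep `owner @{PROC}/@{pid}/mountinfo r,` alongside the new `owner @{PROC}/@{pid}/mounts r,`. `owner /tmp/[a-z0-9]* rw,` is also broad — it matches any lowercase-alphanumeric name in /tmp — while the `owner /tmp/tmp*/{,apt.conf} rw,` line right below it suggests the program's own temp files follow a narrower pattern; consider narrowing if the actual names are known. The file still ends without a trailing newline (`\ No newline at end of file`), unlike the other profiles on this page.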
@@ -21,6 +22,7 @@ profile boltd @{exec_path} { owner @{run}/boltd/{,**} rw, + @{run}/systemd/journal/socket w, @{run}/udev/data/+thunderbolt:* r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 3e298ef3..d771789d 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -32,7 +32,7 @@ profile hugo @{exec_path} { owner @{user_projects_dirs}/**/.hugo_build.lock rwk, owner @{user_projects_dirs}/**/go.{mod,sum} rwk, - owner /tmp/hugo_cache/{,**} rwk, + owner /tmp/hugo_cache/{,**} rwkl, owner /tmp/go-codehost-[0-9]* rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 6e0aeef5..02f53ffa 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -28,6 +28,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/fail2ban-server rPx, /{usr/,}bin/locale rix, /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/sed rix, /{usr/,}bin/stty rix, /{usr/,}bin/systemctl rPx, /{usr/,}bin/systemd-detect-virt rPx, @@ -37,6 +38,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/needrestart/iucode-scan-versions rPx, /usr/share/debconf/frontend rix, + /{usr/,}bin/gettext.sh r, /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, @@ -48,8 +50,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pids}/cgroup r, @{PROC}/ r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/maps r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index c9d803ba..3ec18665 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon 
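Review bot: In the needrestart hunk, `/{usr/,}bin/gettext.sh r,` is inserted between the `/usr/share/debconf/frontend rix,` and `/usr/share/needrestart/{,**} r,` entries, whereas the file's other `/{usr/,}bin/` rules are grouped in the block above (where this commit adds `/{usr/,}bin/sed rix,`); moving it next to those keeps the path ordering the rest of the profile follows. The relocation of `@{PROC}/@{pids}/cgroup r,` into the unowned `@{PROC}/@{pids}/...` group matches the neighbouring `cmdline`/`environ`/`maps` rules, so that part reads consistently. The profile body continues outside these hunks.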
@@ -25,9 +25,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus member=RequestName, + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + dbus receive bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties - member=GetAll, + member={GetAll,Set}, dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index bbcb943e..b9c388c4 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -60,7 +60,8 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/@{uid}/gvfsd/socket-* rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-* rw, @{run}/cups/cups.sock rw, owner /tmp/* rw, From 7aca29b2449828e0a6cf9fc0a8fda8fcac74a9ab Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 21 Jul 2022 22:40:06 +0100 Subject: [PATCH 153/165] feat(profiles): initial snap support. --- apparmor.d/profiles-s-z/snap | 48 ++++++ .../snap-device-helper | 0 apparmor.d/profiles-s-z/snap-discard-ns | 26 ++++ apparmor.d/profiles-s-z/snap-failure | 16 ++ apparmor.d/profiles-s-z/snap-seccomp | 30 ++++ apparmor.d/profiles-s-z/snap-update-ns | 31 ++++ apparmor.d/profiles-s-z/snapd | 140 ++++++++++++++++++ dists/flags/main.flags | 6 + 8 files changed, 297 insertions(+) create mode 100644 apparmor.d/profiles-s-z/snap rename apparmor.d/{groups/ubuntu => profiles-s-z}/snap-device-helper (100%) create mode 100644 apparmor.d/profiles-s-z/snap-discard-ns create mode 100644 apparmor.d/profiles-s-z/snap-failure create mode 100644 apparmor.d/profiles-s-z/snap-seccomp create mode 100644 apparmor.d/profiles-s-z/snap-update-ns create mode 100644 apparmor.d/profiles-s-z/snapd diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap new file mode 100644 index 00000000..38567f5c --- /dev/null +++ b/apparmor.d/profiles-s-z/snap 
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap +profile snap @{exec_path} { + include + include + include + include + + @{exec_path} mrix, + + /snap/{,**} rw, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-confine rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snapd r, + + /etc/fstab r, + + /var/lib/snapd/{,**} rwk,# + + owner @{HOME}/snap/{,**} rw, + + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + + @{run}/snapd.socket rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/features/ r, + + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/cgroups r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/version r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper similarity index 100% rename from apparmor.d/groups/ubuntu/snap-device-helper rename to apparmor.d/profiles-s-z/snap-device-helper diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns new file mode 100644 index 00000000..31d36f25 --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-discard-ns 
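Review bot: `/var/lib/snapd/{,**} rwk,#` carries a stray `#` after the comma with no comment text behind it; it should read `/var/lib/snapd/{,**} rwk,`. Separately, `/snap/{,**} rw,` gives the user-facing `snap` client write access to the whole mounted snap tree, while the same hunk talks to the daemon through `@{run}/snapd.socket rw,` and the `snapd` profile added later in this commit holds its own `/snap/{,**} rw,`; it is worth confirming from the denials whether the client needs more than `r` here. The file also ends without a trailing newline (`\ No newline at end of file`).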
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns +profile snap-discard-ns @{exec_path} { + include + + capability setgid, + + @{exec_path} mr, + + / r, + @{run}/ r, + @{run}/snapd/ r, + @{run}/snapd/lock/ r, + @{run}/snapd/lock/*.lock rwk, + @{run}/snapd/ns/ r, + @{run}/snapd/ns/* rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure new file mode 100644 index 00000000..4f6a5a97 --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-failure @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-failure +profile snap-failure @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp new file mode 100644 index 00000000..767c76a4 --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp +profile snap-seccomp @{exec_path} { + include + include + include + + network netlink raw, + + @{exec_path} mr, + + /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp r, + + /var/lib/snapd/seccomp/bpf/{,**} rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + owner @{PROC}/@{pids}/mountinfo r, + + include if exists +} \ No newline at end of file 
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns new file mode 100644 index 00000000..3e4fd84f --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns +profile snap-update-ns @{exec_path} { + include + + capability sys_admin, + capability sys_chroot, + + @{exec_path} mr, + + /var/lib/snapd/mount/{,*} r, + + @{run}/snapd/lock/*.lock rwk, + @{run}/snapd/ns/{,**} rw, + + @{sys}/fs/cgroup/{,**/} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/version r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd new file mode 100644 index 00000000..b7a491c9 --- /dev/null +++ b/apparmor.d/profiles-s-z/snapd 
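Review bot: The snap-update-ns profile grants `capability sys_admin,` and `capability sys_chroot,` but contains no `mount`/`umount` rules; if the tool performs the mount-namespace updates its name suggests, those operations will be denied once the profile leaves the `snap-update-ns complain` state this commit sets in dists/flags/main.flags. The `snapd` profile added in the same commit pairs its `capability sys_admin,` with explicit `mount fstype=... -> ...` and `umount` rules, which is the pattern to follow here. Consider adding mount rules scoped to the targets the audit log actually shows, rather than leaving the gap to be discovered at enforcement time.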
@@ -0,0 +1,140 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd +profile snapd @{exec_path} { + include + include + include + include + include + include + include + include + + capability audit_write, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/, + umount /tmp/syscheck-mountpoint-[0-9]*/, + umount /snap/*/[0-9]*/, + + ptrace (read) peer=unconfined, + + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), + + @{exec_path} mr, + + /{usr/,}{s,}bin/apparmor_parser rPx, + /{usr/,}{s,}bin/runuser rCx -> runuser, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/mount rix, + /{usr/,}bin/sync rix, + /{usr/,}bin/systemctl rix, + /{usr/,}bin/systemd-detect-virt rPx, + /{usr/,}bin/tar rix, + /{usr/,}bin/udevadm rPx, + /{usr/,}bin/umount rix, + /{usr/,}bin/unsquashfs rix, + /{usr/,}bin/update-desktop-database rPx, + + /snap/snapd/[0-9]*/lib/@{multiarch}/** mr, + /snap/snapd/[0-9]*/lib/@{multiarch}/ld-*.so rix, + /snap/snapd/[0-9]*/usr/bin/snap rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-discard-ns rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx, + /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix, + 
/snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ? + + /usr/share/dbus-1/{system,session}.d/{,snapd*} r, + /usr/share/dbus-1/services/*snap* r, + /usr/share/polkit-1/actions/{,**/} r, + + /etc/dbus-1/system.d/{,**/} r, + /etc/fstab r, + /etc/modprobe.d/{,**/} r, + /etc/modules-load.d/{,**/} r, + /etc/systemd/system/{,**/} r, + /etc/systemd/system/snap* rw, + /etc/systemd/user/{,**/} r, + /etc/systemd/user/snap* rw, + /etc/udev/rules.d/{,*snap*} rw, + + /snap/{,**} rw, + /var/cache/snapd/{,**} rwk, + /var/lib/snapd/{,**} rwk, + /var/snap/{,**} rw, + + /var/cache/apparmor/{,*/} r, + /var/cache/apparmor/*/snap* rw, + + /tmp/ r, + /tmp/syscheck-mountpoint-[0-9]*/{,**} rw, + /tmp/syscheck-squashfs-[0-9]* rw, + /tmp/read-file[0-9]*/{,**} rw, + + owner @{HOME}/ r, + owner @{HOME}/snap/{,**} rw, + + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rw, + owner @{run}/mount/utab.lock wk, + + owner @{run}/user/{,@{uid}/} r, + owner @{run}/user/snap.*/{,**} rw, + + @{run}/snapd-snap.socket rw, + @{run}/snapd.socket rw, + @{run}/snapd/lock/core[0-9]*.lock rwk, + @{run}/systemd/notify rw, + @{run}/systemd/private rw, + + @{sys}/fs/cgroup/{,*/} r, + @{sys}/fs/cgroup/system.slice/{,**/} r, + @{sys}/fs/cgroup/user.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/**/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/features/ r, + @{sys}/kernel/security/apparmor/profiles r, + + owner @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/stat r, + @{PROC}/cgroups r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/version r, + + /dev/loop-control rw, + + include if exists +} \ No newline at end of file diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d4886101..e1c1e42d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
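Review bot: `/{usr/,}bin/systemctl rix,` runs systemctl inside snapd's own profile — which carries `capability sys_admin,`, `dac_override,`, `net_admin,` and the `mount`/`umount` rules above — whereas the needrestart profile in this same patch series transitions with `/{usr/,}bin/systemctl rPx,` and `/{usr/,}bin/systemd-detect-virt rPx,` (the latter is already `rPx` here too); if a systemctl profile exists, `/{usr/,}bin/systemctl rPx,` would be the consistent and more contained choice, and the same question applies to `mount`, `umount`, `tar`, `gzip` and `unsquashfs`, all `rix`. `/snap/snapd/[0-9]*/usr/lib/snapd/snapd rix,` also overlaps a path already covered by `@{exec_path} mr,`; writing `@{exec_path} mrix,` (as the sshd profile does) and dropping the separate line expresses the re-exec in one place. The `# TODO: rPx ?` on the xdelta3 line is left open by the commit.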
@@ -128,7 +128,13 @@ s3fs complain scrcpy complain sftp-server complain slirp4netns attach_disconnected,complain +snap complain snap-device-helper complain +snap-discard-ns complain +snap-failure complain +snap-seccomp complain +snap-update-ns complain +snapd complain spice-vdagent complain spice-vdagentd attach_disconnected,complain splunkforwarder complain From b55c3f7d06938bb8add1d3420fd8b2fd17b46ae6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Jul 2022 12:09:07 +0100 Subject: [PATCH 154/165] ci: fix build image name. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4c5418db..7291de6a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -50,7 +50,7 @@ tests: archlinux: stage: build - image: registry.gitlab.com/archlex/packages/builders/arch + image: registry.gitlab.com/archlex/packages/builders/archlinux script: - sudo pacman -Syu --noconfirm --noprogressbar lsb-release - makepkg -s --noconfirm --noprogressbar From 3af11c4d16c9a9fcc763d2725701adeac9b24b46 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 23 Jul 2022 13:22:38 +0200 Subject: [PATCH 155/165] ZFS updates --- apparmor.d/profiles-s-z/zed | 9 +++++---- apparmor.d/profiles-s-z/zfs | 9 +++++++-- apparmor.d/profiles-s-z/zpool | 4 ++++ 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 4f39770e..607feb10 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -38,12 +38,13 @@ profile zed @{exec_path} flags=(complain) { @{run}/zed.pid rwkl, @{run}/zed.state rwkl, @{run}/zfs-list.cache@* rw, - - @{PROC}/@{pids}/mounts r, - owner @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pid}/task/@{tid}/comm rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/[0-9]*/address r, + + @{PROC}/@{pids}/mounts r, + owner @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/zfs rw, 
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index 388e569d..4532b912 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -11,15 +11,20 @@ profile zfs @{exec_path} flags=(complain) { include capability sys_admin, + capability dac_read_search, + + mount fstype=zfs, + umount fstype=zfs, @{exec_path} mr, /etc/zfs/zfs-list.cache/{,*} rwk, - - @{PROC}/@{pids}/mounts r, @{run}/zfs-list.cache@* rw, + @{PROC}/@{pids}/mounts r, + @{PROC}/sys/fs/pipe-max-size r, + /dev/zfs rw, include if exists diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index d39b710d..0a35b291 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -19,11 +19,15 @@ profile zpool @{exec_path} flags=(complain) { /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /etc/hostid r, + /etc/zfs/*.cache rwk, @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab-* rwl, + @{sys}/bus/pci/slots/ + @{sys}/bus/pci/slots/[0-9]*/address + @{PROC}/@{pids}/mounts r, @{PROC}/sys/kernel/spl/hostid r, From 33da7af6e82f416ecc3af0e9cd49f03153d94082 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 23 Jul 2022 13:22:47 +0200 Subject: [PATCH 156/165] container updates --- apparmor.d/groups/virt/containerd | 10 ++++++++-- apparmor.d/groups/virt/k3s | 19 +++++++++++++++---- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 3f0ba0c6..d373416c 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
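Review bot: In the zpool hunk, `@{sys}/bus/pci/slots/` and `@{sys}/bus/pci/slots/[0-9]*/address` are added without an access mode or trailing comma, so apparmor_parser will reject the profile; they should read `@{sys}/bus/pci/slots/ r,` and `@{sys}/bus/pci/slots/[0-9]*/address r,`, matching the two rules this same commit adds to the zed profile. The zfs hunk's `mount fstype=zfs,` / `umount fstype=zfs,` pair carries no source or destination; that is presumably deliberate given datasets mount at arbitrary points, but a one-line comment saying so would stop a later reviewer from trying to narrow it.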
@@ -31,6 +31,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + mount -> /tmp/ctd-volume[0-9]*/, mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid}, umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, @@ -68,7 +69,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, - /var/log/pods/**/[0-9]*.log w, + /var/lib/kubelet/seccomp/{,**} r, + /var/log/pods/**/[0-9]*.log{,*} w, + /var/lib/security-profiles-operator/{,**/*.json} r, @{run}/calico/ w, @{run}/containerd/{,**} rwk, @@ -77,7 +80,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/netns/cni-@{uuid} rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d[0-9]* rwl, + owner /var/tmp/** rwkl, + owner /tmp/** rwkl, + /tmp/cri-containerd.apparmor.d[0-9]* rwl, + /tmp/ctd-volume[0-9]*/ rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 423e79d6..fa8e6bbe 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -17,6 +17,8 @@ profile k3s @{exec_path} flags=(complain) { capability kill, capability dac_override, capability dac_read_search, + capability fsetid + capability fowner capability net_admin, capability syslog, capability sys_admin, 
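Review bot: `owner /var/tmp/** rwkl,` and `owner /tmp/** rwkl,` in the last containerd hunk give a root daemon read/write/lock/link on everything it owns under both temp trees, and the `l` bit in particular allows hard links anywhere in `/tmp`; the specific `/tmp/cri-containerd.apparmor.d[0-9]* rwl,` rule is kept and `/tmp/ctd-volume[0-9]*/ rw,` is added in the same hunk, which shows the naming patterns are known, so the blanket rules look wider than needed. The same pair replaces the narrow `etilqs_`/`kubectl-edit-` rules in the k3s profile later in this commit, and the same comment applies there. If the broad form is intended, a comment naming the tool that needs it would help.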
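Review bot: `capability fsetid` and `capability fowner` in the first k3s hunk lack the trailing comma every other capability line in the block carries, so the profile will fail to parse; they should read `capability fsetid,` and `capability fowner,`.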
@@ -24,7 +26,15 @@ profile k3s @{exec_path} flags=(complain) { capability sys_resource, ptrace peer=@{profile_name}, - ptrace (read) peer={cri-containerd.apparmor.d,k3s//xtables-nft-multi,unconfined}, + ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,unconfined}, + ptrace (read) peer=mount, + + # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes + # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. + ptrace (read) peer=container-*, + ptrace (read) peer=docker-*, + ptrace (read) peer=k3s-*, + ptrace (read) peer=kubernetes-*, network inet dgram, network inet6 dgram, @@ -70,7 +80,7 @@ profile k3s @{exec_path} flags=(complain) { /var/log/kubernetes/audit/** rw, /var/log/pods/{,**} r, /var/log/pods/{,**/} rw, - /var/log/pods/**/[0-9]*.log rw, + /var/log/pods/**/[0-9]*.log{,*} rw, owner @{HOME}/.kube/** rw, @@ -81,8 +91,8 @@ profile k3s @{exec_path} flags=(complain) { @{run}/nodeagent/ rw, @{run}/xtables.lock rwk, - owner /var/tmp/etilqs_[0-9a-f]* rw, - owner /tmp/kubectl-edit-[0-9]*.yaml rw, + owner /var/tmp/** rwkl, + owner /tmp/** rwkl, owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/cpuset r, @@ -124,6 +134,7 @@ profile k3s @{exec_path} flags=(complain) { @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r, @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, @{sys}/devices/system/cpu/present{,/} r, @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, From 465a31c638f1fd766c5500f85370a409eb7919f6 Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Sat, 23 Jul 2022 13:22:56 +0200 Subject: [PATCH 157/165] General updates --- apparmor.d/groups/apt/unattended-upgrade | 9 +++++ apparmor.d/groups/freedesktop/pulseaudio | 43 ++++++++++++++++++++++++ apparmor.d/groups/systemd/systemd-logind | 5 +++ apparmor.d/profiles-m-r/mount | 3 ++ apparmor.d/profiles-m-r/newgidmap | 2 ++ apparmor.d/profiles-m-r/newuidmap | 2 ++ apparmor.d/profiles-m-r/rngd | 3 +- apparmor.d/profiles-s-z/smartd | 4 +++ apparmor.d/profiles-s-z/thermald | 10 ++++-- 9 files changed, 78 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 1961f712..b3ac117d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -30,6 +31,14 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-http, + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.PackageKit + member=StateHasChanged, + + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index d3788695..5509e1d1 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -33,6 +34,20 @@ profile pulseaudio @{exec_path} { network bluetooth stream, network bluetooth seqpacket, + dbus (send) + bus=session + path=/Client0/EntryGroup[0-9]* + interface=org.freedesktop.Avahi.EntryGroup + member={GetState,AddService,AddServiceSubtype,Commit} + peer=(name=org.freedesktop.Avahi), + + dbus (receive) + bus=session + path=/Client0/EntryGroup[0-9]* + interface=org.freedesktop.Avahi.EntryGroup + member={StateChanged} + peer=(name=org.freedesktop.Avahi), + dbus (send) bus=session path=/org/freedesktop/DBus @@ -83,6 +98,34 @@ profile pulseaudio @{exec_path} { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), + + dbus (send) + bus=system + path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), + + dbus (send) + bus=system + path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,EntryGroupNew} + peer=(name=org.freedesktop.Avahi), + + dbus (receive) + bus=system + path=/ + interface=org.freedesktop.Avahi.Server + member={StateChanged} + peer=(name=org.freedesktop.Avahi), + + dbus (send) + bus=system + path=/ + interface=org.freedesktop.hostname[0-9]* + member={Get} + peer=(name=/org/freedesktop/hostname1[0-9]*, @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index b114eda3..de48f1c7 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -51,6 +52,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Properties + member=Get, + dbus bind bus=system name=org.freedesktop.login[0-9], 
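Review bot: The two `org.freedesktop.Avahi.EntryGroup` rules at the top of the hunk are on `bus=session`, while the `org.freedesktop.Avahi.Server` rules added further down in the same file (including `EntryGroupNew`, which presumably creates those objects) are on `bus=system`; Avahi is a system-bus service, so the session-bus rules most likely never match and the real EntryGroup traffic is still denied. Change both to `bus=system`. The hard-coded `/Client0/` object path also looks fragile: if Avahi numbers client objects per connection, only the first client gets `/Client0`, so `path=/Client[0-9]*/EntryGroup[0-9]*` would be more robust — worth confirming against the denial log before committing.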
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 9bb767dc..7432f00a 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -26,6 +27,8 @@ profile mount @{exec_path} flags=(complain) { network inet stream, network inet6 stream, + ptrace (read) peer=k3s, + signal (receive) set=(term, kill), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap index 2da77d9b..d769bfcc 100644 --- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +12,7 @@ profile newgidmap @{exec_path} { include include + capability dac_override, capability setgid, capability sys_admin, diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap index 88af9bb6..3ec9d09e 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +12,7 @@ profile newuidmap @{exec_path} { include include + capability dac_override, capability setuid, capability sys_admin, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 163d2a20..2cd837cd 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd 
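Review bot: `capability dac_override` is added to newuidmap (and, in the preceding hunk, newgidmap) with no comment saying which access needed it. Both are setuid-root helpers whose job, as I understand it, is to write another user's `/proc/<pid>/{uid,gid}_map`, so a DAC bypass here widens what a local caller can reach through them to whatever the profile's file rules allow; those rules are outside this hunk. Following the file's convention for justified capabilities (compare the `# Unable to register SCSI device …` comment above `capability sys_rawio` in smartd in this same patch), record the denial that motivated it, e.g. `# write /proc/@{pid}/uid_map of the caller's process — confirm against audit log`, or drop it if it was speculative.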
@@ -1,12 +1,13 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}bin/rngd +@{exec_path} = /{usr/,}{s,}bin/rngd profile rngd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index a99796c9..ac1aeb0d 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,6 +18,7 @@ profile smartd @{exec_path} { # Unable to register SCSI device /dev/disk/by-id/ata-* at line * of file /etc/smartd.conf # Device: /dev/disk/by-id/ata-*, not available capability sys_rawio, + capability sys_admin, # Needed? deny capability net_admin, @@ -39,5 +41,7 @@ profile smartd @{exec_path} { /dev/ r, @{PROC}/devices r, + /run/systemd/notify rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index a4ed8017..5bf27dac 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2015-2020 Mikhail Morfikov +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,14 @@ include @{exec_path} = /{usr/,}sbin/thermald profile thermald @{exec_path} { include + include capability sys_boot, + dbus (bind) + bus=system + name=org.freedesktop.thermald, + @{exec_path} mr, owner @{run}/thermald/ rw, 
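Review bot: `capability sys_admin` is inserted directly above the `# Needed?` comment that belongs to `deny capability net_admin`, so a reader now sees sys_admin followed by a question about whether it is needed, and the new capability itself has no justification while the adjacent `sys_rawio` does. sys_admin is close to root-equivalent (mount, block-device ioctls and much more), so it deserves its own comment naming the denial that triggered it, e.g. `# confirm: which ioctl on /dev/disk/by-id/* asked for this (audit log)`, or a `deny` line if it turns out to be noise like net_admin.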
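Review bot: `/run/systemd/notify rw,` hard-codes `/run` and grants read, whereas the rest of this patch uses the `@{run}` variable (e.g. `owner @{run}/thermald/ rw,` in thermald). sd_notify only sends datagrams to that socket, so write is all that is needed; suggest `@{run}/systemd/notify w,`.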
@@ -50,11 +56,11 @@ profile thermald @{exec_path} { @{sys}/devices/virtual/powercap/intel-rapl/ r, @{sys}/devices/virtual/powercap/intel-rapl/**/name r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r, include if exists } From 07f1db2725443bb6351732e0af4f28193e52af43 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 23 Jul 2022 13:38:58 +0200 Subject: [PATCH 158/165] Fix some typo's --- apparmor.d/groups/freedesktop/pulseaudio | 10 +++++----- apparmor.d/groups/virt/k3s | 4 ++-- apparmor.d/profiles-s-z/zpool | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 5509e1d1..2a8d08de 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -45,7 +45,7 @@ profile pulseaudio @{exec_path} { bus=session path=/Client0/EntryGroup[0-9]* interface=org.freedesktop.Avahi.EntryGroup - member={StateChanged} + member=StateChanged peer=(name=org.freedesktop.Avahi), dbus (send) @@ -117,15 +117,15 @@ profile pulseaudio @{exec_path} { bus=system path=/ interface=org.freedesktop.Avahi.Server - member={StateChanged} + member=StateChanged peer=(name=org.freedesktop.Avahi), dbus (send) bus=system path=/ - interface=org.freedesktop.hostname[0-9]* - member={Get} - peer=(name=/org/freedesktop/hostname1[0-9]*, + interface=org.freedesktop.hostname[0-9] + member=Get + peer=(name=/org/freedesktop/hostname[0-9]), @{exec_path} mrix, 
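Review bot: The hostname1 rule is still not what the bus will see after this fix: `peer=(name=/org/freedesktop/hostname[0-9])` puts an object path where a bus name belongs (the well-known name is `org.freedesktop.hostname1`; the object path, which is what `path=` carries, is most likely `/org/freedesktop/hostname1` rather than `/`), and a property read normally goes through `org.freedesktop.DBus.Properties` `Get` — the form the systemd-logind rule added earlier in this series uses — rather than `interface=org.freedesktop.hostname1 member=Get`. Suggest `dbus (send) bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.hostname[0-9]),`. Which member pulseaudio actually calls is inferred here, so check a denial log before committing.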
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index fa8e6bbe..00b3a726 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -17,8 +17,8 @@ profile k3s @{exec_path} flags=(complain) { capability kill, capability dac_override, capability dac_read_search, - capability fsetid - capability fowner + capability fsetid, + capability fowner, capability net_admin, capability syslog, capability sys_admin, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 0a35b291..e5ee8eec 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -25,8 +25,8 @@ profile zpool @{exec_path} flags=(complain) { @{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab-* rwl, - @{sys}/bus/pci/slots/ - @{sys}/bus/pci/slots/[0-9]*/address + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/[0-9]*/address r, @{PROC}/@{pids}/mounts r, @{PROC}/sys/kernel/spl/hostid r, From e6525e1f0453ff59c8200f206dc0358a33bcc1cd Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 23 Jul 2022 15:28:07 +0200 Subject: [PATCH 159/165] Add missing volumes --- apparmor.d/groups/virt/k3s | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 00b3a726..0c661036 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -26,8 +26,7 @@ profile k3s @{exec_path} flags=(complain) { capability sys_resource, ptrace peer=@{profile_name}, - ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,unconfined}, - ptrace (read) peer=mount, + ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined}, # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. 
@@ -42,8 +41,11 @@ profile k3s @{exec_path} flags=(complain) {
 network inet6 stream,
 network netlink raw,
- mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+ mount -> /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+ mount -> /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**},
+ umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+ umount /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**},
 signal (send, receive) set=term,
 signal (send) set=kill peer=unconfined,
From e4d118365a9f86d38c133dc1cdc96854ea9c1254 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sat, 23 Jul 2022 15:28:35 +0200
Subject: [PATCH 160/165] Add Kubernetes pause container
---
 apparmor.d/groups/virt/kubernetes-pause | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 apparmor.d/groups/virt/kubernetes-pause
diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause
new file mode 100644
index 00000000..7dca6f7b
--- /dev/null
+++ b/apparmor.d/groups/virt/kubernetes-pause
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /pause
+profile kubernetes-pause @{exec_path} flags=(complain,attach_disconnected) {
+ include
+
+ signal (receive) set=kill,
+
+ ptrace (readby) peer=k3s,
+
+ @{exec_path} mr,
+
+ include if exists
+}
From e724d835ed3c0661597c7344f4a18ad2d80202ba Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sat, 23 Jul 2022 15:30:44 +0200
Subject: [PATCH 161/165] Add ps to ptrace
---
 apparmor.d/groups/virt/kubernetes-pause | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause
index 7dca6f7b..f38c949a 100644
--- a/apparmor.d/groups/virt/kubernetes-pause
+++ b/apparmor.d/groups/virt/kubernetes-pause
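Review bot: `signal (receive) set=kill,` is the only signal the pause process may receive, so the SIGTERM the runtime sends on pod stop will be denied and logged, and every pod teardown then waits for the SIGKILL fallback once `complain` is dropped later in this series. As far as I recall the pause binary installs handlers for SIGTERM and SIGINT for exactly that shutdown path, so `signal (receive) set=(term, kill),` is probably what is wanted, ideally with a `peer=` naming the profile that actually sends it (confirm from the audit log). Separately, attaching by path `/pause` matches any executable at that path in whichever mount namespace the exec happens; that is presumably intended for the container rootfs, and a one-line comment saying so would help the next reader.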
@@ -12,7 +12,7 @@ profile kubernetes-pause @{exec_path} flags=(complain,attach_disconnected) { signal (receive) set=kill, - ptrace (readby) peer=k3s, + ptrace (readby) peer={k3s,ps}, @{exec_path} mr, From fcea04c69baa818c1eeb9016ba0753a813b4e547 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 23 Jul 2022 15:41:40 +0200 Subject: [PATCH 162/165] Remove complain flags --- apparmor.d/groups/virt/cni-xtables-nft | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/virt/kubernetes-pause | 2 +- apparmor.d/profiles-s-z/zed | 2 +- apparmor.d/profiles-s-z/zfs | 2 +- apparmor.d/profiles-s-z/zpool | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft index 45d2820a..d562f044 100644 --- a/apparmor.d/groups/virt/cni-xtables-nft +++ b/apparmor.d/groups/virt/cni-xtables-nft @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi -profile cni-xtables-nft flags=(complain) { +profile cni-xtables-nft { include include diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 81a19d24..ae091c99 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/containerd-shim-runc-v2 -profile containerd-shim-runc-v2 @{exec_path} flags=(complain,attach_disconnected) { +profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 0c661036..3f041cc4 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{local/,}bin/k3s -profile k3s @{exec_path} flags=(complain) { +profile k3s @{exec_path} { include include include 
diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause index f38c949a..b621e63d 100644 --- a/apparmor.d/groups/virt/kubernetes-pause +++ b/apparmor.d/groups/virt/kubernetes-pause @@ -7,7 +7,7 @@ abi , include @{exec_path} = /pause -profile kubernetes-pause @{exec_path} flags=(complain,attach_disconnected) { +profile kubernetes-pause @{exec_path} flags=(attach_disconnected) { include signal (receive) set=kill, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 607feb10..a37053b9 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{local/,}{s,}bin/zed -profile zed @{exec_path} flags=(complain) { +profile zed @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index 4532b912..500cfec1 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{local/,}{s,}bin/zfs -profile zfs @{exec_path} flags=(complain) { +profile zfs @{exec_path} { include capability sys_admin, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e5ee8eec..8fb872dc 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{local/,}{s,}bin/zpool -profile zpool @{exec_path} flags=(complain) { +profile zpool @{exec_path} { include include From 616753aea018e322f2f15650fddd3333058f2648 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 27 Jul 2022 20:06:58 +0200 Subject: [PATCH 163/165] Consolidate rules --- apparmor.d/groups/virt/containerd-shim-runc-v2 | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index ae091c99..770e36d3 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -29,12 +29,10 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { /tmp/pty[0-9]*/ rw, /tmp/pty[0-9]*/pty.sock rw, - @{run}/containerd/ rw, - @{run}/containerd/containerd.sock.ttrpc rw, - @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stderr rw, - @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stdout rw, - @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/{,*} rw, - @{run}/containerd/s/{,[0-9a-z]*} rw, + @{run}/containerd/{,containerd.sock.ttrpc} rw, + @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw, + @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/{,*} rw, + @{run}/containerd/s/{,[0-9a-f]*} rw, @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw, @{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw, From 58cfe9ad37d34203ccf27feba8593914da6fb269 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Fri, 29 Jul 2022 09:50:36 +0200 Subject: [PATCH 164/165] Small fixes --- apparmor.d/groups/virt/cni-xtables-nft | 1 + apparmor.d/groups/virt/containerd | 7 ++++--- apparmor.d/profiles-g-l/ip | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft index d562f044..e6a24a41 100644 --- a/apparmor.d/groups/virt/cni-xtables-nft +++ b/apparmor.d/groups/virt/cni-xtables-nft @@ -23,6 +23,7 @@ profile cni-xtables-nft { network netlink raw, @{exec_path} mr, + /{usr/,}{s,}bin/xtables-legacy-multi mr, /etc/libnl/classid r, /etc/iptables/{,**} rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index d373416c..c700d8ef 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -48,13 +48,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, + / r, + /opt/cni/bin/loopback rPx, /opt/cni/bin/portmap rPx, /opt/cni/bin/bandwidth rPx, /opt/cni/bin/calico rPx, - / r, - /etc/cni/ rw, /etc/cni/{,**} r, /etc/cni/net.d/ rw, @@ -70,8 +70,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/docker/containerd/{,**} rwk, /var/lib/kubelet/seccomp/{,**} r, + /var/lib/security-profiles-operator/{,**} r, + /var/log/pods/**/[0-9]*.log{,*} w, - /var/lib/security-profiles-operator/{,**/*.json} r, @{run}/calico/ w, @{run}/containerd/{,**} rwk, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index ec164180..ed7a3340 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,11 +7,12 @@ abi , include -@{exec_path} = /{usr/,}bin/ip +@{exec_path} = /{usr/,}{s,}bin/ip profile ip @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability net_admin, capability sys_admin, capability sys_module, From 2878fa6a2eb56860930a4bfae6d893f1c121567d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Jul 2022 16:47:09 +0100 Subject: [PATCH 165/165] feat(profiles): general update. --- apparmor.d/abstractions/python.d/complete | 2 +- apparmor.d/groups/apt/dpkg-divert | 2 +- apparmor.d/groups/browsers/chromium-chromium | 1 + apparmor.d/groups/gvfs/gvfsd-dnssd | 2 +- apparmor.d/groups/systemd/systemd-logind | 1 + apparmor.d/groups/ubuntu/update-manager | 1 + apparmor.d/groups/virt/containerd-shim-runc-v2 | 10 +++++++--- apparmor.d/groups/virt/libvirtd | 2 ++ apparmor.d/profiles-s-z/wireplumber | 2 +- 9 files changed, 16 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index 22e5a9bc..b5427859 100644 --- a/apparmor.d/abstractions/python.d/complete 
+++ b/apparmor.d/abstractions/python.d/complete @@ -7,7 +7,7 @@ /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r, - /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r, + /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/{,**/} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so} mr, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth} r, diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index d6230d07..37bc7421 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/** r, - /usr/share/*/**.dpkg-divert.tmp w, + /usr/share/*/** w, /var/lib/dpkg/diversions rw, /var/lib/dpkg/diversions-new rw, diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index 1b98b251..f1cfd87d 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -58,6 +58,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-desktop-menu rPx, + /{usr/,}bin/xdg-email rPx, /{usr/,}bin/xdg-icon-resource rPx, /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-open rCx -> open, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index e6659825..0c83581b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -30,7 +30,7 @@ profile gvfsd-dnssd @{exec_path} { @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index de48f1c7..3afc0562 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
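Review bot: `/usr/share/*/** w,` now grants write on every file under each `/usr/share/<pkg>/` tree, where the replaced rule was scoped to `*.dpkg-divert.tmp`; since a diversion is a rename to an arbitrary target name, the widening is presumably required, but the reason is no longer visible in the profile. Add a comment above the rule, e.g. `# diversions rename files to arbitrary names (e.g. *.distrib), not only *.dpkg-divert.tmp`, so the next reviewer does not narrow it back. Note the rule still does not cover files directly in `/usr/share/`, which may or may not be intended.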
@@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 /etc/systemd/logind.conf r,
 /etc/systemd/sleep.conf r,
+ /swapfile r,
 /boot/{,**} r,
 /var/lib/systemd/linger/ r,
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 3b173bc6..32f2e4f2 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -74,6 +74,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 /usr/share/X11/{,**} r,
 /etc/gnome/defaults.list r,
+ /etc/gtk-3.0/settings.ini r,
 /etc/machine-id r,
 /etc/update-manager/{,**} r,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index 770e36d3..75778688 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@@ -16,10 +16,14 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability net_admin,
 capability sys_admin,
+ capability sys_ptrace,
 capability sys_resource,
- mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,
- umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,
+ ptrace (read) peer=containerd,
+ ptrace (read) peer=unconfined,
+
+ mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
+ umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
 @{exec_path} mrix,
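Review bot: `ptrace (read) peer=unconfined,` together with the new `capability sys_ptrace` lets the shim read the `/proc/<pid>/*` entries that require ptrace-read access (environ, maps, fd links) of every unconfined process on the host, not only of the container init it manages. If the driver for this was pods that run without an AppArmor profile, that is the unavoidable consequence of those tasks being `unconfined`, but it should be stated next to the rule, e.g. `# init of pods without an AppArmor profile runs unconfined`. `ptrace (read) peer=containerd` is the shim reading its own parent, which is unusual enough to deserve the denial reference as well. Both rules are read-only, so no trace/inject permission is granted here.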
@@ -31,7 +35,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{run}/containerd/{,containerd.sock.ttrpc} rw, @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw, - @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/{,*} rw, + @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw, @{run}/containerd/s/{,[0-9a-f]*} rw, @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index bda5c0c2..1814b83f 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -207,6 +207,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/machine.slice/* r, @{sys}/fs/cgroup/machine.slice/machine-qemu*.scope/{,**} rw, + @{sys}/fs/cgroup/net_cls/machine.slice/ rw, + @{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 0968890c..59b0cab4 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -45,7 +45,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/pci[0-9]*/**/modalias r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r, /dev/snd/ r, /dev/video[0-9]* rw,