diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 08639c01..831915f1 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -18,8 +18,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
 /usr/share/nautilus/{,**} r,
- /usr/share/tracker3/{,**} r,
+ /usr/share/poppler/{,**} r,
 /usr/share/sounds/freedesktop/stereo/*.oga r,
+ /usr/share/tracker3/{,**} r,
 owner @{user_share_dirs}/nautilus/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index a0de6223..e9d8bbe6 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -44,10 +44,12 @@ profile tracker-extract @{exec_path} {
 @{run}/udev/data/c235:* r,
 @{run}/udev/data/c236:* r,
- @{run}/udev/data/c51[0-9]:* r,
+ @{run}/udev/data/c50[0-9]:[0-9]* r,
+ @{run}/udev/data/c51[0-9]:[0-9]* r,
- /dev/video[0-9]* rw,
 /dev/dri/renderD128 rw,
+ /dev/media[0-9]* r,
+ /dev/video[0-9]* rw,
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index fc2f8d08..4dafe0d4 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -74,7 +74,6 @@ profile pacman @{exec_path} {
 /{usr/,}bin/update-ca-trust rPx,
 /{usr/,}bin/update-desktop-database rPx,
 /{usr/,}bin/update-mime-database rPx,
- /{usr/,}lib/dkms/alpm-hook rPx,
 /{usr/,}lib/systemd/systemd-* rPx,
 /{usr/,}lib/vlc/vlc-cache-gen rPx,
 /usr/share/libalpm/scripts/* rPx,
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index 0fbbb5ab..a5125b31 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -6,7 +6,7 @@
 abi ,
 include
-@{exec_path} = /{usr/,}lib/dkms/alpm-hook
+@{exec_path} = /usr/share/libalpm/scripts/dkms
 profile pacman-hook-dkms @{exec_path} {
 include
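Review bot: The two new `@{run}/udev/data/c50[0-9]:[0-9]*` and `@{run}/udev/data/c51[0-9]:[0-9]*` rules in tracker-extract say nothing about which devices they are for; the kernel reserves character majors 384–511 for dynamic assignment, so the device behind these numbers is machine-dependent and worth recording, e.g. `@{run}/udev/data/c51[0-9]:[0-9]* r, # dynamically assigned majors (probably the media/video devices below)`. The identical pair added to apparmor.d/groups/systemd/systemd-logind in this commit has the same gap, and there it sits directly under lines that do carry such comments (`# for ALSA`, `# for /dev/dri/card*`). Note also that `c51[0-9]` covers 510–519 while the dynamic range ends at 511; `c51[01]` would be exact if that is the intent.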
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 285f3280..c42cd844 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -26,6 +26,7 @@ profile pacman-key @{exec_path} {
 /{usr/,}bin/wc rix,
 /usr/share/makepkg/{,**} r,
+ /usr/share/pacman/keyrings/* r,
 /usr/share/terminfo/x/xterm-256color r,
 /dev/tty rw,
@@ -41,7 +42,7 @@ profile pacman-key @{exec_path} {
 capability mknod,
 /{usr/,}bin/gpg mr,
- /{usr/,}bin/gpg-agent mr,
+ /{usr/,}bin/gpg-agent rix,
 /usr/share/pacman/keyrings/* r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 94dececb..d75f9a9b 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -43,6 +43,8 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
 @{run}/udev/data/c23[0-9]:[0-9]* r,
+ @{run}/udev/data/c50[0-9]:[0-9]* r,
+ @{run}/udev/data/c51[0-9]:[0-9]* r,
 @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index b54d038d..e08db750 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -37,6 +37,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
 deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
 deny /dev/dri/card[0-9]* rw,
+ deny /dev/dri/renderD128 rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 01eb91b8..bd4ddff7 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
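Review bot: `/{usr/,}bin/gpg-agent rix` in the second pacman-key hunk makes the agent run under this profile's rule set instead of only being mappable (`mr`), and a daemonised agent started this way keeps the inherited profile after pacman-key has exited. A transition to a dedicated profile (`rPx`, if one for gpg-agent exists in the tree) or a child profile (`rCx -> gpg-agent`) would keep the long-lived key-handling process under its own, narrower rules; if inherit is deliberate, a comment such as `# gpg-agent is forked by gpg and inherits the profile` on that line records the decision. The `/usr/share/pacman/keyrings/* r` added in the first hunk already appears as context in the second hunk; the diff has lost its indentation, so whether both rules live in the same scope (and one is redundant) cannot be told from here.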
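Review bot: `deny /dev/dri/renderD128 rw` in browserpass hard-codes the first render node while the line directly above uses `card[0-9]*`; hosts with more than one GPU expose renderD129 and up, which this deny does not cover. `deny /dev/dri/renderD[0-9]* rw,` keeps the two lines consistent and covers every render node.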
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,6 +11,7 @@ include
 profile dkms @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 capability dac_read_search,
 capability mknod,
@@ -63,8 +64,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 / r,
 /{usr/,}lib/modules/*/updates/ rw,
- /{usr/,}lib/modules/*/updates/dkms/ rw,
- /{usr/,}lib/modules/*/updates/dkms/*.ko rw,
+ /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
 /{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko.xz,**.ko.zst} rw,
 /var/lib/dkms/ r,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 995303e9..57b8fcb2 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -77,7 +77,11 @@ profile git @{exec_path} {
 /{usr/,}bin/vim rCx -> editor,
 /{usr/,}bin/vim.* rCx -> editor,
+ /{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
+ /usr/share/aurpublish/*.hook rPx,
+ owner @{HOME}/.gitconfig r,
+ owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
 /usr/share/git-core/{,**} r,
@@ -106,7 +110,6 @@ profile git @{exec_path} {
 /etc/mailname r,
-
 profile gpg {
 include
 include
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index d3154097..2be0f5ac 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
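Review bot: In the third dkms hunk the `*` alternative of `updates/dkms/{,*,*/,**.ko.xz,**.ko.zst}` widens the removed `updates/dkms/*.ko` to any flat file in that directory, and an uncompressed module in a subdirectory (`**.ko`) is still not matched. If the goal is to mirror the `kernel/drivers/` rule on the next line, a shared comment above both makes that deliberate; otherwise replacing `*` with `*.ko` in the brace set keeps the old scope. The `include` added in the second hunk lost its target in this rendering, so it cannot be reviewed here.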
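Review bot: `owner @{HOME}/.gitconfig r` in the second git hunk allows only reading, but `git config --global` rewrites that file through a `.gitconfig.lock` temp file and a rename, so it will be denied under this rule; if editing the global config is expected, `owner @{HOME}/.gitconfig{,.lock} rw,` covers it. `owner @{HOME}/.netrc r` exposes stored credentials to everything confined by the git profile — presumably wanted for HTTP authentication, but a comment such as `# HTTP credentials, read by libcurl` will keep a later cleanup from widening or dropping it carelessly. The two new `rPx` rules for askpass.sh and the aurpublish hooks require a profile attached to those paths; if none exists yet the exec is denied rather than falling back.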
@@ -1,13 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{HUGO_DIR} = @{MOUNTS}/debuilder/hugo
-
 @{exec_path} = /{usr/,}bin/hugo
 profile hugo @{exec_path} {
 include
@@ -17,15 +16,12 @@ profile hugo @{exec_path} {
 @{exec_path} mr,
- # Hugo dirs
- owner @{HOME}/hugo/ r,
- owner @{HOME}/hugo/** r,
- owner @{HOME}/hugo/**/public/ rw,
- owner @{HOME}/hugo/**/public/** rw,
- owner @{HUGO_DIR}/ r,
- owner @{HUGO_DIR}/** r,
- owner @{HUGO_DIR}/**/public/ rw,
- owner @{HUGO_DIR}/**/public/** rw,
+ /usr/share/mime/{,**} r,
+
+ /etc/mime.types r,
+
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.hugo_build.lock rwk,
 owner /tmp/hugo_cache/ rw,
 owner /tmp/hugo_cache/**/ rw,
@@ -34,7 +30,5 @@ profile hugo @{exec_path} {
 @{PROC}/sys/net/core/somaxconn r,
- /etc/mime.types r,
-
 include if exists
-}
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index cc463544..b4fc3fa1 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -12,15 +12,13 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
 include
 include
- # Needed for logfiles owned by other users than root, for instance exim.
- capability dac_read_search,
- capability dac_override,
- capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
 capability setgid,
 capability setuid,
- capability fsetid,
- capability fowner,
 # Needed?
 audit deny capability net_admin,
@@ -67,7 +65,6 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
 @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-
 profile systemctl flags=(attach_disconnected, complain) {
 include
 include
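Review bot: `owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rw` in the second hugo hunk grants write access to the whole projects tree, whereas the removed rules allowed writes only under `**/public/` and reads elsewhere; hugo typically writes only its output directory, `resources/_gen/` and the build lock, so the previous split was the tighter one. Something like `owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,` plus `owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{public,resources}/{,**} rw,` next to the existing `.hugo_build.lock rwk` line keeps the site sources read-only — assuming `public` is the output directory in use, which a profile cannot know. The third hunk of the same file also drops the trailing newline (`\ No newline at end of file` on the new side), the opposite of what the arch.flags hunk in this commit fixes.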
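Review bot: The first logrotate hunk drops `capability chown` together with the comment that explained why the dac_* capabilities are present; logrotate's `create mode owner group` and `su user group` directives chown the rotated files, so once this profile leaves `complain` that call will be denied. If chown was removed because no denial was ever observed, keep a comment saying so; otherwise restore `capability chown,` in the sorted list and move `# Needed for logfiles owned by other users than root, for instance exim.` back above the block.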
diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount
index 4f716e60..592bb374 100644
--- a/apparmor.d/profiles-s-z/umount
+++ b/apparmor.d/profiles-s-z/umount
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,17 +13,11 @@ profile umount @{exec_path} flags=(complain) {
 include
 include
- # To be able to umount anything
- # umount2("/mnt", 0) = -1 EPERM (Operation not permitted)
- #
- # umount: /mnt: must be superuser to unmount.
- capability sys_admin,
-
- capability setuid,
- capability setgid,
-
- capability dac_read_search,
 capability chown,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
 umount,
@@ -31,8 +26,8 @@ profile umount @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /{usr/,}sbin/umount.* rPx,
- /{usr/,}sbin/mount.* rPx,
+ /{usr/,}sbin/umount.* rPx,
+ /{usr/,}sbin/mount.* rPx,
 # Mount points
 @{HOME}/ r,
diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags
index a6737e90..9410d7f1 100644
--- a/dists/flags/arch.flags
+++ b/dists/flags/arch.flags
@@ -13,4 +13,4 @@ pacman-hook-mkinitcpio-install attach_disconnected,complain
 pacman-hook-mkinitcpio-remove complain
 pacman-hook-perl complain
 pacman-hook-systemd complain
-pacman-key complain
\ No newline at end of file
+pacman-key complain
diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore
index 02f74b14..dd41fc1c 100644
--- a/dists/ignore/ubuntu.ignore
+++ b/dists/ignore/ubuntu.ignore
@@ -1,3 +1,4 @@
+aa-status
 apparmor.d/groups/pacman
 apparmor.systemd
 root/usr/share/libalpm/hooks/apparmor.hook
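Review bot: The second umount hunk sorts the capabilities but deletes the only comment explaining why `capability sys_admin` is required; as the broadest capability in the list it deserves a short trailing note on the new line, e.g. `capability sys_admin, # umount2() returns EPERM without it`. The rest of the hunk is a pure reorder and needs no change.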