From dc19fc72a856afb311b83c51cab2b1b8f97c9166 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 5 Feb 2022 20:02:10 +0000
Subject: [PATCH] Update profiles.
---
 apparmor.d/groups/bus/dbus-daemon | 1 +
 apparmor.d/groups/pacman/pacman | 1 +
 apparmor.d/groups/systemd/bootctl | 2 ++
 apparmor.d/profiles-a-f/acpid | 38 +++++++++++++++--------------
 apparmor.d/profiles-a-f/aurpublish | 7 ++++++
 apparmor.d/profiles-a-f/borg | 6 ++---
 apparmor.d/profiles-a-f/browserpass | 3 ++-
 apparmor.d/profiles-a-f/fusermount | 2 +-
 apparmor.d/profiles-m-r/ntfs-3g | 3 +++
 apparmor.d/profiles-s-z/wireplumber | 1 +
 dists/flags/main.flags | 1 -
 11 files changed, 40 insertions(+), 25 deletions(-)
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 5ba06879..05f5d24e 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -18,6 +18,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 capability sys_resource,
 signal (receive) set=(term hup kill) peer=gdm*,
+ signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
 signal (send) set=(term hup kill) peer=at-spi-bus-launcher,
 signal (send) set=(term hup kill) peer=xdg-permission-store,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 26f313d6..698f7e20 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -51,6 +51,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/dot rix,
 /{usr/,}bin/env rix,
+ /{usr/,}bin/filecap rix,
 /{usr/,}bin/getent rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/ghc-pkg-* rix,
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index d9f4a706..cf283239 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
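Review bot: `/{usr/,}bin/filecap rix` runs filecap inside pacman's own profile, and filecap's purpose is to write the `security.capability` xattr, which needs `capability setfcap`; the hunk does not show whether the pacman profile already grants it, so confirm it does or the install hook that calls filecap will be denied at the xattr write rather than at exec. Because `ix` inherits the whole pacman profile instead of a narrower child, a one-line comment such as `# filecap(8) sets file capabilities from install hooks; needs setfcap` would record why the rule exists. The pacman profile body continues outside the hunk.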
@@ -32,6 +32,8 @@ profile bootctl @{exec_path} {
 /boot/loader/.#bootctlrandom-seed[0-9a-f]* rw,
 /boot/loader/random-seed w,
+ /etc/machine-id r,
+ @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 @{sys}/firmware/efi/efivars/ r,
diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index 3b37a15f..f5d18f85 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -11,6 +11,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability dac_read_search,
 capability mknod,
 network netlink raw,
@@ -20,7 +21,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{ba,da,}sh rix,
 /{usr/,}bin/logger rix,
- /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh,
+ /etc/acpi/powerbtn-acpi-support.sh rPx -> powerbtn-acpi-support,
 /etc/acpi/{,**} r,
 /etc/acpi/handler.sh rix,
@@ -37,26 +38,35 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
-profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) {
+profile powerbtn-acpi-support flags=(attach_disconnected) {
 include
 /etc/acpi/powerbtn-acpi-support.sh r,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/pgrep rix,
- /{usr/,}bin/{e,}grep rix,
- /{usr/,}bin/pinky rix,
- /{usr/,}bin/{ba,da,}sh rix,
- /{usr/,}bin/dbus-send rix,
 /{usr/,}{s,}bin/killall5 rix,
 /{usr/,}{s,}bin/shutdown rix,
+ /{usr/,}bin/{ba,da,}sh rix,
+ /{usr/,}bin/{e,}grep rix,
+ /{usr/,}bin/dbus-send rix,
+ /{usr/,}bin/pgrep rix,
+ /{usr/,}bin/pinky rix,
+ /{usr/,}bin/sed rix,
 /etc/acpi/powerbtn.sh rix,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}bin/ps rPx,
 /{usr/,}bin/fgconsole rCx,
- profile fgconsole /usr/bin/fgconsole {
+
+ /usr/share/acpi-support/** r,
+
+ @{PROC} r,
+ @{PROC}/uptime r,
+ @{PROC}/@{pids}/cmdline r,
+
+ deny / r,
+
+ profile fgconsole {
 include
 capability sys_tty_config,
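Review bot: `capability dac_read_search` is added to acpid with no comment saying which access needs it; it lets the daemon bypass DAC read/search checks on every path its file rules already allow, so the trigger should be recorded, e.g. `# dac_read_search: <path from the audit log> is not world-readable`. If a single file is behind it, fixing that file's mode or adding a targeted rule is preferable to a capability on a root daemon that runs shell hooks. The acpid profile body continues outside the hunk.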
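Review bot: `profile fgconsole {` drops the `/usr/bin/fgconsole` attachment, but the transition above it stays `/{usr/,}bin/fgconsole rCx,` with no `-> fgconsole` target; an untargeted `Cx` is resolved by matching the executable path against the child profiles' attachments, so with the attachment gone the exec will presumably no longer find the child and be denied — confirm by pressing the power button with the profile in enforce mode, or make the target explicit: `/{usr/,}bin/fgconsole rCx -> fgconsole,`. The `fgconsole` child profile opened here closes outside the hunk.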
@@ -67,13 +77,5 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) {
 owner /dev/tty[0-9]* rw,
 }
- /usr/share/acpi-support/** r,
-
- deny / r,
-
- @{PROC} r,
- @{PROC}/uptime r,
- @{PROC}/@{pids}/cmdline r,
-
- include if exists
+ include if exists
 }
diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish
index b7d2f98a..5c93be01 100644
--- a/apparmor.d/profiles-a-f/aurpublish
+++ b/apparmor.d/profiles-a-f/aurpublish
@@ -13,10 +13,17 @@ profile aurpublish @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
 /{usr/,}bin/git rPx,
 /{usr/,}bin/makepkg rUx,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/wc rix,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.SRCINFO rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/PKGBUILD r,
+
+ /dev/tty rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 04bbc3a7..2a4cf499 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -7,8 +7,6 @@
 abi ,
 include
-@{BACKUP_DIR} = @{MOUNTS}/Arti/backup-*
-
 @{exec_path} = /{usr/,}bin/borg
 profile borg @{exec_path} {
 include
@@ -82,8 +80,8 @@ profile borg @{exec_path} {
 /var/{,**} r,
 # The backup dirs
- owner @{BACKUP_DIR}/ r,
- owner @{BACKUP_DIR}/** rwkl -> @{BACKUP_DIR}/**,
+ owner @{MOUNTS}/ r,
+ owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
 # For exporting the key
 owner /**/key w,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index 739a7241..82b916ca 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
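Review bot: The new `owner @{HOME}/@{XDG_PROJECTS_DIR}/**` rules become the only repository paths aurpublish may touch once `main.flags` (same commit) drops it from complain mode, so AUR checkouts kept anywhere else will start being denied; a comment such as `# AUR package repos are expected under @{XDG_PROJECTS_DIR}; extend in local/aurpublish` would make that expectation visible to users hitting the denial. `cat rix` and `/dev/tty rw` look consistent with an interactive commit-message flow through `COMMIT_EDITMSG`. The file is also still missing its trailing newline (`\ No newline at end of file`), which is worth fixing while the block is being edited.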
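Review bot: Replacing the `@{BACKUP_DIR}` rules with `owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**` widens borg's write, lock and link access from one backup directory to every user-owned file on every mounted volume, so a bug or a hostile repository could now clobber unrelated data on removable media rather than only the backup set. Keeping a variable with a generic default, e.g. `@{BACKUP_DIR} = @{MOUNTS}/*/backup*` (adjusted to the layout the project expects) and `owner @{BACKUP_DIR}/** rwkl -> @{BACKUP_DIR}/**`, preserves the old narrowing without the site-specific `Arti` path. If the broad rule is intended, a comment stating that borg repositories may live anywhere under @{MOUNTS} would at least document the decision.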
@@ -34,9 +34,10 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 deny network inet dgram,
 deny network inet6 stream,
 deny network inet stream,
- deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
+ deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**} r,
 deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
 deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
 deny /dev/dri/card[0-9]* rw,
 deny /dev/dri/renderD128 rw,
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index 3fbdd22e..8db380c6 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -21,7 +21,7 @@ profile fusermount @{exec_path} {
 owner @{HOME}/*/ rw,
 owner @{HOME}/*/*/ rw,
 owner @{user_cache_dirs}/**/ rw,
- owner @{run}/user/@{uid}/doc/ r,
+ @{run}/user/@{uid}/doc/ r,
 # Be able to mount ISO images
 mount fstype={fuse,fuse.*} -> @{HOME}/*/,
diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g
index c8177e93..ea6029ee 100644
--- a/apparmor.d/profiles-m-r/ntfs-3g
+++ b/apparmor.d/profiles-m-r/ntfs-3g
@@ -49,6 +49,9 @@ profile ntfs-3g @{exec_path} {
 mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
 mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,
+ umount @{MOUNTS}/*/,
+ umount /mnt/*/,
+
 # kmod is used to load the fuse kernel module
 /{usr/,}bin/kmod rPx,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index b9ad2a44..ee2f5b57 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -36,6 +36,7 @@ profile wireplumber @{exec_path} {
 @{sys}/class/ r,
 @{sys}/class/sound/ r,
 @{sys}/class/video4linux/ r,
+ @{sys}/devices/**/sound/**/pcm_class r,
 @{sys}/devices/**/sound/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/modalias r,
 @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
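Review bot: The new deny rule `@{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**}` only matches profile directories whose name ends in `.default`; Firefox commonly names the active release profile `*.default-release`, and the `*` does not help because the literal `.default` must be the suffix, so those reads would still surface in the audit log. `[0-9a-z]*.default{,-release}/storage/default/{,**}` would cover both layouts. Since this is a noise-suppression deny, the effect of the gap is log noise rather than any extra access.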
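Review bot: Dropping `owner` from `@{run}/user/@{uid}/doc/ r` is not explained; if `@{uid}` expands to a numeric glob rather than the caller's own id, the setuid fusermount may now list the document-portal mount point of every user on the system. A comment giving the reason — presumably the FUSE mount point reports an owner that does not match the caller, so the `owner` match failed — would let a later reader judge whether the widening is still needed, e.g. `# doc/ is a FUSE mount whose reported owner differs from the caller`. The fusermount profile body continues outside the hunk.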
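Review bot: The new `umount` rules cover `@{MOUNTS}/*/` and `/mnt/*/` but not `/mnt/` itself, while the mount rule two lines above still allows `-> /mnt/`; if ntfs-3g is expected to unmount what it mounted there, `umount /mnt/,` is needed for symmetry. The `@{MOUNTS}/*/` umount presumably pairs with a mount rule outside the hunk, which is fine. If leaving `/mnt/` to the caller is deliberate, a one-line comment saying so would avoid the question next time the rules are touched.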
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d0867af9..3a5eeb5e 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -7,7 +7,6 @@ agetty complain
 askpass complain
 at-spi-bus-launcher attach_disconnected
 auditd complain
-aurpublish complain
 badblocks complain
 biosdecode complain
 blkid complain