From e1a30cbf7d2795023816cab51b1a2bd17c66d04f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 17 Dec 2023 12:46:27 +0000
Subject: [PATCH] feat(profile): unify udev char dynamic assignment ranges.

---
 apparmor.d/groups/freedesktop/iio-sensor-proxy | 4 +---
 apparmor.d/groups/freedesktop/pipewire | 7 +------
 apparmor.d/groups/freedesktop/pulseaudio | 4 +---
 apparmor.d/groups/gnome/gnome-control-center | 7 +------
 apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 4 +---
 apparmor.d/groups/gnome/tracker-extract | 7 +------
 apparmor.d/groups/systemd/systemd-journald | 7 +------
 apparmor.d/groups/systemd/systemd-logind | 7 +------
 apparmor.d/groups/ubuntu/subiquity-console-conf | 4 +---
 apparmor.d/groups/virt/libvirtd | 7 +------
 apparmor.d/groups/virt/virtnodedevd | 7 +------
 apparmor.d/profiles-a-f/fprintd | 4 +---
 apparmor.d/profiles-m-r/nvtop | 13 ++----------
 apparmor.d/profiles-s-z/steam | 4 +---
 apparmor.d/profiles-s-z/steam-game | 4 +---
 apparmor.d/profiles-s-z/udisksd | 4 +---
 apparmor.d/profiles-s-z/virt-manager | 4 +---
 apparmor.d/profiles-s-z/wireplumber | 7 +------
 apparmor.d/tunables/multiarch.d/system | 4 ++++
 19 files changed, 23 insertions(+), 86 deletions(-)

diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy
index 45d0aa0a..b3dac20b 100644
--- a/apparmor.d/groups/freedesktop/iio-sensor-proxy
+++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy
@@ -19,9 +19,7 @@ profile iio-sensor-proxy @{exec_path} {
 @{run}/udev/data/+platform:* r,
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
 @{run}/udev/data/c13:@{int} r, # For /dev/input/*
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/bus/ r,
 @{sys}/bus/iio/devices/ r,
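Review bot: The new `@{run}/udev/data/c@{dynamic}:@{int} r,` line changes this profile's grant in both directions, not only its line count: the removed `c3[0-9]*`, `c4[0-9]*` and `c5[0-9]*` globs also matched majors 30–59, 300–383 and 512–599, so the variable is tighter there, but it also adds the 234–254 range that iio-sensor-proxy never listed. The same per-profile widening happens in every hunk that previously carried only one of the two ranges (pulseaudio, org.gnome.NautilusPreviewer, subiquity-console-conf, fprintd, the first nvtop hunk, steam, steam-game, udisksd, virt-manager). These are `r` rules on the udev data directory, so the impact is limited, but a one-line statement that "unify" deliberately grants both ranges everywhere would make the intent reviewable. The profile rule block continues outside the hunk.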
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index 7fdfcbe6..59873eb5 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -58,12 +58,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
 
 @{run}/udev/data/c81:@{int} r, # For video4linux
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/bus/ r,
 @{sys}/bus/media/devices/ r,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 3121da1c..a2bc2278 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -102,9 +102,7 @@ profile pulseaudio @{exec_path} {
 
 @{run}/udev/data/+pci:* r,
 @{run}/udev/data/c116:@{int} r, # for ALSA
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
 @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 813a5b68..a1c89f33 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -130,12 +130,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+pci:* r,
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{run}/udev/data/n@{int} r,
 
 @{sys}/bus/ r,
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index 2585f937..d494dd3f 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -41,9 +41,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
 
 owner @{user_config_dirs}/pulse/cookie rk,
 
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/devices/@{pci}/revision r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 6e7bfb22..1b00928f 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -85,12 +85,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
 @{run}/blkid/blkid.tab r,
 
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{run}/mount/utab r,
 
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 68d002c6..afeee661 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -61,12 +61,7 @@ profile systemd-journald @{exec_path} {
 @{run}/udev/data/c108:@{int} r, # For /dev/ppp
 @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters
 @{run}/udev/data/c29:[0-9]* r, # For CD-ROM
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/devices/**/uevent r,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index d944b630..6c52cdff 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -77,12 +77,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/udev/data/c81:@{int} r, # For video4linux
 @{run}/udev/data/c116:@{int} r, # For ALSA
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{run}/systemd/inhibit/ rw,
 @{run}/systemd/inhibit/.#* rw,
diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf
index 77c2a771..fb82fbe2 100644
--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@@ -74,9 +74,7 @@ profile subiquity-console-conf @{exec_path} {
 @{run}/udev/data/c108:@{int} r, # For /dev/ppp
 @{run}/udev/data/c116:@{int} r, # For ALSA
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{run}/udev/data/n@{int} r,
 
 @{sys}/**/devices/ r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index b8b29ff6..edd162d8 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -185,12 +185,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
 @{run}/udev/data/c203:@{int} r, # CPU CPUID information
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{run}/udev/data/n@{int} r,
 
 @{sys}/bus/[a-z]*/devices/ r,
diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd
index 9a05dfd3..f713c03d 100644
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@@ -66,12 +66,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c116:@{int} r, # For ALSA
 @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{run}/udev/data/n@{int} r,
 
 @{sys}/**/ r,
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index 7243970c..f93d8934 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -32,9 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/journal/socket rw,
 @{run}/systemd/inhibit/*.ref w,
 
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/class/hidraw/ r,
 @{sys}/devices/@{pci}/hidraw/hidraw[0-9]*/uevent r,
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop
index 8122b3ad..f5f461f2 100644
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@@ -30,9 +30,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+drm:card[0-9]-* r,
 @{run}/udev/data/+pci:* r,
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/bus/ r,
 @{sys}/class/ r,
@@ -50,14 +48,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/stat r,
 @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,
 
- /dev/char/c23[4-9]:@{int} w, # For dynamic assignment range 234 to 254
- /dev/char/c24[0-9]:@{int} w,
- /dev/char/c25[0-4]:@{int} w,
- /dev/char/c38[4-9]:@{int} w, # For dynamic assignment range 384 to 511
- /dev/char/c39[0-9]:@{int} w,
- /dev/char/c4[0-9][0-9]:@{int} w,
- /dev/char/c50[0-9]:@{int} w,
- /dev/char/c51[0-1]:@{int} w,
+ /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
 
 /dev/dri/ r,
 /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 3bdb65da..44771760 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
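Review bot: In nvtop's second hunk, `/dev/char/@{dynamic}:@{int} w,` is more than a consolidation: the eight removed lines were spelled `/dev/char/c23[4-9]:@{int}` with a `c` prefix, whereas the new rule drops it. If the `/dev/char/` link names are bare `MAJOR:MINOR` (the `c` belongs to the `@{run}/udev/data/` keys, as the other hunks show), the old rules could never have matched and this line is effectively a new write grant on every dynamic-major character device node the profile can reach, which deserves to be called out rather than buried under "unify". The trailing comment should also name what nvtop writes to through these links, e.g. `# For dynamic assignment range 234 to 254, 384 to 511 (presumably the /dev/nvidia-caps/* devices granted below; confirm)`. Both nvtop hunks sit inside the profile block that continues outside the hunk.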
@@ -167,9 +167,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
 
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/c116:@{int} r, # for ALSA
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{run}/udev/data/n@{int} r,
 
 @{sys}/ r,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 2f1da3b3..188a79d7 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -193,9 +193,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/c116:@{int} r, # for ALSA
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/ r,
 @{sys}/bus/ r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 03338179..1c9f9962 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -113,9 +113,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+pci:* r,
 @{run}/udev/data/+platform:* r,
 
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/bus/ r,
 @{sys}/bus/pci/slots/ r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index fa4a2227..3c2d2cd3 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -90,9 +90,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
 
 @{run}/mount/utab r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
 @{sys}/devices/@{pci}/drm/ r,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 8d0082e4..0ee493f0 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -53,12 +53,7 @@ profile wireplumber @{exec_path} {
 @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
 @{run}/udev/data/c81:@{int} r, # For video4linux
 @{run}/udev/data/c116:@{int} r, # For ALSA
- @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
- @{run}/udev/data/c24[0-9]:@{int} r,
- @{run}/udev/data/c25[0-4]:@{int} r,
- @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
- @{run}/udev/data/c4[0-9]*:@{int} r,
- @{run}/udev/data/c5[0-9]*:@{int} r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
 @{sys}/bus/ r,
 @{sys}/bus/media/devices/ r,
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index c9c8c5ad..87c81c82 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -56,3 +56,7 @@
 
 # Name of the systemd profile: unconfined || systemd
 @{systemd}=unconfined
+
+# Udev data dynamic assignment ranges
+@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
+@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
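Review bot: The header comment `# Udev data dynamic assignment ranges` on the new `@{dynamic}` tunable undersells what it is: the values are the character-device major numbers the kernel reserves for dynamic assignment, and the nvtop hunk already uses the variable for `/dev/char/` paths, not only udev data. A comment that records the source and the intended spellings would help whoever extends it next, e.g. `# Char device major numbers reserved for dynamic assignment (kernel devices.txt). Use as c@{dynamic}:@{int} under @{run}/udev/data/ and as @{dynamic}:@{int} under /dev/char/`. It is also worth a line saying that any range added here is granted at once to every profile referencing the variable, since that is the new blast radius of this file. The `4[0-9][0-9]` alternative is correct for 400–499 and the two `@{dynamic}` lines together cover exactly 234–254 and 384–511, so the definition itself looks right.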