From 821e753572473766e8aa6a95d02a3143513d66c9 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 3 Mar 2024 12:42:44 +0100 Subject: [PATCH 1/5] Various profile updates Signed-off-by: Jeroen Rijken --- .../abstractions/bus/fi.w1.wpa_supplicant1 | 29 +++++++++++------- .../bus/org.freedesktop.ModemManager1 | 5 ++++ .../bus/org.freedesktop.NetworkManager | 26 ++++++++-------- .../abstractions/bus/org.freedesktop.UDisks2 | 20 ++++++------- .../abstractions/bus/org.freedesktop.UPower | 11 +++++-- .../abstractions/bus/org.freedesktop.login1 | 6 ++-- apparmor.d/groups/freedesktop/xdg-mime | 1 + apparmor.d/groups/kde/kbuildsycoca5 | 30 +++++++++++++++++++ apparmor.d/groups/kde/plasmashell | 8 +++-- apparmor.d/groups/kde/sddm-xsession | 22 ++++++++++---- apparmor.d/groups/kde/startplasma | 18 +++++++++-- apparmor.d/groups/network/nm-dispatcher | 23 +++++++++++--- apparmor.d/profiles-g-l/logrotate | 1 + apparmor.d/profiles-s-z/usbguard | 4 +++ 14 files changed, 150 insertions(+), 54 deletions(-) create mode 100644 apparmor.d/groups/kde/kbuildsycoca5 diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 4c13e555..12eea120 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 
@@ -4,12 +4,22 @@ dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} + member={GetAll,PropertiesChanged},Set + peer=(name=:*, label=wpa-supplicant), + + dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=org.freedesktop.DBus.Properties + member={GetAll,Set} + peer=(name=:*, label=wpa-supplicant), + + dbus send bus=system path=/fi/w1/wpa_supplicant1 + interface=fi.w1.wpa_supplicant1.Interface + member=CreateInterface peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface - member={Disconnect,RemoveNetwork,Scan} + member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork} peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} 
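Review bot: `member={GetAll,PropertiesChanged},Set` in the first changed rule does not grant what it looks like it grants: the brace alternation expands to the literal values `GetAll,Set` and `PropertiesChanged,Set`, so neither `Set` on its own nor the previously matched `GetAll` matches any real member name. The second added rule already uses the intended form, `member={GetAll,Set}`; this one should read `member={GetAll,PropertiesChanged,Set}`. Since `Set` on `org.freedesktop.DBus.Properties` is a write into wpa_supplicant state and this abstraction is shared by every profile that includes it, a short comment naming which includer needs `Set`, `AddNetwork` and `SelectNetwork` would help later reviewers judge the widening.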
@@ -17,25 +27,24 @@ member=Cancel peer=(name=:*, label=wpa-supplicant), - # Unconfined for now, don't know the label yet. - # dbus send bus=system path=/org/freedesktop - # interface=org.freedesktop.DBus.ObjectManager - # member=InterfacesRemoved - # peer=(name=:*, label=unconfined), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface - member={BSSAdded,BSSRemoved,NetworkRemoved,ScanDone,PropertiesChanged} + member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties - member=PropertiesChanged + member={GetAll,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} interface=org.freedesktop.DBus.Properties - member=PropertiesChanged + member={GetAll,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 0edc53cc..75ee94bf 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -2,6 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + dbus send bus=system path=/org/freedesktop/ModemManager1 + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects 
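Review bot: The new ModemManager1 rule (`path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects`) is a copy of the existing rule immediately below it, apparently differing only in `peer=(name=org.freedesktop.ModemManager1, ...)`; the existing rule's peer line lies outside the hunk so I cannot confirm its name form. If it is `name=:*`, merge the two as `peer=(name="{:*,org.freedesktop.ModemManager1}", label=ModemManager)`, which is the pattern this same patch applies in the NetworkManager, UDisks2, UPower and login1 abstractions.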
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index e9add589..f6fbb547 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -5,66 +5,66 @@ dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={GetDevices,GetPermissions} - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member=ListConnections - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive 
bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=CheckPermissions - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} - peer=(name=:*, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index 8465f64c..956356c5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 
@@ -5,51 +5,51 @@ dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/** interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Properties member=Get - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2/jobs/@{int} interface=org.freedesktop.UDisks2.Job member=Completed - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/* 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 372fce27..93c1aefb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -10,7 +10,7 @@ dbus send bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=upowerd), + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), dbus send bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -21,14 +21,19 @@ member=GetDisplayDevice peer=(name=org.freedesktop.UPower, label=upowerd), + dbus send bus=system path=/org/freedesktop/UPower/devices/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + dbus send bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=upowerd), + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), dbus receive bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=upowerd), + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index d11829d8..67d24772 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 
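Review bot: In the UPower `@@ -21,14 +21,19 @@` hunk, the added `dbus send bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member={Get,GetAll}` rule is already covered by the rule at line 10 of the same file, whose path `/org/freedesktop/UPower{,/**}` includes `/org/freedesktop/UPower/devices/*` and whose peer became `(name="{:*,org.freedesktop.UPower}", label=upowerd)` in the first hunk. The new rule can be dropped; if it was added from a denial, the denial was against the old `name=:*` peer, which the first hunk now fixes.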
@@ -10,7 +10,7 @@ dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager @@ -20,12 +20,12 @@ dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} - peer=(name=:*, label=systemd-logind), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=systemd-logind), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 9d1a2884..f5291bb1 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -21,6 +21,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/file rix, @{bin}/head rix, + @{bin}/kbuildsycoca5 rPx, @{bin}/mv rix, @{bin}/readlink rix, @{bin}/realpath rix, diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca5 new file mode 100644 index 00000000..8173be58 --- /dev/null +++ b/apparmor.d/groups/kde/kbuildsycoca5 
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kbuildsycoca5 +profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + /usr/share/applications/kde-mimeapps.list r, + /usr/share/mime/mime.cache r, + /usr/share/mime/types r, + /var/lib/flatpak/exports/share/mime/types r, + + owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksycoca5_* rw, + owner @{user_config_dirs}/mimeapps.list r, + owner @{user_share_dirs}/applications/mimeapps.list r, + owner @{user_share_dirs}/mime/types r, + + /dev/tty r, + + include if exists +} diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f50ced75..9e1cf1a1 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -44,9 +44,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{exec_path} mr, - @{lib}/libheif/{,**} mr, - - @{bin}/dolphin rPUx, + @{lib}/libheif/ r, + @{lib}/libheif/{,**} mr, + @{lib}/kf5/kioslave5 rPx, + @{lib}/kf5/kdesu{,d} rix, + @{bin}/dolphin rPUx, # TODO: rPx, @{bin}/ksysguardd rix, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b02f3f5b..393f1cf4 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -10,6 +10,7 @@ include @{exec_path} = /etc/sddm/Xsession profile sddm-xsession @{exec_path} { include + include include include include 
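Review bot: The new kbuildsycoca5 profile grants `owner @{user_cache_dirs}/ksycoca5_* rw,` and the `l ->` rule, while the startplasma hunk in this same patch grants `rwkl` on the same `@{user_cache_dirs}/ksycoca{5,6}_*` files and `rwk` on `@{user_cache_dirs}/#@{int}`. If kbuildsycoca5 takes the file lock while rebuilding the cache, as the startplasma rules suggest, `rw` here is insufficient and `owner @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` plus `owner @{user_cache_dirs}/#@{int} rwk,` would align the two profiles; confirm against a denial before widening. Since xdg-mime now transitions to this profile with `rPx`, a failing rebuild would surface as xdg-mime breakage, so a one-line comment noting that caller would help.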
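Review bot: In the plasmashell hunk, `@{lib}/kf5/kdesu{,d} rix,` runs the KDE privilege-elevation helper and its password-caching daemon under plasmashell's own profile; `ix` does confine them, but anything kdesu then executes (su, sudo, or the elevated command) also inherits plasmashell's rules and will either need explicit exec rules here or fail. Consider a dedicated profile with `rPx`, as is done for `kioslave5` on the line above, and add a comment stating which plasmashell feature needs kdesu so the grant is traceable. The `# TODO: rPx` trailing comment on the dolphin line is fine, but the TODO would be easier to track on its own line above the rule.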
@@ -25,14 +26,17 @@ profile sddm-xsession @{exec_path} { @{bin}/csh rix, @{bin}/date rix, @{bin}/fish rix, - @{bin}/id rix, + @{bin}/gettext.sh r, @{bin}/gpgconf rCx -> gpg, + @{bin}/id rix, + @{bin}/locale rix, + @{bin}/locale-check rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{bin}/mv rix, - @{bin}/locale-check rPx, - @{bin}/mktemp rix, - @{bin}/rm rix, @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @@ -57,12 +61,18 @@ profile sddm-xsession @{exec_path} { /etc/default/{,*} r, /etc/X11/{,**} r, - owner @{HOME}/.xsession-errors w, + owner @{HOME}/.xinputrc r, + owner @{HOME}/.xsession-errors rw, + @{HOME}/tmp.* rw, + + @{system_share_dirs}/im-config/data/{,*} r, + @{system_share_dirs}/im-config/xinputrc.common owner @{user_share_dirs}/sddm/xorg-session.log w, owner /tmp/xsess-env-* rw, owner /tmp/file* rw, + owner /tmp/tmp.* rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 6a95d46c..4d26e0a5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,6 +11,7 @@ profile startplasma @{exec_path} { include include include + include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, @@ -20,12 +21,17 @@ profile startplasma @{exec_path} { @{sh_path} rix, @{bin}/env rix, + @{bin}/{,ba,da}sh rix, + @{bin}/env rix, + @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/ksplashqml rPUx, @{bin}/plasma_session rPx, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, + @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/knotifications{5,6}/{,**} r, 
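Review bot: In the sddm-xsession `@@ -57,12 +61,18 @@` hunk, `@{system_share_dirs}/im-config/xinputrc.common` has no permission mode and no terminating comma, so the parser runs it into the following `owner @{user_share_dirs}/sddm/xorg-session.log w,` line and rejects the whole profile; it should be `@{system_share_dirs}/im-config/xinputrc.common r,`. In the same hunk `@{HOME}/tmp.* rw,` lacks the `owner` qualifier that its sibling `owner /tmp/tmp.* rw,` has, which matters for a session script that may run against a shared or admin-owned home; `owner @{HOME}/tmp.* rw,` keeps the two consistent.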
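Review bot: In the startplasma `@@ -20,12 +21,17 @@` hunk, the added `@{bin}/env rix,` duplicates the context line directly above it, and `@{bin}/{,ba,da}sh rix,` sits next to the existing `@{sh_path} rix,`; if `@{sh_path}` expands to those shells, as its name suggests, both added lines are redundant and should be dropped. If `@{sh_path}` does not cover one of them, a comment naming the shell that was denied would explain why the explicit rule is kept.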
@@ -33,10 +39,16 @@ profile startplasma @{exec_path} { /usr/share/kservicetypes5/{,**} r, /usr/share/plasma/{,**} r, + /etc/locale.alias r, /etc/machine-id r, /etc/xdg/kcminputrc r, /etc/xdg/menus/{,**} r, - /etc/xdg/plasma-workspace/env/{,**} r, + /etc/xdg/plasma-workspace/env/{,*} r, + + /var/lib/flatpak/exports/share/mime/ r, + + @{HOME}/ r, + @{HOME}/.xsession-errors w, @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, @@ -69,7 +81,9 @@ profile startplasma @{exec_path} { owner @{run}/user/@{uid}/ r, - @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/maps r, /dev/tty r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index d1d068ae..e83223f1 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -22,12 +22,18 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=NetworkManager), + @{exec_path} mr, @{sh_path} rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chronyc rPUx, + @{bin}/chown rix, @{bin}/date rix, @{bin}/gawk rix, @{bin}/grep rix, 
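Review bot: In the startplasma `@@ -33,10 +39,16 @@` hunk, `@{HOME}/.xsession-errors w,` lacks `owner`, while the sddm-xsession hunk in this same patch writes the same file as `owner @{HOME}/.xsession-errors rw,`; `owner @{HOME}/.xsession-errors w,` keeps the session components consistent and avoids writing to a log in a home directory the user does not own. `@{HOME}/ r,` on its own is harmless but worth a comment saying what startplasma lists there. The narrowing from `env/{,**}` to `env/{,*}` looks intentional; a short note on why subdirectories are excluded would stop a later reviewer from widening it again.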
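Review bot: In the nm-dispatcher `@@ -22,12 +22,18 @@` hunk, the added `GetManagedObjects` rule uses `peer=(name=:*, label=NetworkManager)`, whereas the identical rule in `abstractions/bus/org.freedesktop.NetworkManager` was changed in this same patch to `peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager)`; if nm-dispatcher addresses the well-known name, the `:*` form will not match the destination. Either `include <abstractions/bus/org.freedesktop.NetworkManager>` or copy the same peer form. `@{bin}/chown rix,` is new executable scope for a root daemon and pairs with the `/ r,` and `/usr/share/tlp/{,**} rw,` grants in the next hunk, so a comment naming the dispatcher script that runs chown would make the grant reviewable.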
@@ -52,15 +58,21 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { /etc/NetworkManager/dispatcher.d/** rix, /etc/dhcp/dhclient-exit-hooks.d/ntp r, + # chown + / r, + /usr/share/tlp/{,**} rw, /etc/sysconfig/network/config r, /etc/fstab r, - @{run}/systemd/notify rw, - @{run}/tlp/{,*} rw, - @{run}/chrony-dhcp/ rw, - @{run}/ntp.conf.dhcp rw, + @{run}/chrony-dhcp/ rw, + @{run}/ntp.conf.dhcp rw, + @{run}/systemd/netif/leases/ r, + @{run}/systemd/notify rw, + @{run}/tlp/{,*} rw, + owner @{run}/ntp.conf.dhcp.@{rand6} rw, + owner /etc/ntp.conf r, @{sys}/class/net/ r, @@ -85,8 +97,11 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include + @{bin}/invoke-rc.d rm, @{sh_path} rix, + @{bin}/basename rix, @{bin}/ls rix, + # This doesn't seem to work, profile transition not found. @{bin}/systemctl rCx -> systemctl, / r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 5c9ced99..83f1ac55 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -67,6 +67,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { /etc/ r, @{etc_ro}/logrotate.conf rk, @{etc_ro}/logrotate.d/ r, + @{etc_ro}/rc*.d/ r, @{etc_ro}/logrotate.d/* rk, / r, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard index b627eb46..ea16957a 100644 --- a/apparmor.d/profiles-s-z/usbguard +++ b/apparmor.d/profiles-s-z/usbguard @@ -20,6 +20,10 @@ profile usbguard @{exec_path} { # Needed to create policy (usbguard generate-policy) network netlink dgram, + unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}), + + # dbus: own bus=system name=org.usbguard1 + @{exec_path} mr, /etc/usbguard/*.conf rw, From d866e04e56ba45ab6a26ac8670078c86a2f55145 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 3 Mar 2024 12:43:04 +0100 Subject: [PATCH 2/5] Add KDE Neon to package tools 
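Review bot: `/usr/share/tlp/{,**} rw,` in the `@@ -52,15 +58,21 @@` hunk grants a root dispatcher write access across a vendor data tree under `/usr/share`; if the tlp dispatcher script only reads from it, `r` is enough, and if it does write, the rule should be narrowed to the files it actually touches. The `# chown` comment above `/ r,` does not say what chown needs from `/`; a comment that names the operation (or the denial it answers) would keep the bare root-read grant from being cargo-culted into other profiles.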
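Review bot: In the `@@ -85,8 +97,11 @@` hunk, `# This doesn't seem to work, profile transition not found.` records a known-broken `@{bin}/systemctl rCx -> systemctl` inside the `invoke-rc` child profile: `rCx -> systemctl` needs a child profile named `systemctl` nested inside `invoke-rc`, and none is visible in the hunk. If that comment quotes the apparmor_parser message, the whole nm-dispatcher profile is rejected at load time, which leaves the daemon unconfined rather than merely unable to run systemctl. Either define the nested child, or if a standalone systemctl profile exists use `@{bin}/systemctl rPx -> systemctl,`; the enclosing `invoke-rc` block continues outside the hunk.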
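Review bot: In the usbguard hunk, `# dbus: own bus=system name=org.usbguard1` is a plain comment, whereas the directive form used in the nm-dispatcher hunk is `#aa:dbus own bus=system name=...`; if the build only expands the `#aa:` form, this line produces no dbus rules and the intended own/receive grants on `org.usbguard1` are silently missing. The same comment form appears in the kauth-kded-smart-helper hunk (`# dbus: own bus=system name=org.kde.kded.smart`). Also, the new `unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}),` rule sits under the `# Needed to create policy (usbguard generate-policy)` comment although it is the client-to-daemon socket path; a blank line and its own comment would keep the two grants from being read as one.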
Signed-off-by: Jeroen Rijken --- pkg/prebuild/prepare.go | 249 ++++++++++++++++++++++++++++++++++++++++ pkg/prebuild/tools.go | 145 +++++++++++++++++++++++ 2 files changed, 394 insertions(+) create mode 100644 pkg/prebuild/prepare.go create mode 100644 pkg/prebuild/tools.go diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go new file mode 100644 index 00000000..0b005802 --- /dev/null +++ b/pkg/prebuild/prepare.go 
@@ -0,0 +1,249 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prebuild + +import ( + "fmt" + "os" + "path/filepath" + "strings" + + "github.com/arduino/go-paths-helper" + "github.com/roddhjav/apparmor.d/pkg/logging" + "github.com/roddhjav/apparmor.d/pkg/util" +) + +// Prepare the build directory with the following tasks +var ( + Prepares = []PrepareFunc{ + Synchronise, + Ignore, + Merge, + Configure, + SetFlags, + SetProfileSystemd, + } + PrepareMsg = map[string]string{ + "Synchronise": "Initialize a new clean apparmor.d build directory", + "Ignore": "Ignore profiles and files from:", + "Merge": "Merge all profiles", + "Configure": "Set distribution specificities", + "SetFlags": "Set flags on some profiles", + "SetProfileSystemd": "Use the systemd unit file to set a profile for a given unit", + "SetEarlySystemd": "Set systemd unit drop in files to ensure some service start after apparmor", + "SetFullSystemPolicy": "Configure AppArmor for full system policy", + } +) + +type PrepareFunc func() ([]string, error) + +// Initialize a new clean apparmor.d build directory +func Synchronise() ([]string, error) { + res := []string{} + dirs := paths.PathList{RootApparmord, Root.Join("root"), Root.Join("systemd")} + for _, dir := range dirs { + if err := dir.RemoveAll(); err != nil { + return res, err + } + } + for _, name := range []string{"apparmor.d", "root"} { + if err := copyTo(paths.New(name), Root.Join(name)); err != nil { + return res, err + } + } + return res, nil +} + +// Ignore profiles and files as defined in dists/ignore/ +func Ignore() ([]string, error) { + res := []string{} + for _, name := range []string{"main.ignore", Distribution + ".ignore"} { + path := DistDir.Join("ignore", name) + if !path.Exist() { + continue + } + lines, _ := path.ReadFileAsLines() + for _, line := range lines { + if strings.HasPrefix(line, "#") || line == "" { + continue + } + profile := 
Root.Join(line) + if profile.NotExist() { + files, err := RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(line)) + if err != nil { + return res, err + } + for _, path := range files { + if err := path.RemoveAll(); err != nil { + return res, err + } + } + } else { + if err := profile.RemoveAll(); err != nil { + return res, err + } + } + } + res = append(res, path.String()) + } + return res, nil +} + +// Merge all profiles in a new apparmor.d directory +func Merge() ([]string, error) { + res := []string{} + dirToMerge := []string{ + "groups/*/*", "groups", + "profiles-*-*/*", "profiles-*", + } + + idx := 0 + for idx < len(dirToMerge)-1 { + dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1] + files, err := filepath.Glob(RootApparmord.Join(dirMoved).String()) + if err != nil { + return res, err + } + for _, file := range files { + err := os.Rename(file, RootApparmord.Join(filepath.Base(file)).String()) + if err != nil { + return res, err + } + } + + files, err = filepath.Glob(RootApparmord.Join(dirRemoved).String()) + if err != nil { + return []string{}, err + } + for _, file := range files { + if err := paths.New(file).RemoveAll(); err != nil { + return res, err + } + } + idx = idx + 2 + } + return res, nil +} + +// Set the distribution specificities +func Configure() ([]string, error) { + res := []string{} + switch Distribution { + case "arch", "opensuse": + + case "ubuntu", "neon": + debianOverwriteClean() + if overwrite { + profiles := getOverwriteProfiles() + debianOverwrite(profiles) + } else { + if err := copyTo(DistDir.Join("ubuntu"), RootApparmord); err != nil { + return res, err + } + } + case "debian", "whonix": + debianOverwriteClean() + + // Copy Debian specific abstractions + if err := copyTo(DistDir.Join("ubuntu"), RootApparmord); err != nil { + return res, err + } + + default: + return []string{}, fmt.Errorf("%s is not a supported distribution", Distribution) + + } + return res, nil +} + +// Set flags on some profiles according to 
manifest defined in `dists/flags/` +func SetFlags() ([]string, error) { + res := []string{} + for _, name := range []string{"main.flags", Distribution + ".flags"} { + path := FlagDir.Join(name) + if !path.Exist() { + continue + } + lines, _ := path.ReadFileAsLines() + for _, line := range lines { + if strings.HasPrefix(line, "#") || line == "" { + continue + } + manifest := strings.Split(line, " ") + profile := manifest[0] + file := RootApparmord.Join(profile) + if !file.Exist() { + logging.Warning("Profile %s not found", profile) + continue + } + + // If flags is set, overwrite profile flag + if len(manifest) > 1 { + flags := " flags=(" + manifest[1] + ") {" + content, err := file.ReadFile() + if err != nil { + return res, err + } + + // Remove all flags definition, then set manifest' flags + out := regFlags.ReplaceAllLiteralString(string(content), "") + out = regProfileHeader.ReplaceAllLiteralString(out, flags) + if err := file.WriteFile([]byte(out)); err != nil { + return res, err + } + } + } + res = append(res, path.String()) + } + return res, nil +} + +// Use the systemd unit file to set a profile for a given unit +func SetProfileSystemd() ([]string, error) { + return []string{}, copyTo(paths.New("systemd/default/"), Root.Join("systemd")) +} + +// Set systemd unit drop in files to ensure some service start after apparmor +func SetEarlySystemd() ([]string, error) { + return []string{}, copyTo(paths.New("systemd/early/"), Root.Join("systemd")) +} + +// Set AppArmor for (experimental) full system policy. 
+// See https://apparmor.pujol.io/full-system-policy/ +func SetFullSystemPolicy() ([]string, error) { + res := []string{} + // Install full system policy profiles + if err := copyTo(paths.New("apparmor.d/groups/_full/"), Root.Join("apparmor.d")); err != nil { + return res, err + } + + // Set systemd profile name + path := RootApparmord.Join("tunables/multiarch.d/system") + content, err := path.ReadFile() + if err != nil { + return res, err + } + out := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1) + out = strings.Replace(out, "@{systemd_user}=unconfined", "@{systemd_user}=systemd-user", -1) + if err := path.WriteFile([]byte(out)); err != nil { + return res, err + } + + // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution + path = RootApparmord.Join("abstractions/gstreamer") + content, err = path.ReadFile() + if err != nil { + return res, err + } + out = string(content) + regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) + out = regFixConflictX.Replace(out) + if err := path.WriteFile([]byte(out)); err != nil { + return res, err + } + + // Set systemd unit drop-in files + return res, copyTo(paths.New("systemd/full/"), Root.Join("systemd")) +} diff --git a/pkg/prebuild/tools.go b/pkg/prebuild/tools.go new file mode 100644 index 00000000..5550e73f --- /dev/null +++ b/pkg/prebuild/tools.go 
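Review bot: `lines, _ := path.ReadFileAsLines()` in both Ignore and SetFlags discards the read error, so an unreadable `*.ignore` or `*.flags` manifest silently behaves like an empty one and the profiles it was meant to drop or re-flag ship unchanged. Propagate it: `lines, err := path.ReadFileAsLines()` followed by `if err != nil { return res, err }`. Separately, Merge returns `[]string{}` on one error path and `res` on the others, and Configure's `"neon"` case is unreachable given the neon-to-ubuntu mapping in tools.go in this same patch. Note that the diffstat of patch 3 in this series deletes both pkg/prebuild files again, so this addition may be unintended.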
@@ -0,0 +1,145 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prebuild + +import ( + "os" + "strings" + + "github.com/arduino/go-paths-helper" + "golang.org/x/exp/slices" +) + +var ( + osReleaseFile = "/etc/os-release" + supportedDists = map[string][]string{ + "arch": {}, + "debian": {}, + "ubuntu": {"ubuntu", "neon"}, + "opensuse": {"suse", "opensuse-tumbleweed"}, + "whonix": {}, + } +) + +func NewOSRelease() map[string]string { + var lines []string + var err error + for _, name := range []string{osReleaseFile, "/usr/lib/os-release"} { + path := paths.New(name) + if path.Exist() { + lines, err = path.ReadFileAsLines() + if err != nil { + panic(err) + } + break + } + } + os := map[string]string{} + for _, line := range lines { + item := strings.Split(line, "=") + if len(item) == 2 { + os[item[0]] = strings.Trim(item[1], "\"") + } + } + return os +} + +func getSupportedDistribution() string { + dist, present := os.LookupEnv("DISTRIBUTION") + if present { + return dist + } + + os := NewOSRelease() + id := os["ID"] + if id == "ubuntu" { + return id + } + if id == "neon" { + return "ubuntu" + } + id_like := os["ID_LIKE"] + for main, based := range supportedDists { + if main == id || main == id_like { + return main + } else if slices.Contains(based, id) { + return main + } else if slices.Contains(based, id_like) { + return main + } + } + return id +} + +func copyTo(src *paths.Path, dst *paths.Path) error { + files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md")) + if err != nil { + return err + } + for _, file := range files { + destination, err := file.RelFrom(src) + if err != nil { + return err + } + destination = dst.JoinPath(destination) + if err := destination.Parent().MkdirAll(); err != nil { + return err + } + if err := file.CopyTo(destination); err != nil { + return err + } + } + return nil +} + +// 
Overwrite upstream profile: rename our profile & hide upstream +func debianOverwrite(files []string) { + const ext = ".apparmor.d" + file, err := paths.New("debian/apparmor.d.hide").Append() + if err != nil { + panic(err) + } + for _, name := range files { + origin := RootApparmord.Join(name) + dest := RootApparmord.Join(name + ext) + if err := origin.Rename(dest); err != nil { + panic(err) + } + if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil { + panic(err) + } + } +} + +// Clean the debian/apparmor.d.hide file +func debianOverwriteClean() { + const debianHide = `# This file is generated by "make", all edit will be lost. + +/etc/apparmor.d/usr.bin.firefox +/etc/apparmor.d/usr.sbin.cups-browsed +/etc/apparmor.d/usr.sbin.cupsd +/etc/apparmor.d/usr.sbin.rsyslogd +` + path := paths.New("debian/apparmor.d.hide") + if err := path.WriteFile([]byte(debianHide)); err != nil { + panic(err) + } +} + +// Get the list of upstream profiles to overwrite from dist/overwrite +func getOverwriteProfiles() []string { + res := []string{} + lines, err := DistDir.Join("overwrite").ReadFileAsLines() + if err != nil { + panic(err) + } + for _, line := range lines { + if strings.HasPrefix(line, "#") || line == "" { + continue + } + res = append(res, line) + } + return res +} From 8b3613fa481fd4f39ccffec863441b0a0d0b4d4a Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 28 Apr 2024 15:55:09 +0200 Subject: [PATCH 3/5] Various updates all over 
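Review bot: In getSupportedDistribution, `if id == "neon" { return "ubuntu" }` is redundant with the `supportedDists["ubuntu"]` entry that already lists `"neon"`, so the loop would return `"ubuntu"` anyway; keep one of the two mappings so future distro additions have a single place to go. `os := NewOSRelease()` shadows the `os` package for the rest of the function, which compiles because `os.LookupEnv` is called before it, but is easy to misread; `rel := NewOSRelease()` avoids it, and the same applies to the local `os` map inside NewOSRelease. NewOSRelease also drops any os-release line whose value contains `=` because of `len(item) == 2`; `strings.SplitN(line, "=", 2)` preserves those.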
Signed-off-by: Jeroen Rijken --- apparmor.d/abstractions/bus/org.bluez | 13 +- .../bus/org.freedesktop.NetworkManager | 5 + .../abstractions/bus/org.freedesktop.UPower | 5 + apparmor.d/groups/_full/bwrap | 1 + .../groups/freedesktop/xdg-desktop-portal | 6 +- apparmor.d/groups/kde/kauth-kded-smart-helper | 11 +- apparmor.d/groups/kde/kded | 40 ++- apparmor.d/groups/kde/ksmserver | 6 +- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/systemsettings | 13 +- apparmor.d/profiles-a-f/flatpak-app | 1 + debian/changelog | 12 + pkg/prebuild/prepare.go | 249 ------------------ pkg/prebuild/tools.go | 145 ---------- 14 files changed, 97 insertions(+), 411 deletions(-) delete mode 100644 pkg/prebuild/prepare.go delete mode 100644 pkg/prebuild/tools.go diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 780a4728..2417fb4e 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -5,21 +5,21 @@ dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus receive bus=system path=/org/bluez/hci@{int}{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=bluetoothd), + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} - member=UnregisterAgent + member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} peer=(name=org.bluez, label=bluetoothd), dbus send bus=system path=/org/bluez 
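Review bot: Adding `RegisterAgent` and `RequestDefaultAgent` to `org.bluez.AgentManager@{int}` in a shared abstraction lets every profile that includes it register itself as the default pairing agent, i.e. answer pairing and passkey confirmations for the adapter; `UnregisterAgent` alone did not carry that weight. If only the desktop Bluetooth applets need this, keeping the two members in their own profiles and leaving the abstraction at `member=UnregisterAgent` preserves least privilege; the same reasoning applies to the `org.freedesktop.DBus.Properties member=Set` rule on `/org/bluez/hci@{int}` added in the next hunk, which allows any includer to change adapter properties. If the widening is intended, a one-line comment above the rule naming which includers need it would make that decision visible.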
@@ -27,6 +27,11 @@
 member=RegisterProfile
 peer=(name=org.bluez, label=bluetoothd),
+ dbus send bus=system path=/org/bluez/hci@{int}
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name="{:*,org.bluez}", label=bluetoothd),
+
 dbus send bus=system path=/org/bluez/hci@{int}
 interface=org.bluez.BatteryProviderManager@{int}
 member=RegisterProfile
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index f6fbb547..d37f276b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -67,4 +67,9 @@
 member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
 peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=Updated
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower
index 93c1aefb..3d0963ae 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@@ -31,6 +31,11 @@
 member=Introspect
 peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ dbus receive bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member=DeviceAdded
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
 dbus receive bus=system path=/org/freedesktop/UPower/devices/*
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
index cf3ea112..b470033f 100644
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@@ -14,6 +14,7 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
+ include
 include
 capability dac_override,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index ceea47f3..038b4059 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -62,9 +62,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 @{bin}/nautilus rPx,
 @{bin}/snap rPUx,
- @{bin}/kreadconfig5 rPx,
- @{lib}/xdg-desktop-portal-validate-icon rPUx,
- @{open_path} rPx -> child-open,
+ @{bin}/kreadconfig5 rPx,
+ @{lib}/xdg-desktop-portal-validate-icon rPUx,
+ @{open_path} rPx -> child-open,
 / r,
 /.flatpak-info r,
diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper
index 2bef6ae7..5ba9ef54 100644
--- a/apparmor.d/groups/kde/kauth-kded-smart-helper
+++ b/apparmor.d/groups/kde/kauth-kded-smart-helper
@@ -9,8 +9,17 @@ include
 @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}kded-smart-helper
 profile kauth-kded-smart-helper @{exec_path} {
 include
+ include
+ include
 include
+ # dbus: own bus=system name=org.kde.kded.smart
+
+ dbus send bus=system path=/
+ interface=org.kde.kf5auth
+ member=remoteSignal
+ peer=(name=org.freedesktop.DBus, label=kded5),
+
 @{exec_path} mr,
 @{bin}/smartctl rPx,
@@ -18,4 +27,4 @@ profile kauth-kded-smart-helper @{exec_path} {
 /usr/share/icu/@{int}.@{int}/*.dat r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 76330e00..c266a925 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
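Review bot: `peer=(name=org.freedesktop.DBus, label=kded5)` in the new kauth-kded-smart-helper send rule names a peer label that does not match the receiving profile, which the kded hunks in this same series show as `profile kded @{exec_path}`; AppArmor matches `label=` against the profile name, so this rule would presumably not cover the remoteSignal delivery that the matching `dbus receive` rule in kded expects, and `label=kded` looks intended. The kded side uses `peer=(name=:*, label=kauth-kded-smart-helper)`, so the two rules also disagree on the peer name; unless the signal really is addressed to the bus daemon, aligning both sides (and adding a one-line comment saying which one triggered the denial) would make the pair easier to verify.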
@@ -34,14 +34,11 @@ profile kded @{exec_path} {
 signal (send) set=hup peer=xsettingsd,
- dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
- interface=org.freedesktop.NetworkManager.SecretAgent
- member=CancelGetSecrets
- peer=(label=NetworkManager),
+ # dbus: own bus=system name=com.redhat.NewPrinterNotification
 dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
 interface=org.freedesktop.NetworkManager.SecretAgent
- member=CancelGetSecrets
+ member={GetSecrets,CancelGetSecrets}
 peer=(label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int}
@@ -58,6 +55,30 @@ profile kded @{exec_path} {
 interface=org.freedesktop.NetworkManager.AgentManager
 peer=(label=NetworkManager),
+ dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
+ interface=org.freedesktop.NetworkManager.AgentManager
+ peer=(label=NetworkManager),
+
+ dbus send bus=system path=/org/freedesktop/bolt
+ interface=org.freedesktop.bolt1.Manager
+ member=ListDevices
+ peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
+
+ dbus send bus=system path=/org/freedesktop/bolt{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+ peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
+
+ dbus receive bus=system path=/
+ interface=org.kde.kf5auth
+ member=remoteSignal,
+ peer=(name=:*, label=kauth-kded-smart-helper),
+
+ dbus send bus=system path=/
+ interface=org.kde.kf5auth
+ member=performAction,
+ peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper),
+
 @{exec_path} mrix,
 @{bin}/kcminit rPx,
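Review bot: `# dbus: own bus=system name=com.redhat.NewPrinterNotification` is placed between the xsettingsd signal rule and the NetworkManager SecretAgent receive rule, where it reads as a comment describing the rule beneath it rather than a standalone ownership declaration. If this is one of the `dbus:` directives the build tooling expands, grouping it with the profile's other dbus ownership lines, or at least separating it with a blank line and a note such as `# printer-notification service name kded owns (not related to the NM secret agent rules below)`, would avoid that misreading.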
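Review bot: the new `dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager` rule has no `member=` and its interface and peer lines are identical to the three context lines directly above it, so it looks like a duplicate of the rule that ends there (that rule's first line is outside the hunk, so this is inferred). If the earlier rule is the same `send`, drop the new one; if it is a `receive`, the new send should be narrowed to the specific AgentManager methods kded actually calls instead of every method on the interface, with a comment naming them. The same pattern of a member-less send appears nowhere else in this hunk, which is why it stands out.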
@@ -139,7 +160,7 @@ profile kded @{exec_path} {
 owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
 owner @{user_config_dirs}/xsettingsd/{,**} rw,
- @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
+ owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
 owner @{user_share_dirs}/icc/{,edid-*} r,
 owner @{user_share_dirs}/kcookiejar/#@{int} rw,
 owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
@@ -200,3 +221,10 @@ profile kded @{exec_path} {
 include if exists
 }
+
+ALLOWED kded5 open owner @{user_cache_dirs}/update-manager-core/meta-release-lts comm=python3 requested_mask=r denied_mask=r
+ALLOWED kded5 open owner @{user_config_dirs}/kcmfonts comm=kded5 requested_mask=r denied_mask=r
+ALLOWED kded5 open owner @{user_config_dirs}/plasmavaultrc comm=kded5 requested_mask=r denied_mask=r
+ALLOWED kded5 open owner @{user_config_dirs}/touchpadxlibinputrc comm=kded5 requested_mask=r denied_mask=r
+ALLOWED kded5 open owner @{user_lib_dirs}/python3.10/site-packages/ comm=python3 requested_mask=r denied_mask=r
+ALLOWED kded5 open owner /tmp/#@{int} comm=python3 requested_mask=wr denied_mask=wr
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 4ae409ec..a1981e28 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -18,6 +18,8 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 signal (send) set=(usr1,term) peer=kscreenlocker-greet,
+ ptrace (read) peer=kbuildsycoca5,
+
 unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
 @{exec_path} mr,
@@ -36,10 +38,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes{5,6}/{,**} r,
- /etc/xdg/menus/applications-merged/ r,
+ /etc/xdg/menus/applications-merged/{,*} r,
 /etc/machine-id r,
 /etc/xdg/kscreenlockerrc r,
- /etc/xdg/menus/ r,
+ /etc/xdg/menus/{,*} r,
 /var/lib/flatpak/exports/share/mime/ r,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 9e1cf1a1..4afb95b0 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -47,6 +47,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{lib}/libheif/ r,
 @{lib}/libheif/{,**} mr,
 @{lib}/kf5/kioslave5 rPx,
+ @{lib}/kf6/kioworker rPx,
 @{lib}/kf5/kdesu{,d} rix,
 @{bin}/dolphin rPUx, # TODO: rPx,
 @{bin}/ksysguardd rix,
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings
index ad436e52..478dabbd 100644
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/systemsettings
 profile systemsettings @{exec_path} {
 include
+ include
 include
 include
 include
@@ -20,6 +21,8 @@ profile systemsettings @{exec_path} {
 @{bin}/kcminit rPx,
+ /usr/share/kglobalaccel/org.kde.krunner.desktop r,
+
 /usr/share/kcmkeys/{,*.kksrc} r,
 /usr/share/kcm_networkmanagement/{,**} r,
 /usr/share/kinfocenter/{,**} r,
 /usr/share/kpackage/{,**} r,
@@ -29,10 +32,14 @@ profile systemsettings @{exec_path} {
 /usr/share/plasma/{,**} r,
 /usr/share/sddm/themes/{,**} r,
 /usr/share/systemsettings/{,**} r,
+ /usr/share/kinfocenter/{,**} r,
+ /usr/share/sddm/themes/{,**} r,
+
+ /var/lib/flatpak/exports/share/mime/ r,
 /etc/fstab r,
 /etc/machine-id r,
- /etc/xdg/menus/ r,
+ /etc/xdg/menus/{,applications-merged/} r,
 /etc/xdg/ui/ui_standards.rc r,
 /var/lib/dbus/machine-id r,
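Review bot: `/usr/share/kinfocenter/{,**} r,` and `/usr/share/sddm/themes/{,**} r,` added in the third systemsettings hunk duplicate rules that are already present as context lines — `/usr/share/sddm/themes/{,**} r,` two lines above in the same hunk and `/usr/share/kinfocenter/{,**} r,` in the previous hunk — so both added lines can be dropped. `/var/lib/flatpak/exports/share/mime/ r,` is the only new read in that group and is fine on its own.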
@@ -48,12 +55,16 @@ profile systemsettings @{exec_path} {
 owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,
 owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/khotkeysrc r,
+ owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/plasmarc r,
 owner @{user_config_dirs}/kde.org/{,**} rwlk,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kinfocenterrc* rwlk,
 owner @{user_config_dirs}/systemsettingsrc.lock rwk,
 owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_share_dirs}/kservices5/{,ServiceMenus/} r,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index 1561e82c..fbdd9e74 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -45,6 +45,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 signal (receive) set=(int) peer=flatpak-portal,
 @{bin}/** rmix,
+ #aa:exec kioworker
 @{lib}/** rmix,
 /app/** rmix,
 /var/lib/flatpak/app/*/**/@{bin}/** rmix,
diff --git a/debian/changelog b/debian/changelog
index 4ba7f268..d9c267e7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+apparmor.d (0.1941-1) stable; urgency=medium
+
+ * Release 0.1941-1
+
+ -- Alexandre Pujol Sat, 02 Mar 2024 17:48:31 +0100
+
+apparmor.d (0.1941-1) stable; urgency=medium
+
+ * Release 0.1941-1
+
+ -- Alexandre Pujol Sat, 02 Mar 2024 17:45:31 +0100
+
 apparmor.d (0.001-1) stable; urgency=medium
 * Release 0.001-1
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
deleted file mode 100644
index 0b005802..00000000
--- a/pkg/prebuild/prepare.go
+++ /dev/null
@@ -1,249 +0,0 @@
-// apparmor.d - Full set of apparmor profiles
-// Copyright (C) 2023-2024 Alexandre Pujol
-// SPDX-License-Identifier: GPL-2.0-only
-
-package prebuild
-
-import (
- "fmt"
- "os"
- "path/filepath"
- "strings"
-
- "github.com/arduino/go-paths-helper"
- "github.com/roddhjav/apparmor.d/pkg/logging"
- "github.com/roddhjav/apparmor.d/pkg/util"
-)
-
-// Prepare the build directory with the following tasks
-var (
- Prepares = []PrepareFunc{
- Synchronise,
- Ignore,
- Merge,
- Configure,
- SetFlags,
- SetProfileSystemd,
- }
- PrepareMsg = map[string]string{
- "Synchronise": "Initialize a new clean apparmor.d build directory",
- "Ignore": "Ignore profiles and files from:",
- "Merge": "Merge all profiles",
- "Configure": "Set distribution specificities",
- "SetFlags": "Set flags on some profiles",
- "SetProfileSystemd": "Use the systemd unit file to set a profile for a given unit",
- "SetEarlySystemd": "Set systemd unit drop in files to ensure some service start after apparmor",
- "SetFullSystemPolicy": "Configure AppArmor for full system policy",
- }
-)
-
-type PrepareFunc func() ([]string, error)
-
-// Initialize a new clean apparmor.d build directory
-func Synchronise() ([]string, error) {
- res := []string{}
- dirs := paths.PathList{RootApparmord, Root.Join("root"), Root.Join("systemd")}
- for _, dir := range dirs {
- if err := dir.RemoveAll(); err != nil {
- return res, err
- }
- }
- for _, name := range []string{"apparmor.d", "root"} {
- if err := copyTo(paths.New(name), Root.Join(name)); err != nil {
- return res, err
- }
- }
- return res, nil
-}
-
-// Ignore profiles and files as defined in dists/ignore/
-func Ignore() ([]string, error) {
- res := []string{}
- for _, name := range []string{"main.ignore", Distribution + ".ignore"} {
- path := DistDir.Join("ignore", name)
- if !path.Exist() {
- continue
- }
- lines, _ := path.ReadFileAsLines()
- for _, line := range lines {
- if strings.HasPrefix(line, "#") || line == "" {
- continue
- }
- profile :=
Root.Join(line)
- if profile.NotExist() {
- files, err := RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(line))
- if err != nil {
- return res, err
- }
- for _, path := range files {
- if err := path.RemoveAll(); err != nil {
- return res, err
- }
- }
- } else {
- if err := profile.RemoveAll(); err != nil {
- return res, err
- }
- }
- }
- res = append(res, path.String())
- }
- return res, nil
-}
-
-// Merge all profiles in a new apparmor.d directory
-func Merge() ([]string, error) {
- res := []string{}
- dirToMerge := []string{
- "groups/*/*", "groups",
- "profiles-*-*/*", "profiles-*",
- }
-
- idx := 0
- for idx < len(dirToMerge)-1 {
- dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1]
- files, err := filepath.Glob(RootApparmord.Join(dirMoved).String())
- if err != nil {
- return res, err
- }
- for _, file := range files {
- err := os.Rename(file, RootApparmord.Join(filepath.Base(file)).String())
- if err != nil {
- return res, err
- }
- }
-
- files, err = filepath.Glob(RootApparmord.Join(dirRemoved).String())
- if err != nil {
- return []string{}, err
- }
- for _, file := range files {
- if err := paths.New(file).RemoveAll(); err != nil {
- return res, err
- }
- }
- idx = idx + 2
- }
- return res, nil
-}
-
-// Set the distribution specificities
-func Configure() ([]string, error) {
- res := []string{}
- switch Distribution {
- case "arch", "opensuse":
-
- case "ubuntu", "neon":
- debianOverwriteClean()
- if overwrite {
- profiles := getOverwriteProfiles()
- debianOverwrite(profiles)
- } else {
- if err := copyTo(DistDir.Join("ubuntu"), RootApparmord); err != nil {
- return res, err
- }
- }
- case "debian", "whonix":
- debianOverwriteClean()
-
- // Copy Debian specific abstractions
- if err := copyTo(DistDir.Join("ubuntu"), RootApparmord); err != nil {
- return res, err
- }
-
- default:
- return []string{}, fmt.Errorf("%s is not a supported distribution", Distribution)
-
- }
- return res, nil
-}
-
-// Set flags on some profiles according to
manifest defined in `dists/flags/`
-func SetFlags() ([]string, error) {
- res := []string{}
- for _, name := range []string{"main.flags", Distribution + ".flags"} {
- path := FlagDir.Join(name)
- if !path.Exist() {
- continue
- }
- lines, _ := path.ReadFileAsLines()
- for _, line := range lines {
- if strings.HasPrefix(line, "#") || line == "" {
- continue
- }
- manifest := strings.Split(line, " ")
- profile := manifest[0]
- file := RootApparmord.Join(profile)
- if !file.Exist() {
- logging.Warning("Profile %s not found", profile)
- continue
- }
-
- // If flags is set, overwrite profile flag
- if len(manifest) > 1 {
- flags := " flags=(" + manifest[1] + ") {"
- content, err := file.ReadFile()
- if err != nil {
- return res, err
- }
-
- // Remove all flags definition, then set manifest' flags
- out := regFlags.ReplaceAllLiteralString(string(content), "")
- out = regProfileHeader.ReplaceAllLiteralString(out, flags)
- if err := file.WriteFile([]byte(out)); err != nil {
- return res, err
- }
- }
- }
- res = append(res, path.String())
- }
- return res, nil
-}
-
-// Use the systemd unit file to set a profile for a given unit
-func SetProfileSystemd() ([]string, error) {
- return []string{}, copyTo(paths.New("systemd/default/"), Root.Join("systemd"))
-}
-
-// Set systemd unit drop in files to ensure some service start after apparmor
-func SetEarlySystemd() ([]string, error) {
- return []string{}, copyTo(paths.New("systemd/early/"), Root.Join("systemd"))
-}
-
-// Set AppArmor for (experimental) full system policy.
-// See https://apparmor.pujol.io/full-system-policy/
-func SetFullSystemPolicy() ([]string, error) {
- res := []string{}
- // Install full system policy profiles
- if err := copyTo(paths.New("apparmor.d/groups/_full/"), Root.Join("apparmor.d")); err != nil {
- return res, err
- }
-
- // Set systemd profile name
- path := RootApparmord.Join("tunables/multiarch.d/system")
- content, err := path.ReadFile()
- if err != nil {
- return res, err
- }
- out := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1)
- out = strings.Replace(out, "@{systemd_user}=unconfined", "@{systemd_user}=systemd-user", -1)
- if err := path.WriteFile([]byte(out)); err != nil {
- return res, err
- }
-
- // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution
- path = RootApparmord.Join("abstractions/gstreamer")
- content, err = path.ReadFile()
- if err != nil {
- return res, err
- }
- out = string(content)
- regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``})
- out = regFixConflictX.Replace(out)
- if err := path.WriteFile([]byte(out)); err != nil {
- return res, err
- }
-
- // Set systemd unit drop-in files
- return res, copyTo(paths.New("systemd/full/"), Root.Join("systemd"))
-}
diff --git a/pkg/prebuild/tools.go b/pkg/prebuild/tools.go
deleted file mode 100644
index 5550e73f..00000000
--- a/pkg/prebuild/tools.go
+++ /dev/null
@@ -1,145 +0,0 @@
-// apparmor.d - Full set of apparmor profiles
-// Copyright (C) 2023-2024 Alexandre Pujol
-// SPDX-License-Identifier: GPL-2.0-only
-
-package prebuild
-
-import (
- "os"
- "strings"
-
- "github.com/arduino/go-paths-helper"
- "golang.org/x/exp/slices"
-)
-
-var (
- osReleaseFile = "/etc/os-release"
- supportedDists = map[string][]string{
- "arch": {},
- "debian": {},
- "ubuntu": {"ubuntu", "neon"},
- "opensuse": {"suse", "opensuse-tumbleweed"},
- "whonix": {},
- }
-)
-
-func NewOSRelease() map[string]string {
- var lines []string
- var err error
- for _, name := range []string{osReleaseFile, "/usr/lib/os-release"} {
- path := paths.New(name)
- if path.Exist() {
- lines, err = path.ReadFileAsLines()
- if err != nil {
- panic(err)
- }
- break
- }
- }
- os := map[string]string{}
- for _, line := range lines {
- item := strings.Split(line, "=")
- if len(item) == 2 {
- os[item[0]] = strings.Trim(item[1], "\"")
- }
- }
- return os
-}
-
-func getSupportedDistribution() string {
- dist, present := os.LookupEnv("DISTRIBUTION")
- if present {
- return dist
- }
-
- os := NewOSRelease()
- id := os["ID"]
- if id == "ubuntu" {
- return id
- }
- if id == "neon" {
- return "ubuntu"
- }
- id_like := os["ID_LIKE"]
- for main, based := range supportedDists {
- if main == id || main == id_like {
- return main
- } else if slices.Contains(based, id) {
- return main
- } else if slices.Contains(based, id_like) {
- return main
- }
- }
- return id
-}
-
-func copyTo(src *paths.Path, dst *paths.Path) error {
- files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md"))
- if err != nil {
- return err
- }
- for _, file := range files {
- destination, err := file.RelFrom(src)
- if err != nil {
- return err
- }
- destination = dst.JoinPath(destination)
- if err := destination.Parent().MkdirAll(); err != nil {
- return err
- }
- if err := file.CopyTo(destination); err != nil {
- return err
- }
- }
- return nil
-}
-
-//
Overwrite upstream profile: rename our profile & hide upstream
-func debianOverwrite(files []string) {
- const ext = ".apparmor.d"
- file, err := paths.New("debian/apparmor.d.hide").Append()
- if err != nil {
- panic(err)
- }
- for _, name := range files {
- origin := RootApparmord.Join(name)
- dest := RootApparmord.Join(name + ext)
- if err := origin.Rename(dest); err != nil {
- panic(err)
- }
- if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil {
- panic(err)
- }
- }
-}
-
-// Clean the debian/apparmor.d.hide file
-func debianOverwriteClean() {
- const debianHide = `# This file is generated by "make", all edit will be lost.
-
-/etc/apparmor.d/usr.bin.firefox
-/etc/apparmor.d/usr.sbin.cups-browsed
-/etc/apparmor.d/usr.sbin.cupsd
-/etc/apparmor.d/usr.sbin.rsyslogd
-`
- path := paths.New("debian/apparmor.d.hide")
- if err := path.WriteFile([]byte(debianHide)); err != nil {
- panic(err)
- }
-}
-
-// Get the list of upstream profiles to overwrite from dist/overwrite
-func getOverwriteProfiles() []string {
- res := []string{}
- lines, err := DistDir.Join("overwrite").ReadFileAsLines()
- if err != nil {
- panic(err)
- }
- for _, line := range lines {
- if strings.HasPrefix(line, "#") || line == "" {
- continue
- }
- res = append(res, line)
- }
- return res
-}
From c40bdcece7e01e1e1be635e5ea3799ce280e5b11 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sun, 28 Apr 2024 16:15:00 +0200
Subject: [PATCH 4/5] Remove temp
Signed-off-by: Jeroen Rijken
---
 apparmor.d/groups/kde/kded | 7 -------
 debian/changelog | 12 ------------
 2 files changed, 19 deletions(-)
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index c266a925..46fcd5df 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -221,10 +221,3 @@ profile kded @{exec_path} {
 include if exists
 }
-
-ALLOWED kded5 open owner @{user_cache_dirs}/update-manager-core/meta-release-lts comm=python3 requested_mask=r denied_mask=r
-ALLOWED kded5 open owner @{user_config_dirs}/kcmfonts comm=kded5 requested_mask=r denied_mask=r
-ALLOWED kded5 open owner @{user_config_dirs}/plasmavaultrc comm=kded5 requested_mask=r denied_mask=r
-ALLOWED kded5 open owner @{user_config_dirs}/touchpadxlibinputrc comm=kded5 requested_mask=r denied_mask=r
-ALLOWED kded5 open owner @{user_lib_dirs}/python3.10/site-packages/ comm=python3 requested_mask=r denied_mask=r
-ALLOWED kded5 open owner /tmp/#@{int} comm=python3 requested_mask=wr denied_mask=wr
diff --git a/debian/changelog b/debian/changelog
index d9c267e7..4ba7f268 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,15 +1,3 @@
-apparmor.d (0.1941-1) stable; urgency=medium
-
- * Release 0.1941-1
-
- -- Alexandre Pujol Sat, 02 Mar 2024 17:48:31 +0100
-
-apparmor.d (0.1941-1) stable; urgency=medium
-
- * Release 0.1941-1
-
- -- Alexandre Pujol Sat, 02 Mar 2024 17:45:31 +0100
-
 apparmor.d (0.001-1) stable; urgency=medium
 * Release 0.001-1
From e8eadcc7ecc4060d402b5649d4037547ffdb403c Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sun, 28 Apr 2024 16:25:37 +0200
Subject: [PATCH 5/5] Cleanup
Signed-off-by: Jeroen Rijken
---
 apparmor.d/groups/kde/kded | 6 +++---
 apparmor.d/groups/kde/plasmashell | 2 --
 apparmor.d/groups/kde/sddm-xsession | 2 +-
 apparmor.d/profiles-a-f/flatpak-app | 4 +---
 4 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 46fcd5df..be586349 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -66,17 +66,17 @@ profile kded @{exec_path} {
 dbus send bus=system path=/org/freedesktop/bolt{,/**}
 interface=org.freedesktop.DBus.Properties
- member=Get,
+ member=Get
 peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
 dbus receive bus=system path=/
 interface=org.kde.kf5auth
- member=remoteSignal,
+ member=remoteSignal
 peer=(name=:*, label=kauth-kded-smart-helper),
 dbus send bus=system path=/
 interface=org.kde.kf5auth
- member=performAction,
+ member=performAction
 peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper),
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 4afb95b0..dc64e6be 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -46,8 +46,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{lib}/libheif/ r,
 @{lib}/libheif/{,**} mr,
- @{lib}/kf5/kioslave5 rPx,
- @{lib}/kf6/kioworker rPx,
 @{lib}/kf5/kdesu{,d} rix,
 @{bin}/dolphin rPUx, # TODO: rPx,
 @{bin}/ksysguardd rix,
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index 393f1cf4..52f0903b 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@@ -66,7 +66,7 @@ profile sddm-xsession @{exec_path} {
 @{HOME}/tmp.* rw,
 @{system_share_dirs}/im-config/data/{,*} r,
- @{system_share_dirs}/im-config/xinputrc.common
+ @{system_share_dirs}/im-config/xinputrc.common r,
 owner @{user_share_dirs}/sddm/xorg-session.log w,
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index fbdd9e74..3acff92b 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -45,7 +45,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 signal (receive) set=(int) peer=flatpak-portal,
 @{bin}/** rmix,
- #aa:exec kioworker
 @{lib}/** rmix,
 /app/** rmix,
 /var/lib/flatpak/app/*/**/@{bin}/** rmix,
@@ -56,8 +55,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
 @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy,
- @{lib}/kf5/kioslave5 rPx,
- @{lib}/kf6/kioworker rPx,
+ #aa:exec kioworker
 /var/lib/flatpak/app/{,**} r,