From e7fbf5fbef6b1e0b575552e8619f5c0a74e3ac81 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 15 Oct 2022 18:03:23 +0100
Subject: [PATCH] feat(profiles): better ubuntu integration.
---
 apparmor.d/groups/bus/ibus-daemon | 3 +-
 apparmor.d/groups/freedesktop/colord | 5 +++
 apparmor.d/groups/gnome/gnome-shell | 4 +++
 apparmor.d/profiles-m-r/mission-control | 2 --
 apparmor.d/profiles-m-r/packagekitd | 43 +++++++++++++++++++++++--
 apparmor.d/profiles-s-z/snapd | 2 ++
 6 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index e95977c8..d013b41d 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -45,8 +45,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}lib/ibus/ibus-* rPx,
 @{libexec}/ibus-* rPx,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}lib/ibus/ibus-* rPx,
 /usr/share/ibus/{,**} r,
 /usr/share/ibus-table/tables/ r,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index c6177d79..71d92b16 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -44,6 +44,11 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 member=GetAll
 peer=(name=:*, label="{gsd-color,colord-sane,gnome-control-center}"),
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=colord),
+
 dbus bind bus=system name=org.freedesktop.ColorManager,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index baf833e1..84fa67f3 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
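Review bot: `/{usr/,}bin/{,ba,da}sh rix,` runs a shell under the ibus-daemon profile itself, so whatever that shell goes on to execute also inherits ibus-daemon's permissions, and nothing in the hunk records which helper needs a shell. A comment on the line would stop a later reviewer from silently dropping or widening it, e.g. `/{usr/,}bin/{,ba,da}sh rix, # TODO: name the ibus helper/wrapper that needs a shell`. If the shell only exists to launch the ibus-* helpers that already transition with rPx, a narrower rule may be possible, but that cannot be confirmed from this hunk. The enclosing profile block starts and ends outside the hunk.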
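Review bot: The new colord rule sends org.freedesktop.DBus.Properties GetAll on /org/freedesktop/ColorManager to a peer labelled `colord`, i.e. to a process under this same profile, which reads like a self-call and is easy to mistake for a duplicate of the rule above it. If this is colord querying its own exported object over the bus, a one-line comment such as `# colord reads its own ColorManager properties over the bus` would make the intent explicit; if the intended peer is a different service, the label is wrong. The enclosing profile block starts and ends outside the hunk.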
@@ -198,6 +198,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 member=JobRemoved
 peer=(name=:*),
+ dbus send bus=system path=/org/freedesktop/login[0-9]{,/**}
+ interface=org.freedesktop.{DBus.Properties,login[0-9].{Manager,Session}}
+ peer=(name=:*, label=systemd-logind),
+
 dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
 interface=org.gnome.Mutter.DisplayConfig
 member={GetResources,GetCrtcGamma}
diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control
index d50ad958..436ebd75 100644
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@@ -14,8 +14,6 @@ profile mission-control @{exec_path} {
 network netlink raw,
 @{exec_path} mr,
- @{libexec}/* rPUx, # FIXME: Needed ?
-
 /usr/share/telepathy/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index a3f7c235..21db8fb7 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -6,12 +6,16 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/packagekitd
+@{exec_path} = @{libexec}/packagekitd
 profile packagekitd @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 include
+ include
+ include if exists
+
+ capability sys_nice,
 network inet stream,
 network inet6 stream,
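Review bot: The new logind rule grants gnome-shell every method on the `login[0-9].{Manager,Session}` interfaces plus all `DBus.Properties` calls, because unlike the neighbouring rules (`member=JobRemoved`, `member={GetResources,GetCrtcGamma}`) it carries no `member=`. gnome-shell does legitimately talk to logind, but if the members it actually calls are known from the denials that motivated this change, listing them as `member={...}` would keep this rule at the same granularity as the rest of the profile; if the set is genuinely open-ended, a comment saying so is the next best thing. The enclosing profile block starts and ends outside the hunk.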
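Review bot: `capability sys_nice,` is a new kernel capability for packagekitd with no comment on what the daemon does with it, and in this rendering the targets of the new `include` and `include if exists` lines have been stripped (the angle-bracketed names are missing), so what those includes add to the profile cannot be reviewed from the page. Suggest recording the reason inline, e.g. `capability sys_nice, # <reason from the audit denial that motivated it>`, so the grant does not survive unexplained once the Ubuntu-specific need goes away. The enclosing profile block ends outside the hunk.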
@@ -19,8 +23,42 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network netlink raw,
+ dbus receive bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=:*, label=gnome-shell),
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=NetworkManager),
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=CheckPermissions
+ peer=(name=:*, label=NetworkManager),
+
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=polkitd),
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=Changed
+ peer=(name=:*, label=polkitd),
+
+ dbus bind bus=system name= org.freedesktop.PackageKit,
+
 @{exec_path} mr,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+
 /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/gpgconf rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
@@ -42,6 +80,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/systemd/users/@{uid} r,
 @{PROC}/@{pids}/cgroup r,
+ owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 profile gpg {
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index f16c2042..7a97089a 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -27,6 +27,7 @@ profile snapd @{exec_path} {
 capability setgid,
 capability setuid,
 capability sys_admin,
+ capability sys_ptrace,
 capability sys_resource,
 network inet stream,
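Review bot: `dbus bind bus=system name= org.freedesktop.PackageKit,` has a stray space after `name=`, unlike every other bind rule in this patch (compare the colord one); whether apparmor_parser tolerates that I cannot confirm from here, so it should simply read `dbus bind bus=system name=org.freedesktop.PackageKit,`. The first new rule, `dbus receive ... path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Properties peer=(..., label=gnome-shell)`, sets no `member=` and so also admits `Set`, while the other Properties rules in the hunk pin `member=GetAll`; if only reads are observed, `member={Get,GetAll}` would match them. There are also two consecutive blank lines before the PolicyKit send rule where the rest of the hunk uses one. The enclosing profile block starts and ends outside the hunk.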
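Review bot: `capability sys_ptrace,` is a broad grant added to snapd without a comment, and its effective scope in this profile is set by the ptrace rules; the companion `ptrace (read) peer=snap,` added in the next hunk (@@ -39,6) limits it to read-only inspection of processes labelled `snap`, which is what makes the capability reasonable. Pairing the two with a comment, e.g. `capability sys_ptrace, # read-only inspection of snap-labelled processes, see the ptrace rules below`, keeps that intent visible when either line is edited on its own later. The enclosing profile block starts and ends outside both hunks.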
@@ -39,6 +40,7 @@ profile snapd @{exec_path} {
 umount /tmp/syscheck-mountpoint-[0-9]*/,
 umount /snap/*/[0-9]*/,
+ ptrace (read) peer=snap,
 ptrace (read) peer=unconfined,
 dbus send bus=system path=/org/freedesktop/timedate1