From e845a172c2d204d5bbebf20e817b5a631123eca9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 26 Apr 2022 22:05:29 +0100 Subject: [PATCH] feat: update profiles. --- apparmor.d/groups/browsers/firefox | 1 + apparmor.d/groups/bus/ibus-dconf | 1 + .../gnome/evolution-addressbook-factory | 2 +- .../groups/gnome/evolution-calendar-factory | 2 +- .../groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gdm-wayland-session | 16 +++++++------- apparmor.d/groups/gnome/gjs-console | 5 +---- apparmor.d/groups/gnome/gnome-calendar | 2 ++ apparmor.d/groups/gnome/gnome-contacts | 2 +- apparmor.d/groups/gnome/gnome-control-center | 9 +++----- .../gnome/gnome-control-center-print-renderer | 10 +++------ apparmor.d/groups/gnome/gnome-disks | 5 ++--- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-music | 11 +++++----- apparmor.d/groups/gnome/gnome-session-binary | 9 +++----- apparmor.d/groups/gnome/gnome-shell | 5 +---- apparmor.d/groups/gnome/nautilus | 8 +++---- apparmor.d/groups/gnome/seahorse | 4 ++-- apparmor.d/groups/gpg/gpg-agent | 16 +++++++------- apparmor.d/groups/gvfs/gvfsd-trash | 22 +++++++++---------- apparmor.d/groups/pacman/pacman | 6 +++-- apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-udevd | 10 ++++----- apparmor.d/profiles-a-f/atd | 1 + apparmor.d/profiles-a-f/etckeeper | 12 +++++----- apparmor.d/profiles-m-r/mandb | 2 +- apparmor.d/profiles-m-r/mount | 12 +++------- apparmor.d/profiles-s-z/sudo | 1 + 28 files changed, 84 insertions(+), 96 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 260c3b26..6fe7210b 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -96,6 +96,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /etc/firefox/{,**} r, /etc/fstab r, + /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, /etc/mailcap r, /etc/mime.types r, 
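Review bot: `/etc/igfx_user_feature{,_next}.txt w,` in the firefox hunk grants a browser write access to files under /etc, which is a wider privilege than the rest of this profile's /etc rules (all `r`) suggest it needs; the rule appears to exist only to quiet a graphics driver that tries to write its feature file. If that driver tolerates the refused write, `deny /etc/igfx_user_feature{,_next}.txt w,` silences the audit noise without allowing the write. If the write genuinely has to be allowed, a comment above the rule such as `# written by the Intel graphics driver loaded into the browser` would tell the next reader why a browser profile writes to /etc.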
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 895a174e..562dde20 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -31,6 +31,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.cache/dconf/ w, + /var/lib/gdm/.cache/dconf/user rw, /var/lib/gdm/.config/dconf/user rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index a5b62015..80c000eb 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/evolution-addressbook-factory profile evolution-addressbook-factory @{exec_path} { include + include include include include @@ -26,7 +27,6 @@ profile evolution-addressbook-factory @{exec_path} { owner @{user_share_dirs}/evolution/{,**} rwk, owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 2c813671..a62f2048 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/evolution-calendar-factory profile evolution-calendar-factory @{exec_path} { include + include include include include @@ -28,7 +29,6 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, 
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index bc845688..c9ee74c5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/evolution-source-registry profile evolution-source-registry @{exec_path} { include + include include include include @@ -27,7 +28,6 @@ profile evolution-source-registry @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/{,**} rwk, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 76ead06c..c2e0d559 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} { include include include + include include include @@ -22,11 +23,11 @@ profile gdm-wayland-session @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/zsh rix, - /{usr/,}bin/tty rix, - /{usr/,}bin/grep rix, /{usr/,}bin/gnome-session rix, + /{usr/,}bin/grep rix, /{usr/,}bin/gsettings rix, + /{usr/,}bin/tty rix, + /{usr/,}bin/zsh rix, /{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/dbus-run-session rPx, @@ -42,14 +43,13 @@ profile gdm-wayland-session @{exec_path} { @{run}/gdm/custom.conf r, + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + @{run}/gdm/custom.conf r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - # file_inherit /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index abec60de..f6ff3f02 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
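Review bot: In the `@@ -42,14 +43,13 @@` hunk of gdm-wayland-session the added `@{run}/gdm/custom.conf r,` duplicates the identical context line two lines above it, so the new side carries the same rule twice; drop the added copy. The same hunk also deletes the `# file_inherit` comment while keeping `/dev/tty[0-9]* rw,`, which leaves that rule without the note explaining why a session launcher holds a tty; keep the comment next to the rule. The enclosing profile block starts before the hunk.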
@@ -18,6 +18,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -32,7 +33,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/egl/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/gnome-shell/{,**} r, /usr/share/X11/xkb/** r, @@ -49,9 +49,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, - @{sys}/devices/pci[0-9]*/**/drm/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, @{sys}/devices/pci[0-9]*/**/revision r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 43801fa1..01270d59 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -29,5 +29,7 @@ profile gnome-calendar @{exec_path} { owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + @{PROC}/sys/dev/i915/perf_stream_paranoid r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index abe956d3..fd682a6b 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -18,13 +18,13 @@ profile gnome-contacts @{exec_path} { include include include + include network netlink raw, @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/applications/{,*.desktop} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 29e78d17..0321848a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center 
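Review bot: `@{PROC}/sys/dev/i915/perf_stream_paranoid r,` is added to gnome-calendar as a one-off path while the same commit removes that exact rule from gnome-session-binary, which instead gains a new include in its header hunk. If the abstraction being included there covers this sysctl, gnome-calendar should include the same abstraction rather than carry the path directly, so graphics-related rules stay in one place. If the direct rule is kept, a short comment naming the component that reads this sysctl would help a later reviewer decide whether it is still needed.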
+++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,6 +10,7 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -20,6 +21,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -36,13 +38,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/locale rix, /{usr/,}bin/openvpn rPx, /{usr/,}bin/passwd rPx, + /{usr/,}lib/gnome-control-center-goa-helper rPx, /{usr/,}lib/gnome-control-center-print-renderer rPx, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/backgrounds/gnome/* r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/gnome-background-properties/{,**} r, /usr/share/gnome-bluetooth/{,**} r, /usr/share/gnome-color-manager/{,**} r, @@ -74,10 +76,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, @{run}/systemd/users/@{uid} r, @@ -98,9 +98,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/input/ r, @{sys}/devices/**/{name,vendor,product,uevent} r, - @{sys}/devices/pci[0-9]*/**/drm/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, @{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, 
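Review bot: `/{usr/,}lib/gnome-control-center-goa-helper rPx,` in the `@@ -36,13 +38,13 @@` hunk requires a loaded profile named gnome-control-center-goa-helper, and this commit's diffstat adds no such file; if the profile does not already exist in the tree, the transition is refused and the helper fails to start. Either add the profile in the same change or use `/{usr/,}lib/gnome-control-center-goa-helper rPUx,` until it exists, as the sudo and systemd-udevd profiles in this commit do for helpers without their own profile.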
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index beaf1999..05523460 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,18 +9,19 @@ include @{exec_path} = /{usr/,}lib/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include + include include include include include include include + include @{exec_path} mr, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/icons/{,**} r, /usr/share/mime/mime.cache r, /usr/share/pixmaps/{,**} r, @@ -31,15 +32,10 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{user_share_dirs}/icons/{,**} r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, - @{sys}/devices/pci[0-9]*/**/drm/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, @{sys}/devices/pci[0-9]*/**/revision r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index b3b6e7fc..a1b86d6e 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -9,20 +9,19 @@ include @{exec_path} = /{usr/,}bin/gnome-disks profile gnome-disks @{exec_path} { include + include include - include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, include if exists } \ No newline at end of file 
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index f40b5d2c..8a585a81 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -31,7 +31,7 @@ profile gnome-keyring-daemon @{exec_path} { owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, - @{PROC}/[0-9]*/fd/ r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 5efb5434..5184c079 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -10,13 +10,16 @@ include profile gnome-music @{exec_path} { include include + include include include + include include include include include include + include network inet stream, network inet6 stream, @@ -44,14 +47,12 @@ profile gnome-music @{exec_path} { owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r, - owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, - - @{run}/systemd/inhibit/[0-9]*.ref rw, - - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, + + owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 819497c3..df61111c 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -13,6 +13,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, 
@@ -73,7 +74,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/applications/{,**} r, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_config_dirs}/autostart/{,*.desktop} r, owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, @@ -86,9 +86,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - - /tmp/.ICE-unix/[0-9]* rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, @@ -98,6 +95,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, + /tmp/.ICE-unix/[0-9]* rw, + @{sys}/devices/**/{vendor,device} r, @{sys}/devices/pci[0-9]*/**/revision r, @@ -106,9 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/cmdline r, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, - /dev/null r, /dev/tty rw, /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index db59b51a..a7de2557 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -22,6 +22,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, capability sys_ptrace, @@ -51,7 +52,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/gnome-shell/{,**} r, /usr/share/libgweather/Locations.xml r, /usr/share/libinput/ r, 
@@ -158,9 +158,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, - @{sys}/devices/pci[0-9]*/**/drm/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, @{sys}/devices/pci[0-9]*/**/revision r, owner @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5c9a2a16..12019bf1 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -44,10 +44,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pids}/net/wireless r, - @{run}/mount/utab r, @{run}/systemd/userdb/ r, @@ -56,6 +52,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pids}/net/wireless r, + /dev/tty rw, /dev/dri/card[0-9]* rw, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 51315688..a9a36e9b 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/seahorse profile seahorse @{exec_path} { include + include include include include @@ -24,11 +25,10 @@ profile seahorse @{exec_path} { # Seahorse and SSH keys owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/[0-9]*/fd/ r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 3b7dcea6..38ba5378 100644 
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -26,53 +26,53 @@ profile gpg-agent @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
 owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
- owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
 owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw,
 owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
 owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
 owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
- owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,
 owner @{run}/user/@{uid}/gnupg/ rw,
 owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
 owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
 owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
- owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{run}/user/@{uid}/gnupg/sshcontrol r,
 owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
 owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
 owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
 owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
- owner @{user_tmp_dirs}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw, - owner /var/lib/*/.gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, - owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/gnupg/sshcontrol r, owner /tmp/tmp.*/gnupg/ rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, - owner /tmp/tmp.*/gnupg/S.gpg-agent rw, + owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, owner /tmp/tmp.*/gnupg/sshcontrol r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 545f5a3d..196a07e8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,8 +11,8 @@ include @{exec_path} += @{libexec}/gvfsd-trash profile gvfsd-trash @{exec_path} { include - include include + include include # When mounting a SMB share 
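Review bot: The rewritten `owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,` is the only socket rule in this gpg-agent hunk without the `{,.ssh,.browser,.extra}` alternation that every sibling rule carries, so the ssh, browser and extra sockets remain uncovered for that directory. Since the line is being touched anyway, make it `owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,` unless the omission is deliberate, in which case a comment should say so. The enclosing profile block starts before the hunk.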
@@ -21,17 +21,17 @@ profile gvfsd-trash @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - @{run}/mount/utab r, - - owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-* rw, - # Can restore all user files owner @{HOME}/{,**} rw, owner @{MOUNTS}/*/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-* rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index facdc583..78909b73 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -37,6 +37,8 @@ profile pacman @{exec_path} { unix (receive) type=stream, + ptrace (read), + @{exec_path} mr, /{usr/,}bin/gpg rCx -> gpg, @@ -117,10 +119,10 @@ profile pacman @{exec_path} { owner /tmp/checkup-db-[0-9]*/db.lck rw, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, + @{PROC}/sys/kernel/osrelease r, @{run}/utmp rk, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 6566ad3b..fbed03e5 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -43,7 +43,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c10:224 r, # for /dev/tpm0 - @{run}/udev/data/c243:0 r, + @{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+pci:* r, @{run}/udev/data/+hid:* r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 5f2020af..196007a5 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd 
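Review bot: `ptrace (read),` in the `@@ -37,6 +37,8 @@` hunk of pacman carries no `peer=` qualifier, so the package manager may introspect every process on the system; combined with the widened `@{PROC}/@{pids}/stat r,` in the next hunk, which replaces the owner-scoped `@{pid}` rule, this is a real broadening for a profile that previously only looked at itself. If the consumer is known (a hook that inspects running processes, say), scope it as `ptrace (read) peer=<target-profile>,` and add a comment above both rules naming that hook; otherwise please document why unrestricted read of other processes is required.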
@@ -49,11 +49,11 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { /{usr/,}{s,}bin/* rPUx, - /{usr/,}lib/udev/* rPUx, - /{usr/,}lib/systemd/systemd-* rPUx, - /{usr/,}lib/crda/* rPUx, - - /{usr,/}lib/pm-utils/power.d/* rPUx, + /{usr/,}lib/udev/* rPUx, + /{usr/,}lib/systemd/systemd-* rPx, + /{usr/,}lib/crda/* rPUx, + /{usr/,}lib/gdm-runtime-config rPx, + /{usr,/}lib/pm-utils/power.d/* PUx, /usr/share/hplip/config_usb_printer.py rPUx, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 8521bab8..a25a1159 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -14,6 +14,7 @@ profile atd @{exec_path} { capability audit_write, capability chown, + capability dac_override, capability dac_read_search, capability setgid, capability setuid, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index d578d0a1..79756895 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/etckeeper profile etckeeper @{exec_path} { include + include include capability dac_read_search, @@ -20,20 +21,23 @@ profile etckeeper @{exec_path} { /{usr/,}bin/{,e}grep rix, /{usr/,}bin/chmod rix, /{usr/,}bin/cut rix, + /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/find rix, /{usr/,}bin/getent rix, /{usr/,}bin/git* rix, - /{usr/,}lib/git-core/git* rix, /{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/hostname rix, + /{usr/,}bin/mkdir rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/perl rix, + /{usr/,}bin/ps rPx, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/sort rix, /{usr/,}bin/tty rix, /{usr/,}bin/uniq rix, /{usr/,}bin/whoami rix, + /{usr/,}lib/git-core/git* rix, /etc/.git/hooks/* rix, /etc/etckeeper/*.d/* rix, @@ -42,6 +46,8 @@ profile etckeeper @{exec_path} { /etc/ rw, /etc/** rwkl -> /etc/**, + /var/cache/etckeeper/{,**} rw, + owner @{HOME}/.gitconfig* r, owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, 
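Review bot: `/{usr,/}lib/pm-utils/power.d/* PUx,` is rewritten but keeps the `{usr,/}` brace typo, which expands to `/usrlib/...` and `//lib/...` and so never matches `/usr/lib/pm-utils/power.d/`; it also drops the leading `r` that every other exec rule in this hunk has. It should read `/{usr/,}lib/pm-utils/power.d/* rPUx,`. Note too that `systemd-*` moves from `rPUx` to `rPx` and `gdm-runtime-config` is added as `rPx`: both now require a loaded profile for each binary they cover, and any udev-spawned helper without one is denied instead of falling back to unconfined.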
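Review bot: `capability dac_override,` is added to atd without a comment; unlike the `dac_read_search` already present it bypasses write as well as read permission checks, so it is the more consequential of the two for a daemon that runs user-supplied jobs. Add a one-line comment above it, e.g. `# needed for <spool operation from the audit log>`, naming the operation that required it so a later reviewer can judge whether the grant is still needed.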
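Review bot: `/{usr/,}bin/dpkg-query rpx,` in the `@@ -20,20 +21,23 @@` hunk of etckeeper uses lowercase `p`, an exec transition that does not scrub the environment, whereas the other profile transition added in the same hunk (`/{usr/,}bin/ps rPx,`) and the rest of this tree use uppercase. Unless dpkg-query genuinely needs etckeeper's environment, change it to `/{usr/,}bin/dpkg-query rPx,`; and since `P` requires a dpkg-query profile to exist, use `rPUx` if none is loaded yet.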
@@ -61,11 +67,7 @@ profile etckeeper @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{PROC}/@{pid}/fd/ r, - owner @{user_config_dirs}/dotfiles/@{XDG_GPG_DIR}/** rwkl, # to remove, to depracate - - # owner /tmp/.git_vtag_tmp* r, - # deny @{user_share_dirs}/gvfs-metadata/* r, } include if exists diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 24d0a66d..c2b04c09 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -30,7 +30,7 @@ profile mandb @{exec_path} flags=(complain) { /usr/{,/share}/man/{,**} r, /usr/local/{,/share/}/man/{,**} r, - /usr/share/*/man/man[0-9]*/*.[0-9]*.gz r, + /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r, include if exists } diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 5d3647f4..fe13d31a 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -14,17 +14,11 @@ profile mount @{exec_path} flags=(complain) { include capability chown, - - # To be able to mount anything - # mount("/dev/sdb1", "/mnt", "ext4", 0, NULL) = -1 EPERM (Operation not permitted) - # write(2, "/mnt: permission denied.", 24) = 24 - capability sys_admin, - - # For NTFS mounts + capability dac_read_search, capability setgid, capability setuid, - - capability dac_read_search, + capability sys_admin, + capability sys_rawio, mount, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index c80f4638..c5a7aed5 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -47,6 +47,7 @@ profile sudo @{exec_path} { @{PATH}/[a-z0-9]* rPUx, /{usr/,}lib/cockpit/cockpit-askpass rPUx, + /{usr/,}lib/molly-guard/molly-guard rPx, /etc/environment r, /etc/machine-id r,
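Review bot: `capability sys_rawio,` is added to mount with no explanation, while the same hunk deletes the comments that justified `sys_admin` (the strace excerpt) and `setgid`/`setuid` (`# For NTFS mounts`), so the profile ends up with a strictly larger capability set and less documentation of why. Keep a short why-comment per capability, e.g. `# sys_rawio: <operation from the audit log that needed it>`, rather than a bare sorted list. The profile is still `flags=(complain)`, so none of these grants is enforced yet; the comments are the only record of which ones were confirmed.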
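Review bot: `/{usr/,}lib/molly-guard/molly-guard rPx,` in sudo requires a loaded molly-guard profile; this commit's diffstat adds none, and the neighbouring `cockpit-askpass` helper uses `rPUx`. If a molly-guard profile already exists in the tree this is fine; otherwise sudo's exec of that binary is denied, and `/{usr/,}lib/molly-guard/molly-guard rPUx,` (or adding the profile in the same change) is the safer option.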