feat(opensuse): final opensuse integration.

Alexandre Pujol 2023-02-04 23:55:14 +00:00
parent 609097ef27
commit e93e80ee20
20 changed files with 80 additions and 32 deletions


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -17,7 +18,7 @@ profile gpgconf @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/gpg-connect-agent rPx, /{usr/,}bin/gpg-connect-agent rPx,
/{usr/,}bin/gpg rPUx, /{usr/,}bin/gpg{,2} rPUx,
/{usr/,}bin/gpg-agent rPx, /{usr/,}bin/gpg-agent rPx,
/{usr/,}bin/dirmngr rPx, /{usr/,}bin/dirmngr rPx,
/{usr/,}bin/gpgsm rPx, /{usr/,}bin/gpgsm rPx,
@ -25,6 +26,8 @@ profile gpgconf @{exec_path} {
/{usr/,}bin/pinentry-* rPx, /{usr/,}bin/pinentry-* rPx,
/etc/gcrypt/hwf.deny r,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/ w,
owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**, owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**,
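Review bot: The new `/etc/gcrypt/hwf.deny r,` rule is added file by file here, in the gpgsm hunk and in the packagekitd gpg rules, while the other GnuPG components executed from this profile (gpg, gpg-agent, dirmngr, scdaemon) presumably consult the same libgcrypt file and will surface the same denial one at a time. Moving the rule into a shared abstraction that every GnuPG-related profile includes would keep the profiles consistent instead of repeating it per profile. The gpgconf profile's body continues outside the hunk.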


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -15,6 +16,8 @@ profile gpgsm @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/gcrypt/hwf.deny r,
deny /usr/bin/.gnupg/ w, deny /usr/bin/.gnupg/ w,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,


@ -11,6 +11,8 @@ profile localectl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability net_admin,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager,
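Review bot: `capability net_admin,` is granted to localectl without any indication of which operation needs it, and the same applies to `capability syslog,` in the systemd-tmpfiles hunk and `capability setpcap,` in the irqbalance hunk. A one-line comment naming the triggering denial (e.g. `# net_admin: <audit operation — fill in>`) would let a later reader judge whether the grant is still required. If the trigger is a setsockopt that systemd falls back from on failure (SO_SNDBUFFORCE then SO_SNDBUF is the usual case), the denial is harmless and `deny capability net_admin,` silences the audit log without widening the profile — worth confirming from the audit line before keeping the grant. The localectl profile's body continues outside the hunk.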


@ -35,6 +35,12 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/.#hostname* rw,
/etc/.#machine-info?????? rw,
/etc/hostname rw,
/etc/machine-info rw,
@{run}/systemd/default-hostname rw,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
@{run}/udev/data/+dmi:id r, @{run}/udev/data/+dmi:id r,
@ -46,15 +52,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/uevent r, @{sys}/devices/virtual/dmi/id/uevent r,
@{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/dmi/entries/*/raw r,
/etc/.#hostname* rw,
/etc/.#machine-info?????? rw,
/etc/hostname rw,
/etc/machine-info rw,
@{run}/udev/data/+dmi:id r,
include if exists <local/systemd-hostnamed> include if exists <local/systemd-hostnamed>
} }


@ -31,6 +31,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/usr/share/kbd/keymaps/{,**} r,
/usr/share/systemd/language-fallback-map r, /usr/share/systemd/language-fallback-map r,
/usr/share/X11/xkb/rules/evdev r, /usr/share/X11/xkb/rules/evdev r,


@ -19,6 +19,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
capability fsetid, capability fsetid,
capability mknod, capability mknod,
capability net_admin, capability net_admin,
capability syslog,
@{exec_path} mr, @{exec_path} mr,


@ -16,7 +16,7 @@ profile systemd-xdg-autostart-generator @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/xdg/autostart/{,*.desktop} r, @{etc_ro}/xdg/autostart/{,*.desktop} r,
owner @{user_config_dirs}/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r,
owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw, owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,


@ -25,10 +25,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,z,ba,da}sh rix, /{usr/,}bin/{,z,ba,da}sh rix,
/{usr/,}bin/cockpit-bridge rPx, /{usr/,}bin/cockpit-bridge rPx,
/etc/environment r, @{etc_ro}/environment r,
/etc/group r, /etc/group r,
/etc/motd r, /etc/motd r,
/etc/security/limits.d/{,*.conf} r, @{etc_ro}/security/limits.d/{,*.conf} r,
/etc/shells r, /etc/shells r,
@{run}/faillock/[a-zA-z0-9]* rwk, @{run}/faillock/[a-zA-z0-9]* rwk,


@ -17,6 +17,8 @@ profile agetty @{exec_path} {
capability sys_tty_config, capability sys_tty_config,
capability chown, capability chown,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/login rPx, /{usr/,}bin/login rPx,


@ -87,6 +87,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/boot/EFI/*/.goutputstream-* rw, /boot/EFI/*/.goutputstream-* rw,
/boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
/boot/EFI/*/fwupdx[0-9]*.efi rw, /boot/EFI/*/fwupdx[0-9]*.efi rw,
@{libexec}/fwupd/efi/fwupdx[0-9]*.efi r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,


@ -79,6 +79,7 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/wchan r, @{PROC}/@{pids}/task/@{tid}/wchan r,
@{sys}/bus/i2c/devices/ r,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/class/i2c-adapter/ r, @{sys}/class/i2c-adapter/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,


@ -10,6 +10,10 @@ include <tunables/global>
profile irqbalance @{exec_path} { profile irqbalance @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability setpcap,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{run}/irqbalance/irqbalance[0-9]*.sock w, @{run}/irqbalance/irqbalance[0-9]*.sock w,
@ -25,6 +29,7 @@ profile irqbalance @{exec_path} {
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/ r, @{sys}/devices/system/node/node[0-9]*/ r,
@{sys}/devices/system/node/node[0-9]*/{cpumap,meminfo} r, @{sys}/devices/system/node/node[0-9]*/{cpumap,meminfo} r,
@{sys}/devices/system/cpu/nohz_full r,
@{PROC}/interrupts r, @{PROC}/interrupts r,
@{PROC}/irq/[0-9]*/node r, @{PROC}/irq/[0-9]*/node r,


@ -26,7 +26,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/false rix, /{usr/,}bin/false rix,
/{usr/,}bin/sysctl rPx, /{usr/,}{s,}bin/sysctl rPx,
/{usr/,}bin/true rix, /{usr/,}bin/true rix,
/{usr/,}lib/modprobe.d/{,*.conf} r, /{usr/,}lib/modprobe.d/{,*.conf} r,


@ -29,21 +29,22 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
/{usr/,}{s,}bin/ r, /{usr/,}{s,}bin/ r,
/{usr/,}{s,}bin/invoke-rc.d rix,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/grep rix, /{usr/,}bin/grep rix,
/{usr/,}bin/shred rix, /{usr/,}bin/gzip rix,
/{usr/,}bin/kill rix, /{usr/,}bin/kill rix,
/{usr/,}bin/ls rix, /{usr/,}bin/ls rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/shred rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix, /{usr/,}bin/zstd rix,
/{usr/,}{s,}bin/invoke-rc.d rix,
/{usr/,}lib/rsyslog/rsyslog-rotate rix, /{usr/,}lib/rsyslog/rsyslog-rotate rix,
/{usr/,}bin/fail2ban-client rPx, /{usr/,}bin/fail2ban-client rPx,
/{usr/,}bin/systemd-tty-ask-password-agent rPx,
/{usr/,}bin/my_print_defaults rPUx, /{usr/,}bin/my_print_defaults rPUx,
/{usr/,}bin/mysqladmin rPUx, /{usr/,}bin/mysqladmin rPUx,
/{usr/,}bin/systemd-tty-ask-password-agent rPx,
/{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx, /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
# no new privs # no new privs
@ -59,22 +60,20 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
owner @{run}/systemd/private rw,
/etc/ r, /etc/ r,
/etc/logrotate.conf rk, /etc/logrotate.conf rk,
/etc/logrotate.d/ r, /etc/logrotate.d/ r,
/etc/logrotate.d/* rk, /etc/logrotate.d/* rk,
/var/lib/logrotate/status rwk,
/var/lib/logrotate/status.tmp rw,
/var/lib/logrotate.status rwk,
/var/lib/logrotate.status.tmp rw,
/ r, / r,
/var/log{,.hdd}/ r, /var/log{,.hdd}/ r,
/var/log{,.hdd}/** rw, /var/log{,.hdd}/** rw,
/var/lib/{,misc/}logrotate/status rwk,
/var/lib/{,misc/}logrotate/status.tmp rw,
/var/lib/{,misc/}logrotate.status rwk,
/var/lib/{,misc/}logrotate.status.tmp rw,
@{run}/systemd/private rw, @{run}/systemd/private rw,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,


@ -88,17 +88,22 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/echo rix, /{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix, /{usr/,}bin/gdbus rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/ischroot rix, /{usr/,}bin/ischroot rix,
/{usr/,}bin/repo2solv rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/test rix, /{usr/,}bin/test rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
/{usr/,}bin/appstreamcli rPx, /{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/systemd-inhibit rPx,
/{usr/,}bin/update-desktop-database rPx, /{usr/,}bin/update-desktop-database rPx,
/{usr/,}lib/apt/methods/* rPx, /{usr/,}lib/apt/methods/* rPx,
/{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/update-notifier/update-motd-updates-available rPx, /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
/{usr/,}lib/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
/usr/share/libalpm/scripts/* rPx, /usr/share/libalpm/scripts/* rPx,
# Install/update packages # Install/update packages
@ -113,11 +118,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
owner /tmp/packagekit* rw, owner /tmp/packagekit* rw,
@{run}/zypp.pid rwk, # only: opensuse
@{run}/systemd/inhibit/*.ref rw, @{run}/systemd/inhibit/*.ref rw,
owner @{run}/systemd/users/@{uid} r, owner @{run}/systemd/users/@{uid} r,
@{sys}/**/ r,
@{sys}/devices/**/modalias r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mountinfo r,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@ -131,11 +141,21 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/gpgconf mr, /{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr, /{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/scdaemon rix,
/etc/gcrypt/hwf.deny r,
@{HOME}/@{XDG_GPG_DIR}/*.conf r, @{HOME}/@{XDG_GPG_DIR}/*.conf r,
owner /etc/pacman.d/gnupg/ r, owner /etc/pacman.d/gnupg/ r, # only: arch
owner /etc/pacman.d/gnupg/** rwkl -> /tmp/ostree-gpg-*/**, owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,
owner /var/tmp/zypp.*/zypp-trusted-*/ r, # only: opensuse
owner /var/tmp/zypp.*/zypp-trusted-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
} }
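Review bot: `@{sys}/**/ r,` in the second hunk gives packagekitd a listing of every directory in sysfs, far wider than the `@{sys}/devices/**/modalias r,` lookup it sits next to; if the denial that motivated it was under @{sys}/devices, `@{sys}/devices/**/ r,` is enough. In the third hunk `gpg-agent` and `scdaemon` run as `rix`, so both inherit the full permissions of the rules they are executed under, whereas the gpgconf hunk above transitions gpg-agent into its own profile with `rPx`; if that profile cannot cover the zypp-trusted-* GnuPG home created here, a dedicated child profile would still keep the agent and the smartcard daemon from inheriting package-manager rights. The `/{usr/,}lib/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile` rule in the first hunk runs the plugin unconfined until that profile exists, which is better tracked as an issue than a comment. The enclosing block starts outside the hunk and the later hunks may sit in a nested child profile whose header is not visible here.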


@ -19,7 +19,7 @@
capability setgid, capability setgid,
capability setuid, capability setuid,
/etc/default/su r, /etc/default/su r,
/etc/environment r, @{etc_ro}/environment r,
@{HOMEDIRS}/.xauth* w, @{HOMEDIRS}/.xauth* w,
/{usr/,}bin/{,b,d,rb}ash Px -> default_user, /{usr/,}bin/{,b,d,rb}ash Px -> default_user,
/{usr/,}bin/{c,k,tc,z}sh Px -> default_user, /{usr/,}bin/{c,k,tc,z}sh Px -> default_user,
@ -41,7 +41,7 @@
/{usr/,}bin/{c,k,tc,z}sh Px -> confined_user, /{usr/,}bin/{c,k,tc,z}sh Px -> confined_user,
/etc/default/su r, /etc/default/su r,
/etc/environment r, @{etc_ro}/environment r,
@{HOMEDIRS}/.xauth* w, @{HOMEDIRS}/.xauth* w,
} }
@ -63,7 +63,7 @@
/{usr/,}bin/{c,k,tc,z}sh Ux, /{usr/,}bin/{c,k,tc,z}sh Ux,
/etc/default/su r, /etc/default/su r,
/etc/environment r, @{etc_ro}/environment r,
@{HOMEDIRS}/.xauth* w, @{HOMEDIRS}/.xauth* w,
} }


@ -6,19 +6,26 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/pcscd @{exec_path} = /{usr/,}{s,}bin/pcscd
profile pcscd @{exec_path} { profile pcscd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/devices-usb> include <abstractions/devices-usb>
network netlink raw, network netlink raw,
ptrace (read) peer=rngd,
ptrace (read) peer=pkcs11-register,
@{exec_path} mr, @{exec_path} mr,
/etc/libccid_Info.plist r, /etc/libccid_Info.plist r,
/etc/reader.conf.d/{,libccidtwin} r, /etc/reader.conf.d/ r,
/etc/reader.conf.d/libccidtwin r,
/etc/reader.conf.d/reader.conf r,
owner @{run}/pcscd/{,pcscd.pid} rw, owner @{run}/pcscd/{,pcscd.pid} rw,
owner @{PROC}/@{pid}/stat r,
include if exists <local/pcscd> include if exists <local/pcscd>
} }
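Review bot: The reader.conf.d rules are now spread over three lines (`/etc/reader.conf.d/ r,`, `/etc/reader.conf.d/libccidtwin r,`, `/etc/reader.conf.d/reader.conf r,`) where the previous brace form already covered two of them; `/etc/reader.conf.d/{,libccidtwin,reader.conf} r,` keeps the file's usual style and is easier to extend. The two `ptrace (read) peer=…` rules are appropriately narrow, but if, as they suggest, pcscd identifies its clients through /proc, every further confined client will need its own peer entry, which a short comment above them (`# pcscd inspects /proc of its clients; add a peer= rule per confined client`) would make explicit.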


@ -58,5 +58,7 @@ profile spice-vdagent @{exec_path} {
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
include if exists <local/spice-vdagent> include if exists <local/spice-vdagent>
} }
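Review bot: `owner @{PROC}/@{pids}/task/@{tid}/comm rw,` uses `@{pids}`, which even with `owner` matches every same-uid process, while the analogous rule added to packagekitd in this commit uses `@{pid}`; the usual pthread_setname_np path writes only the caller's own /proc/self/task/<tid>/comm, so `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` is the narrower and consistent form. The spice-vdagent profile's body starts outside the hunk.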


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/sysctl @{exec_path} = /{usr/,}{s,}bin/sysctl
profile sysctl @{exec_path} { profile sysctl @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -16,6 +16,7 @@ profile sysctl @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/sysctl.conf r,
/etc/sysctl.d/{,**} r, /etc/sysctl.d/{,**} r,
/usr/lib/sysctl.d/{,**} r, /usr/lib/sysctl.d/{,**} r,


@ -42,6 +42,8 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw, /etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
/etc/libnl/{classid,pktloc} r, /etc/libnl/{classid,pktloc} r,
/var/log/wpa_supplicant.log rw,
@{HOME}/.cat_installer/*.pem r, @{HOME}/.cat_installer/*.pem r,
owner @{run}/wpa_supplicant/{,**} rw, owner @{run}/wpa_supplicant/{,**} rw,