From ea366754d7c8e38fabf352fb69dc72d1a8124ee3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 18 Mar 2022 16:05:36 +0000
Subject: [PATCH] Profiles update.
---
apparmor.d/abstractions/nvidia.d/complete | 7 ++++
apparmor.d/abstractions/user-read | 14 ++++----
apparmor.d/groups/browsers/chromium-chromium | 2 ++
apparmor.d/groups/desktop/bluetoothd | 2 +-
apparmor.d/groups/gnome/gnome-control-center | 1 +
apparmor.d/groups/gnome/gnome-session-binary | 6 ++++
apparmor.d/groups/gnome/gnome-shell | 1 +
.../groups/gnome/gnome-shell-hotplug-sniffer | 1 +
apparmor.d/groups/gnome/gnome-terminal-server | 7 ++--
apparmor.d/profiles-g-l/htop | 1 +
apparmor.d/profiles-m-r/pass | 33 ++++++++++++++++++-
apparmor.d/profiles-m-r/resolvconf | 4 ++-
apparmor.d/profiles-s-z/scrcpy | 2 +-
apparmor.d/profiles-s-z/udisksd | 4 +++
apparmor.d/profiles-s-z/xdg-desktop-portal | 3 +-
apparmor.d/profiles-s-z/xorg | 4 ++-
16 files changed, 77 insertions(+), 15 deletions(-)
create mode 100644 apparmor.d/abstractions/nvidia.d/complete
diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete
new file mode 100644
index 00000000..aef83c51
--- /dev/null
+++ b/apparmor.d/abstractions/nvidia.d/complete
@@ -0,0 +1,7 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ owner @{user_cache_dirs}/nvidia/ w,
+ owner @{user_cache_dirs}/nvidia/GLCache/ rw,
+ owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index 38ff5085..cc648448 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@@ -10,12 +10,12 @@
 owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
- owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} r,
- owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r,
- owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r,
- owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} r,
- owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} r,
- owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} r,
- owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r,
+ owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r,
+ owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r,
+ owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r,
+ owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
+ owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r,
+ owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index 667ed0c1..75962664 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -26,6 +26,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 capability sys_ptrace,
@@ -128,6 +129,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 owner @{PROC}/@{pids}/clear_refs w,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 @{run}/udev/data/* r,
diff --git a/apparmor.d/groups/desktop/bluetoothd b/apparmor.d/groups/desktop/bluetoothd
index 1aed057a..740731c5 100644
--- a/apparmor.d/groups/desktop/bluetoothd
+++ b/apparmor.d/groups/desktop/bluetoothd
@@ -38,7 +38,7 @@ profile bluetoothd @{exec_path} {
 @{sys}/devices/virtual/dmi/id/chassis_type r,
 @{sys}/devices/platform/**/rfkill/**/name r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r,
 /var/lib/bluetooth/{,**} rw,
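Review bot: Replacing `@{MOUNTS}/*/` with `@{MOUNTS}/**/` in the seven user-read rules widens each of them from the top-level directory of a mount to any directory with that XDG name at any depth below @{MOUNTS}, and nothing in the hunk records which mount layout needed the extra depth. The grant stays `owner` and read-only, so the widening is bounded, but a one-line comment above the block naming the case that motivated it (presumably media mounted one or more levels deeper than before) would let a later maintainer decide whether a bounded pattern such as `@{MOUNTS}/*/*/` would have been enough. The same `*/` to `**/` widening appears in the gnome-shell-hotplug-sniffer hunk further down.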
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index d8838b94..193fc4e9 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -83,6 +83,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
 @{run}/udev/data/c235:[0-9]* r,
 @{run}/udev/data/c236:[0-9]* r,
+ @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c51[0-9]:[0-9]* r,
 @{run}/udev/data/n[0-9]* r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 6ab260d2..ec3a97f3 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -14,6 +14,12 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 include
 include
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
 signal (send) set=(term) peer=gsd-*,
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index b5479396..9b87772f 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -176,6 +176,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 # file_inherit
 /dev/tty[0-9]* rw,
+ owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
index 20a4d902..f72f6053 100644
--- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
+++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
@@ -15,6 +15,7 @@ profile gnome-shell-hotplug-sniffer @{exec_path} {
 /usr/share/mime/mime.cache r,
 owner @{MOUNTS}/*/ r,
+ owner @{MOUNTS}/**/ r,
 owner @{MOUNTS}/** r,
 include if exists
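Review bot: The five `network` rules added to gnome-session-binary grant IPv4 and IPv6 stream and datagram sockets plus raw netlink with no further qualifier, and the hunk carries no comment on what the session manager opens these sockets for. Network access is a meaningful widening for a process whose job is to start and supervise the session, so the trigger (the denied syscall or the component that needs it) should be recorded in a comment above the block, e.g. `# Needed for: <component or log entry that required it>`, so the grant can be revisited if it was only one socket family that was actually needed. The profile body begins and ends outside this hunk.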
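Review bot: In the gnome-shell-hotplug-sniffer hunk, the added `owner @{MOUNTS}/**/ r` already covers every directory one level below @{MOUNTS}, so the existing `owner @{MOUNTS}/*/ r` on the line above becomes redundant and could be dropped in the same change to keep the profile minimal. If the intent is to keep the narrower rule as documentation of the common case, a short comment saying so would stop the next reviewer from asking the same question. The profile's opening line is outside this hunk.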
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index cb4f98c1..6c267cb1 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/gnome-terminal-server
 profile gnome-terminal-server @{exec_path} {
 include
+ include
 include
 include
@@ -31,10 +32,12 @@ profile gnome-terminal-server @{exec_path} {
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner /tmp/#[0-9]* rw,
+
+ @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/cgroup r,
- /dev/ptmx rw,
- owner /dev/pts/[0-9]* rw,
+ /dev/ptmx rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index 32f04165..6f488b4d 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/htop
 profile htop @{exec_path} {
 include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index bdf15ad8..e65eed8d 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -41,7 +41,7 @@ profile pass @{exec_path} {
 /{usr/,}bin/tty rix,
 /{usr/,}bin/which rix,
- /{usr/,}bin/git rPx,
+ /{usr/,}bin/git rCx -> git,
 /{usr/,}bin/gpg{2,} rUx,
 /{usr/,}bin/vim rCx -> editor,
 /{usr/,}bin/wl-{copy,paste} rPx,
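Review bot: In the second gnome-terminal-server hunk, the new `@{PROC}/@{pids}/cmdline r` lets the terminal server read the command line of every process on the system, not only the shells it spawned. If the reads serve the usual purpose of showing the foreground child's command in the tab title, those children run as the same user and `owner @{PROC}/@{pids}/cmdline r` would bound the grant to them; the neighbouring `@{PROC}/@{pids}/cgroup r` context line has the same unowned shape, so if the wider form is deliberate a comment stating why would keep it from being tightened later by mistake. The profile's opening line is outside this hunk; its closing brace is inside it.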
@@ -89,6 +89,37 @@ profile pass @{exec_path} {
 deny owner @{HOME}/ r,
 }
+ profile git {
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ /{usr/,}bin/git* mrix,
+ /{usr/,}@{libexec}/git-core/git* mrix,
+
+ /{usr/,}bin/gpg{2,} rUx,
+
+ /usr/share/git-core/{,**} r,
+
+ owner @{HOME}/.gitconfig r,
+ owner @{user_config_dirs}/git/{,*} r,
+
+ owner @{HOME}/.password-store/ rw,
+ owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**,
+ owner @{user_config_dirs}/password-store/ rw,
+ owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**,
+
+ }
+
 include if exists
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf
index f53da15f..75211986 100644
--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@@ -18,14 +18,16 @@ profile resolvconf @{exec_path} {
 /{usr/,}bin/flock rix,
 /{usr/,}bin/mkdir rix,
 /{usr/,}bin/mv rix,
+ /{usr/,}bin/readlink rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/run-parts rix,
 /{usr/,}bin/sed rix,
+ /{usr/,}lib/resolvconf/list-records rix,
 /usr/lib/resolvconf/{,**} r,
 /etc/resolv.conf rw,
- /etc/resolvconf/update.d/libc mr,
+ /etc/resolvconf/update.d/libc rix,
 owner @{run}/resolvconf/{,**} rw,
 owner @{run}/resolvconf/run-lock wk,
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index 32407c37..36306651 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -18,7 +18,7 @@ profile scrcpy @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/adb rix,
+ /{usr/,}bin/adb rPx,
 /usr/share/scrcpy/{,*} r,
 /usr/share/icons/**/scrcpy.png r,
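Review bot: Inside the new `git` child profile, `/{usr/,}bin/gpg{2,} rUx` launches gpg unconfined, so any signing or decryption that git triggers during `pass git` operations runs without a profile at all. That mirrors the parent profile's existing gpg rule, but a child profile created precisely to keep git confined is the place to either state in a comment why gpg cannot be confined from here, or use `rPx` if the repository already ships a gpg profile (this patch does not show one either way). The `@{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**` write rules also match any directory whose name ends in `-store` at any depth, which is broader than the two explicit password-store paths around them and deserves a comment naming the layout it targets. The enclosing `pass` profile opens outside this hunk.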
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index e8188045..286274a2 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -34,7 +34,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}{s,}bin/dmidecode rPx,
 /{usr/,}{s,}bin/dumpe2fs rPx,
+ /{usr/,}{s,}bin/fsck.fat rPx,
 /{usr/,}{s,}bin/lvm rPUx,
+ /{usr/,}{s,}bin/mke2fs rPx,
+ /{usr/,}{s,}bin/mkfs.btrfs rPx,
+ /{usr/,}{s,}bin/mkfs.fat rPx,
 /{usr/,}bin/eject rPx,
 /{usr/,}bin/ntfs-3g rPx,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal b/apparmor.d/profiles-s-z/xdg-desktop-portal
index aeb9b24d..7abb3e3f 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@@ -46,8 +46,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{PROC}/@{pids}/cgroup r,
- @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/xorg b/apparmor.d/profiles-s-z/xorg
index f5c2b8b5..cfd45274 100644
--- a/apparmor.d/profiles-s-z/xorg
+++ b/apparmor.d/profiles-s-z/xorg
@@ -65,11 +65,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/xorg/Xorg.[0-9].log{,.old} rw,
 owner @{user_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,
- /var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
 owner /var/log/lightdm/x-*.log* rw,
 owner /var/log/Xorg.[0-9].log{,.old} rw,
 owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
+ /var/lib/gdm/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
+ /var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
+
+ @{run}/nvidia-xdriver-* rw,
 @{run}/sddm/{,**} rw,
 @{run}/lightdm/{,**} rw,
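Review bot: The four new `rPx` transitions in the udisksd hunk (`fsck.fat`, `mke2fs`, `mkfs.btrfs`, `mkfs.fat`) only work if profiles with those names are loaded, because a `Px` exec with no matching profile is denied rather than falling back; this patch's diffstat adds no such profiles, so unless they already exist in the repository the corresponding format and check operations will fail under enforcement. The preferable fix is to ship the missing profiles in the same change; `rPUx`, as already used for `lvm` on the line between them, is the weaker fallback that the file otherwise reserves for the cases it cannot confine. The udisksd profile opens and closes outside this hunk.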