From ea746ad8d7c3e0a027ecc05e6a5c2b1c58e2f446 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 13 Apr 2021 14:10:50 +0100
Subject: [PATCH] Minor fixes.
---
 apparmor.d/groups/desktop/at-spi2-registryd | 2 +-
 apparmor.d/groups/desktop/dbus-run-session | 4 +++-
 apparmor.d/groups/gnome/gdm-wayland-session | 3 +++
 apparmor.d/groups/gnome/gnome-session-binary | 1 +
 apparmor.d/groups/gnome/gnome-shell | 3 +--
 apparmor.d/groups/ssh/ssh | 1 +
 apparmor.d/groups/ssh/ssh-agent | 2 ++
 apparmor.d/groups/systemd/systemd-coredump | 3 +++
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 apparmor.d/profiles-m-z/polkitd | 3 +++
 10 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/groups/desktop/at-spi2-registryd b/apparmor.d/groups/desktop/at-spi2-registryd
index 4be51c7b..5426a0a3 100644
--- a/apparmor.d/groups/desktop/at-spi2-registryd
+++ b/apparmor.d/groups/desktop/at-spi2-registryd
@@ -8,7 +8,7 @@ include
 @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd
 @{exec_path} += /usr/{lib,libexec}/at-spi2-registryd
-profile at-spi2-registryd @{exec_path} {
+profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/desktop/dbus-run-session b/apparmor.d/groups/desktop/dbus-run-session
index 6f30e7d9..cb970525 100644
--- a/apparmor.d/groups/desktop/dbus-run-session
+++ b/apparmor.d/groups/desktop/dbus-run-session
@@ -28,7 +28,9 @@ profile dbus-run-session @{exec_path} {
 /usr/share/dconf/profile/gdm r,
 /var/lib/gdm/.config/dconf/user r,
- /dev/tty rw,
+ # file_inherit
+ owner /dev/tty rw,
+ owner /dev/tty[0-9]* rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 01fca301..7e537d35 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
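Review bot: The new `flags=(attach_disconnected)` on the at-spi2-registryd profile line is undocumented, and the flag is not free: if I read the AppArmor semantics correctly, paths that are disconnected from the namespace root are matched as though rooted at `/`, so every path rule in the profile also applies to such files. A one-line comment recording the denial it was added for, e.g. `# attach_disconnected: needed for <observed disconnected path>`, would let a later maintainer judge whether it is still required instead of carrying it forward by habit. The rest of the profile body is outside the hunk.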
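Review bot: `owner /dev/tty rw,` in the dbus-run-session hunk is unlikely to match in practice: `/dev/tty` is normally a root-owned 0666 device node, while the surrounding rules (`/var/lib/gdm/.config/dconf/user`) suggest this process runs as the gdm user, so the `owner` qualifier would reject the access and the file_inherit denial the rule was meant to silence may simply come back. The numbered VTs are chowned to the session owner by logind, so `owner /dev/tty[0-9]* rw,` is fine as written. Suggest keeping `/dev/tty rw,` unqualified and confirming against the audit log; the rest of the profile is outside the hunk.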
@@ -43,5 +43,8 @@ profile gdm-wayland-session @{exec_path} {
 owner @{run}/user/[0-9]*/dconf/ rw,
 owner @{run}/user/[0-9]*/dconf/user rw,
+ # file_inherit
+ /dev/tty[0-9]* rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index e8f36308..c993478b 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -80,6 +80,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /dev/null r,
 /dev/tty rw,
+ /dev/tty[0-9]* rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 58902e91..42dddd60 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -12,6 +12,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
@@ -117,8 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
 @{sys}/devices/pci[0-9]*/**/boot_vga r,
- @{sys}/devices/pci[0-9]*/**/{device,vendor} r,
- @{sys}/devices/pci[0-9]*/**/{subsystem_device,subsystem_vendor} r,
 @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
 @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 2b78621b..58705d19 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -31,6 +31,7 @@ profile ssh @{exec_path} {
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r,
 owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r,
 /etc/ssh/ssh_config r,
 /etc/ssh/ssh_config.d/ r,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 70f73bad..db843922 100644
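Review bot: `/dev/tty[0-9]* rw,` in gdm-wayland-session is not qualified with `owner`, unlike the equivalent rule this same patch adds to dbus-run-session, so the session process may read from and write to every virtual console, including VTs of other logged-in users. logind chowns a session's VT to its owner, so `owner /dev/tty[0-9]* rw,` should still cover the inherited-fd case the `# file_inherit` comment refers to while confining the grant to this user's console. The profile body continues outside the hunk.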
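Review bot: The same tightening applies to the gnome-session-binary hunk: `/dev/tty[0-9]* rw,` grants read/write on all VTs rather than the one logind assigned to this session, and `owner /dev/tty[0-9]* rw,` would be consistent with the rule added to dbus-run-session in this patch. If the unqualified form is deliberate (for example because the denial was observed on a root-owned VT), a comment saying so next to the rule would stop a later cleanup from "fixing" it. The rest of the profile is outside the hunk.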
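Review bot: In the gnome-shell hunk the two removed sysfs rules (`{device,vendor}` and `{subsystem_device,subsystem_vendor}` under `@{sys}/devices/pci[0-9]*/**`) are presumably now provided by the `include` added near the top of the profile, but the include target has been stripped in this rendering, so the replacement cannot be verified from the diff alone. It is worth confirming that the abstraction grants at least those four reads and not something broader such as `@{sys}/devices/**` read access, which would widen what gnome-shell can enumerate compared with the two specific rules it replaces. The profile body continues outside both hunks.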
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -12,6 +12,8 @@ profile ssh-agent @{exec_path} {
 include
 include
+ signal (receive) set=term peer=gnome-keyring-daemon,
+
 @{exec_path} mr,
 owner /tmp/ssh-*/ rw,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 2127362d..89c0a28d 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,7 +10,9 @@ include
 @{exec_path} = /{usr/,}lib/systemd/systemd-coredump
 profile systemd-coredump @{exec_path} flags=(complain) {
 include
+ include
 include
+ include
 capability setpcap,
 capability setuid,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index f8f03925..2017c8a7 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -50,7 +50,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/systemd/seats/ r,
 @{run}/systemd/seats/.#seat* rw,
- @{run}/systemd/seats/seat0 rw,
+ @{run}/systemd/seats/seat[0-9]* rw,
 @{run}/systemd/inhibit/ r,
 @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
 @{run}/systemd/inhibit/.#* rw,
diff --git a/apparmor.d/profiles-m-z/polkitd b/apparmor.d/profiles-m-z/polkitd
index a3f81fe4..075865b4 100644
--- a/apparmor.d/profiles-m-z/polkitd
+++ b/apparmor.d/profiles-m-z/polkitd
@@ -43,5 +43,8 @@ profile polkitd @{exec_path} {
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/[0-9]* r,
+ # Silencer
+ deny /.cache/ rw,
+
 include if exists
 }
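Review bot: AppArmor mediates signals on both endpoints, so `signal (receive) set=term peer=gnome-keyring-daemon,` in the ssh-agent hunk only works if the gnome-keyring-daemon profile also carries the matching `signal (send) set=term peer=ssh-agent,`; that profile is not touched by this patch, so please confirm the send side already exists. A short comment above the rule, such as `# gnome-keyring-daemon stops the agent it started when the session ends`, would also record why a keyring process is allowed to terminate ssh-agent (that reason is presumed here, not visible in the diff). The profile body continues outside the hunk.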
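Review bot: In the second systemd-coredump hunk the two added `include` lines have had their targets stripped in this rendering, and the profile is still `flags=(complain)`, so nothing here is enforced yet and the diff does not show what the includes grant. Since systemd-coredump handles core dumps of arbitrary crashed processes, a comment next to each include naming the denial it resolves (e.g. `# include <...>: needed to read /proc/<pid>/... of the dumped process`) would make it possible to move the profile out of complain mode later with confidence. The profile body continues outside the hunk.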
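Review bot: `@{run}/systemd/seats/seat[0-9]* rw,` in the systemd-logind hunk still rejects administrator-defined seat names: if I recall logind's validation correctly, a seat name only has to start with `seat` and may continue with letters, digits, `-` or `_`, and multi-seat setups commonly use names like `seat-kitchen`. `@{run}/systemd/seats/seat* rw,` would match everything logind can actually create and mirror the neighbouring `.#seat*` temp-file rule. The profile is in complain mode, so for now the mismatch would only show up as a logged denial; the rest of the profile is outside the hunk.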
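Review bot: `deny /.cache/ rw,` in the polkitd hunk silences only the directory itself; if whatever probes it goes on to create entries beneath, those accesses would still be logged, so `deny /.cache/{,**} rw,` is the more complete silencer. The `# Silencer` comment should also say why polkitd looks there at all, presumably because it runs with `HOME=/` (or unset) so `$XDG_CACHE_HOME` resolves to `/.cache/`, e.g. `# Silencer: polkitd runs with HOME=/ so glib probes /.cache/`. The profile body continues outside the hunk.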