From ed1ea18a9edce12c4b03c0977b86875c175258e0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 9 Dec 2023 11:28:23 +0000
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/groups/gnome/gio-launch-desktop | 1 +
 apparmor.d/groups/ssh/ssh-agent | 1 +
 .../groups/systemd/systemd-socket-proxyd | 22 +++++++++++++++++++
 apparmor.d/profiles-a-f/flatpak | 3 ++-
 apparmor.d/profiles-m-r/run-parts | 2 +-
 apparmor.d/profiles-s-z/torsocks | 13 +++++++++--
 6 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 apparmor.d/groups/systemd/systemd-socket-proxyd

diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 3ac86c48..368e776a 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -15,6 +15,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
+  include
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 9636acb8..0a155f1b 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -25,6 +25,7 @@ profile ssh-agent @{exec_path} {
   @{bin}/kwalletaskpass rPUx,
   @{bin}/openbox-session rPx,
   @{bin}/startkde rPUx,
+  @{bin}/startxfce4 rPUx,
   @{bin}/sway rPUx,
 
   owner @{HOME}/@{XDG_SSH_DIR}/ rw,
diff --git a/apparmor.d/groups/systemd/systemd-socket-proxyd b/apparmor.d/groups/systemd/systemd-socket-proxyd
new file mode 100644
index 00000000..ab27636d
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-socket-proxyd
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-socket-proxyd
+profile systemd-socket-proxyd @{exec_path} {
+  include
+  include
+
+  capability net_admin,
+
+  network inet stream,
+  network inet6 stream,
+
+  @{exec_path} mr,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index 70890775..8554edc9 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -60,7 +60,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   owner @{user_config_dirs}/user-dirs.dirs r,
 
   @{user_share_dirs}/flatpak/{,**} r,
-  owner @{user_share_dirs}/flatpak/{,**} rw,
+  owner @{user_share_dirs}/ r,
+  owner @{user_share_dirs}/flatpak/{,**} rwl,
 
   /tmp/#@{int} rw,
   owner /dev/shm/flatpak*/{,**} rw,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index f406d4da..5a0ff0a0 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -104,7 +104,7 @@ profile run-parts @{exec_path} {
 
   # Motd
   /etc/update-motd.d/ r,
-  /etc/update-motd.d/@{int}-[a-z]* rCx -> motd,
+  /etc/update-motd.d/* rCx -> motd,
 
   # Kernel
   /etc/kernel/header_postinst.d/ r,
diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks
index aee5edbe..0b32ffbe 100644
--- a/apparmor.d/profiles-s-z/torsocks
+++ b/apparmor.d/profiles-s-z/torsocks
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
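Review bot: `capability net_admin,` in the new systemd-socket-proxyd profile is granted with no note of which operation requires it; for a userspace forwarder that receives its listening sockets from systemd this is a broad grant, so if it was added to satisfy an audit denial the triggering operation should be recorded next to the rule, e.g. `capability net_admin, # TODO(confirm): needed for <operation seen in audit log>`. If no denial was observed, the line should be dropped rather than kept speculatively. The new file also ends without a trailing newline (`\ No newline at end of file` after the closing `}`); add one so the profile matches the other files in the tree.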
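Review bot: The widened rule `/etc/update-motd.d/* rCx -> motd,` now routes every file in the directory through the motd child profile, including leftovers such as editor backups or packaging artifacts that the old `@{int}-[a-z]*` pattern never matched; as far as I know run-parts itself only executes names made of ASCII letters, digits, underscore and hyphen, so the practical widening is small, but the reason for dropping the numbered pattern is not recorded. A one-line comment would keep the next reader from tightening it back, e.g. `# Scripts are not always named NN-name; run-parts filters the names itself`. The `motd` child profile this rule transitions to is defined outside the hunk.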
@@ -9,9 +10,17 @@ include
 @{exec_path} = @{bin}/torsocks
 profile torsocks @{exec_path} {
   include
+  # include
 
-  @{exec_path} r,
-  @{bin}/{,ba,da}sh rix,
+  capability dac_read_search,
+
+  @{exec_path} rm,
+
+  @{bin}/{,ba,da}sh rix,
+  @{bin}/* rPUx,
+  @{bin}/getcap rix,
+
+  /etc/tor/torsocks.conf r,
 
   include if exists
 }
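Review bot: `@{bin}/* rPUx,` makes any program torsocks wraps run unconfined whenever it has no profile of its own, and since torsocks exists to wrap arbitrary commands that is the common case; the fallback is a deliberate trade-off and deserves a comment, e.g. `# Wrapped programs without a profile of their own run unconfined`. `capability dac_read_search,` is likewise added without explanation; it is a broad read grant, so the operation that needed it should be recorded (possibly the new `@{bin}/getcap rix,` inspection of the target binary, but that is a guess to confirm against the audit log). The commented-out `# include` line gives no reason for being disabled; either remove it or say why it is kept.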