From ee83e1c33cc81c7ba557a945f52a993064ecef63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Dec 2022 19:14:56 +0000 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 4 +++- apparmor.d/profiles-a-f/blkid | 2 ++ apparmor.d/profiles-a-f/evince | 2 ++ apparmor.d/profiles-g-l/lvm | 7 +++++-- apparmor.d/profiles-m-r/mke2fs | 2 ++ apparmor.d/profiles-s-z/snap | 3 +++ apparmor.d/profiles-s-z/snap-update-ns | 10 +++++++++- apparmor.d/profiles-s-z/snapd | 12 ++++++++---- apparmor.d/profiles-s-z/udisksd | 4 ++-- apparmor.d/profiles-s-z/virt-manager | 4 ++-- 11 files changed, 39 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 1eac870d..6b76865e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -158,11 +158,11 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/.* r, owner @{HOME}/@{XDG_DATA_HOME}/ r, + @{run}/mount/utab r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, - @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 7fd5d4db..6054c5b2 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -222,9 +222,11 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{user_share_dirs}/applications/ r, + owner @{user_share_dirs}/applications/defaults.list r, owner @{user_share_dirs}/applications/mimeinfo.cache r, - owner @{user_share_dirs}/session_migration-ubuntu r, owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw, + owner @{user_share_dirs}/mime/mime.cache r, + owner @{user_share_dirs}/session_migration-ubuntu r, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 10511182..390d8687 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -13,6 +13,8 @@ profile blkid @{exec_path} { include include + capability sys_rawio, + @{exec_path} mr, /etc/blkid.conf r, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index de2ea096..76cdf32d 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -23,6 +23,8 @@ profile evince @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gio-launch-desktop rPx, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + /{usr/,}lib/gio-launch-desktop rPx -> child-open, /usr/share/djvu/{,**} r, /usr/share/evince/{,**} r, diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index 8f386fae..dc220c35 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -13,13 +13,15 @@ profile lvm @{exec_path} { include include + capability mknod, + capability net_admin, capability sys_admin, capability sys_nice, - capability net_admin, + capability sys_rawio, @{exec_path} rm, - @{etc_rw}/lvm/** r, + @{etc_rw}/lvm/** rwkl, @{run}/lvm/** rwk, @{run}/lock/lvm/* rwk, 
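Review bot: The new `capability sys_rawio,` in the blkid hunk is granted without any comment, and the same unexplained grant appears in the lvm hunk on this line and in the mke2fs hunk on the next. CAP_SYS_RAWIO reaches well beyond reading a block device (it also covers I/O-port and raw memory access), so each rule should record which denied operation motivated it, e.g. `# sys_rawio: needed for TODO(name the denied block-device operation from the audit log)` placed above the capability line. With that note a later review can tell whether the grant is still required or can be replaced by a narrower rule.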
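Review bot: The two `gio-launch-desktop` rules added in the evince hunk transition to `child-open`, while the existing `/{usr/,}bin/gio-launch-desktop rPx,` just above them still transitions to the executable's own profile, so the same helper ends up in a different confinement depending on which path resolves it. If child-open is the intended profile for opening documents from evince, the bin rule should read `/{usr/,}bin/gio-launch-desktop rPx -> child-open,` as well; otherwise the two new rules should match the bin rule. A short comment such as `# Open files and URIs through the confined child-open helper` above the three rules would make the intent explicit.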
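Review bot: `@{etc_rw}/lvm/** rwkl,` in the lvm hunk turns the whole lvm configuration tree, including `lvm.conf` and any profile snippets it reads, from read-only into read-write-lock-link for the profile. If the writes are for metadata archives and backups (lvm's `archive/` and `backup/` directories), the configuration can stay read-only and the write can be scoped: `@{etc_rw}/lvm/** r,` followed by `@{etc_rw}/lvm/{archive,backup}/{,**} rwk,`. The `l` (link) permission in particular should only be kept if a link() denial was actually observed, and a comment naming that denial would justify it.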
@@ -33,6 +35,7 @@ profile lvm @{exec_path} { @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + /dev/**/ r, /dev/mapper/control rw, include if exists diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index c25377a3..cda680dc 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -12,6 +12,8 @@ profile mke2fs @{exec_path} { include include + capability sys_rawio, + @{exec_path} mr, # To check for badblocks diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 151332d9..f7d5da9c 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -23,6 +23,8 @@ profile snap @{exec_path} { @{exec_path} mrix, + /{usr/,}bin/systemctl rPx -> child-systemctl, + /snap/{,**} rw, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, @@ -37,6 +39,7 @@ profile snap @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/snapd-session-agent.socket rw, owner @{run}/user/@{uid}/systemd/notify rw, @{run}/snapd.socket rw, diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 34bf3a41..90d9edd3 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns 
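Review bot: `/snap/{,**} rw,` in the first snap hunk gives the `snap` client write access to the whole mounted snap tree, which is normally populated by snapd from read-only squashfs images and is already writable from the snapd profile. Unless a concrete write denial was observed, `/snap/{,**} r,` looks sufficient for a client that drives snapd over `@{run}/snapd.socket` (allowed further down in this file); if a write really is required, a comment naming the path and the reason should sit above the rule. The `systemctl rPx -> child-systemctl` transition added alongside it is fine as written.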
@@ -10,18 +10,26 @@ include profile snap-update-ns @{exec_path} { include + capability dac_override, capability sys_admin, capability sys_chroot, + mount -> /snap/**/, + mount -> /usr/**/, + mount /snap/**/ -> /tmp/.snap/**, + umount /snap/**/, + @{exec_path} mr, /var/lib/snapd/mount/{,*} r, + /tmp/.snap/{,**} rwk, + @{run}/snapd/lock/*.lock rwk, @{run}/snapd/ns/{,**} rw, @{sys}/fs/cgroup/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 2cbc6882..f6616f98 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -94,12 +94,13 @@ profile snapd @{exec_path} { /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} r, - /etc/systemd/user/snap* rw, + /etc/systemd/user/**/*snap* rw, + /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, /snap/{,**} rw, - /var/cache/snapd/{,**} rwk, - /var/lib/snapd/{,**} rwk, + /var/cache/snapd/{,**} rwlk, + /var/lib/snapd/{,**} rwlk, /var/snap/{,**} rw, /var/cache/apparmor/{,*/} r, @@ -119,7 +120,8 @@ profile snapd @{exec_path} { owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, - owner @{run}/user/{,@{uid}/} r, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/snapd-session-agent.socket rw, owner @{run}/user/snap.*/{,**} rw, @{run}/snapd*.socket rw, @@ -136,6 +138,8 @@ profile snapd @{exec_path} { @{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/profiles r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/stat r, @{PROC}/cgroups r, 
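Review bot: The added `mount -> /snap/**/,` and `mount -> /usr/**/,` rules in the snap-update-ns hunk constrain neither the source, the filesystem type nor the mount options, so any mount the process can perform is allowed onto any directory under /usr. If snap-update-ns only creates bind mounts there for content interfaces and layouts, the rule can say so, e.g. `mount options=(rw, bind) -> /usr/**/,` (with `rbind` if recursive binds are needed), and the `/snap/**/` target and `umount /snap/**/,` can be narrowed the same way. Whether tmpfs or squashfs mounts also land under these targets is not visible from the hunk, so the option set should be confirmed against snapd's own mount profiles before tightening, and a comment above the rules should state the use case either way.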
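Review bot: `/etc/systemd/user/**/*snap* rw,` and `/etc/systemd/user/*snap* rw,` in the first snapd hunk replace a prefix match with a substring match, so snapd may now write any user unit, drop-in or `.wants` link whose name merely contains "snap" (a `snapshot-*.service`, for instance), not only its own `snap.*`/`snapd.*` units. The session-agent units snapd ships appear to start with that prefix, which is also what the unchanged `/etc/systemd/system/snap* rw,` rule above assumes for system units, and the prefix form already matches inside `.wants/` directories once combined with `**/`. If the widening was prompted by a specific denial the path should be named in a comment; otherwise `/etc/systemd/user/{,**/}snap* rw,` covers both new rules without the substring match.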
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 207a6fb2..5ac4ac51 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -37,8 +37,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow mounting of cdrom - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, - mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/, # Allow mounting od sd cards mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 6e44efbe..9dec5c19 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -68,8 +68,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/virt-manager/ rw, - owner @{user_cache_dirs}/virt-manager/** rw, + owner @{user_cache_dirs}/virt-manager/{,**} rw, # For disk images @{MOUNTS}/ r, @@ -87,6 +86,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{user_vm_dirs}/{,**} rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/mount/utab r, @{run}/udev/data/c51[0-9]:[0-9]* r,
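Review bot: After the udisksd change, `mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,` still sits under the `# Allow mounting of cdrom` comment but no longer has anything to do with optical media, and because `*` matches any run of non-slash characters the `/dev/loop[0-9]*` pattern already covers the `/dev/loop[0-9]*p[0-9]*` rule at the top of the hunk, which becomes redundant. Move the loop rule next to its partition sibling (or drop the narrower one) and leave only the `/dev/sr[0-9]*` line under the cdrom comment. The trailing context line `# Allow mounting od sd cards` also carries a typo (`of`) that could be fixed in the same pass.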