From f2989321ebf12bd84fdb108ba4869719853d227d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 24 Sep 2022 18:06:06 +0100
Subject: [PATCH] feat(profiles): general update.
---
apparmor.d/groups/apt/command-not-found | 9 +++++++--
apparmor.d/groups/browsers/firefox | 3 ++-
apparmor.d/groups/freedesktop/polkitd | 6 +++---
apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 +
apparmor.d/groups/freedesktop/xdg-email | 4 +++-
.../groups/freedesktop/xdg-user-dirs-gtk-update | 1 +
apparmor.d/groups/gnome/gio-launch-desktop | 2 +-
apparmor.d/groups/gnome/gnome-control-center | 1 +
apparmor.d/groups/gnome/gnome-extension-ding | 1 +
apparmor.d/groups/gnome/gnome-shell | 3 ++-
apparmor.d/groups/gnome/gnome-terminal-server | 1 +
apparmor.d/groups/gnome/gsd-print-notifications | 6 ++++++
apparmor.d/groups/gnome/gsd-sharing | 4 ++++
apparmor.d/groups/gnome/tracker-extract | 4 ++++
apparmor.d/groups/gvfs/gvfsd | 1 +
apparmor.d/groups/gvfs/gvfsd-fuse | 1 +
apparmor.d/groups/gvfs/gvfsd-metadata | 1 +
apparmor.d/groups/gvfs/gvfsd-trash | 1 +
apparmor.d/groups/network/mullvad-daemon | 10 +++++++++-
apparmor.d/groups/network/tailscaled | 7 +++++--
apparmor.d/groups/pacman/pacman | 3 ++-
apparmor.d/groups/ubuntu/check-new-release-gtk | 1 +
apparmor.d/groups/ubuntu/livepatch-notification | 1 +
apparmor.d/groups/ubuntu/software-properties-dbus | 1 +
apparmor.d/groups/ubuntu/update-notifier | 4 ++++
apparmor.d/groups/virt/libvirtd | 14 +++++++++-----
apparmor.d/profiles-a-f/blueman | 3 ++-
apparmor.d/profiles-g-l/git | 1 +
apparmor.d/profiles-g-l/glxinfo | 5 +++--
apparmor.d/profiles-g-l/gtk-update-icon-cache | 6 +++++-
apparmor.d/profiles-g-l/lspci | 2 +-
apparmor.d/profiles-m-r/mtools | 2 ++
apparmor.d/profiles-s-z/snap | 5 +++--
apparmor.d/profiles-s-z/snap-seccomp | 4 ++--
apparmor.d/profiles-s-z/spice-vdagent | 9 +++++++++
apparmor.d/profiles-s-z/steam | 11 +++++++++--
apparmor.d/profiles-s-z/steam-game | 13 ++++++++++---
37 files changed, 120 insertions(+), 32 deletions(-)
diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found
index 0af31a95..27a870fd 100644
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,19 +12,23 @@ include
 @{exec_path} += /{usr/,}lib/command-not-found
 profile command-not-found @{exec_path} {
 include
- include
- include
 include
+ include
+ include
+ include
 @{exec_path} r,
 /{usr/,}bin/python3.[0-9]* r,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/snap rPx,
 /var/lib/command-not-found/commands.db rwk,
 /usr/share/command-not-found/{,**} r,
+ owner @{PROC}/@{pid}/fd/ r,
+
 # Silencer
 deny /usr/lib/ r,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index f2421d3a..2ae6c053 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -251,10 +251,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj w,
 owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
 owner @{PROC}/@{pid}/task/ r,
- owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
 deny owner @{PROC}/@{pid}/smaps r,
 deny owner @{PROC}/@{pid}/stat r,
 deny owner @{PROC}/@{pid}/statm r,
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index b88b613c..341e0300 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -22,8 +22,8 @@ profile polkitd @{exec_path} {
 ptrace (read),
- dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
- interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
+ dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/*
+ interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members
 dbus (send) bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
@@ -31,7 +31,7 @@ profile polkitd @{exec_path} {
 peer=(name=org.freedesktop.DBus),
 dbus (bind) bus=system
- name=org.freedesktop.PolicyKit[0-9],
+ name=org.freedesktop.PolicyKit1,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 32225705..0f116b01 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -49,6 +49,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 # Allowed apps to open
 /{usr/,}bin/firefox rPx -> firefox,
+ /{usr/,}bin/nautilus rPx,
 / r,
 /.flatpak-info r,
diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email
index 8fc5ecc7..5de0dd91 100644
--- a/apparmor.d/groups/freedesktop/xdg-email
+++ b/apparmor.d/groups/freedesktop/xdg-email
@@ -14,8 +14,10 @@ profile xdg-email @{exec_path} flags=(complain) {
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gio rPx,
 /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/gio rPx,
+ /{usr/,}bin/readlink rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/which rix,
 /{usr/,}bin/xdg-mime rPx,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
index 04af0cba..d3adb24c 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
@@ -13,6 +13,7 @@ profile xdg-user-dirs-gtk-update @{exec_path} {
 @{exec_path} mr,
+ owner @{user_config_dirs}/gtk-3.0/bookmarks* rw,
 owner @{user_config_dirs}/user-dirs.dirs r,
 owner @{user_config_dirs}/user-dirs.locale r,
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 8214e4ba..e28c11b0 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 4619ca5c..a8789538 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/bwrap rPUx,
 /{usr/,}bin/openvpn rPx,
 /{usr/,}bin/passwd rPx,
+ /{usr/,}bin/software-properties-gtk rPx,
 /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 /usr/share/language-tools/language2locale rix,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index c2c118a9..122ac39a 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 93e434a1..f6931ba9 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -164,13 +164,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
 @{run}/udev/data/n[0-9]* r,
+ @{sys}/**/uevent r,
 @{sys}/bus/ r,
 @{sys}/class/ r,
 @{sys}/class/hwmon/ r,
 @{sys}/class/input/ r,
 @{sys}/class/net/ r,
 @{sys}/class/power_supply/ r,
- @{sys}/**/uevent r,
 @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@@ -180,6 +180,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/drm/ r,
 @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
 @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
 @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 20ca500e..10efb895 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} {
 include
 signal (send) set=(term hup kill) peer=unconfined,
+ ptrace (read) peer=unconfined,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index cf9a4654..152ef7a0 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -38,6 +38,12 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.Avahi.Server
 member=StateChanged,
+ dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/*}
+ interface={org.freedesktop.DBus.Properties,org.gnome.SessionManager},
+
+ dbus bind bus=session
+ name=org.gnome.SettingsDaemon.PrintNotifications,
+
 @{exec_path} mr,
 @{libexec}/gsd-printer rPx,
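Review bot: `ptrace (read) peer=unconfined,` in the gnome-terminal-server hunk is the rule that lets the confined server read the /proc/<pid> entries (cwd, exe, environ, maps) of every unconfined process on the session, and nothing in the hunk records why that is needed, so the next reviewer will be tempted to strip it as a widening. Presumably it is there so the server can read the foreground shell's working directory for "open tab in current directory", since the shell it spawns runs unconfined, but that should be confirmed against the denial that motivated it. A trailing why-comment would settle it, e.g. `ptrace (read) peer=unconfined, # read /proc/<pid>/cwd of the child shell`. The profile body continues beyond this hunk.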
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 0973a395..16c4c3e5 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -36,6 +36,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.NetworkManager
 member=CheckPermissions,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+ interface=org.freedesktop.NetworkManager.Connection.Active
+ member=StateChanged,
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 979be831..938d6f33 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -59,6 +59,8 @@ profile tracker-extract @{exec_path} {
 @{run}/udev/data/c51[0-9]:[0-9]* r,
 @{run}/mount/utab r,
+ @{sys}/devices/system/cpu/possible r,
+
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
@@ -67,5 +69,7 @@ profile tracker-extract @{exec_path} {
 /dev/media[0-9]* r,
 /dev/video[0-9]* rw,
+ deny owner @{user_share_dirs}/gvfs-metadata/** r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 18f55c82..01da7aa1 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/gvfsd
 profile gvfsd @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index eff61925..9ea20cfa 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
 include
+ include
 include
 unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index fb46ee85..3d0c1696 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/gvfsd-metadata
 profile gvfsd-metadata @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 7b2913f1..7cc4cab8 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/gvfsd-trash
 profile gvfsd-trash @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 4f7fe0cc..0b94c533 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
-profile mullvad-daemon @{exec_path} {
+profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -29,6 +29,9 @@ profile mullvad-daemon @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}bin/ip rix,
+
+ "/opt/Mullvad VPN/resources/openvpn" rix,
 "/opt/Mullvad VPN/resources/*" r,
 /etc/mullvad-vpn/{,*} r,
@@ -47,8 +50,13 @@ profile mullvad-daemon @{exec_path} {
 @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ owner /tmp/@{uuid} rw,
+ owner /tmp/talpid-openvpn-@{uuid} rw,
+
 owner @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
+ /dev/net/tun rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 6025ed12..3bdef0d6 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
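Review bot: `"/opt/Mullvad VPN/resources/openvpn" rix,` in the mullvad-daemon `@@ -29,6 +29,9 @@` hunk runs the bundled OpenVPN under the daemon's own label, so the VPN process inherits everything mullvad-daemon is allowed (tun, cgroup net_cls, the sysctl writes visible in the next hunk) instead of the narrower confinement the corpus already has for openvpn (this same patch references it with `/{usr/,}bin/openvpn rPx` in gnome-control-center). `"/opt/Mullvad VPN/resources/openvpn" rPx -> openvpn,` would hand it off, at the cost of adding that path to the openvpn profile's `@{exec_path}` and checking that profile covers the talpid config/`/tmp/talpid-openvpn-@{uuid}` files; I cannot see that profile here, so confirm before switching. The same consideration applies, less critically, to `/{usr/,}bin/ip rix`. If `rix` is the deliberate choice for now, a short comment saying so would keep it from being read as an oversight.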
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{,s}bin/tailscaled
-profile tailscaled @{exec_path} {
+profile tailscaled @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -22,6 +22,8 @@ profile tailscaled @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network inet raw,
+ network inet6 raw,
 network netlink raw,
 ptrace (read),
@@ -39,8 +41,9 @@ profile tailscaled @{exec_path} {
 /etc/resolv.conf rw,
 /etc/resolv.conf.*.tmp rw,
- owner /var/lib/tailscale/{,**} rw,
 owner @{run}/tailscale/{,**} rw,
+ owner /var/cache/{,**} rw,
+ owner /var/lib/tailscale/{,**} rw,
 @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 81ba8b56..29684946 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -91,6 +91,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/mkinitcpio rPx,
 /{usr/,}bin/pacdiff rPx,
 /{usr/,}bin/pacman-key rPx,
+ /{usr/,}bin/sbctl rPx,
 /{usr/,}bin/sysctl rPx,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}bin/systemd-* rPx,
@@ -121,7 +122,7 @@ profile pacman @{exec_path} {
 owner /var/lib/pacman/{,**} rwl,
 owner /tmp/alpm_*/{,**} rw,
- owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw,
+ owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
 owner /tmp/checkup-db-[0-9]*/db.lck rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index 755dcce4..fb560731 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification
index 2b6c6da5..cdbd7e90 100644
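Review bot: `owner /var/cache/{,**} rw,` in the tailscaled `@@ -39,8 +41,9 @@` hunk grants read/write over the whole of /var/cache rather than the daemon's own cache directory, and since tailscaled presumably runs as root the `owner` qualifier will match nearly everything under it (package, font and loader caches included). That is far wider than the sibling rule `owner /var/lib/tailscale/{,**} rw,` and than the denial that most likely motivated it. Scope it to the subtree tailscaled actually writes, presumably `owner /var/cache/tailscale/{,**} rw,`, and confirm the exact path from the audit log before merging.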
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
 profile livepatch-notification @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index 0bea79d9..97755324 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -42,6 +42,7 @@ profile software-properties-dbus @{exec_path} {
 /usr/share/xml/iso-codes/{,**} r,
 owner /tmp/[a-z0-9]* rw,
+ owner /tmp/_[a-z0-9]* rw,
 owner /tmp/tmp*/{,apt.conf} rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 63dec833..09f9f433 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -11,6 +11,7 @@ profile update-notifier @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -18,6 +19,9 @@ profile update-notifier @{exec_path} {
 include
 include
+ dbus receive bus=session path=/org/ayatana/NotificationItem/*
+ member={GetLayout,GetGroupProperties,GetAll,AboutToShow},
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 37ef9d7a..480b0d7c 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -3,11 +3,13 @@
 # Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Based on Libvirt Apparmor profile, it is largelly restricted from th
+# Based on Libvirt Apparmor profile, it is largelly restricted from it.
 # As upstream profile mostly focus on confining the guests. Not libvirt itself.
 # It uses a lot of profiles provided by apparmor.d
 # Source: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in
+# Warning: Such a profile is limited as it gives access to a lot of resources.
+
 abi ,
 include
@@ -213,9 +215,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/net_cls/machine.slice/ rw,
 @{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/net/ip_tables_names r,
+ @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/net/route r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/net/dev r,
@@ -227,10 +227,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/devices r,
 @{PROC}/mtrr w,
 @{PROC}/sys/net/ipv{4,6}/** rw,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/net/ip_tables_names r,
 /dev/dri/ r,
 /dev/hugepages/{,**} w,
- /dev/kvm r,
+ /dev/kvm rw,
 /dev/mapper/ r,
 /dev/mapper/control rw,
 /dev/net/tun rw,
@@ -268,5 +271,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 /dev/net/tun rw,
 }
+ include if exists
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index fc401342..1ee6a8fe 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -29,7 +29,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- /{usr/,}bin/{b,d}ash rix,
+ /{usr/,}bin/{b,d}ash rix,
+ /{usr/,}lib/gio-launch-desktop rix,
 /{usr/,}bin/blueman-tray rPx,
 /{usr/,}bin/xdg-open rCx -> open,
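Review bot: The rewritten header line `# Based on Libvirt Apparmor profile, it is largelly restricted from it.` fixes the truncation but keeps the typo and is still ambiguous about whether this profile is derived from upstream or tighter than it; the next two lines suggest the former. Suggested wording: `# Based on the upstream libvirt AppArmor profile, but largely rewritten, as the upstream profile mostly focuses on confining the guests, not libvirtd itself.` The new `# Warning:` line is useful and could name what it is warning about, e.g. `# Warning: this profile is only a coarse restriction, libvirtd needs access to a lot of host resources.`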
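Review bot: `@{PROC}/@{pid}/cmdline r,` in the libvirtd `@@ -213,9 +215,7 @@` hunk has no `owner` qualifier, and the three `owner @{PROC}/@{pid}/...` rules this hunk removes (re-added under `owner` in the next hunk) show that `@{pid}` here is a pattern matching any pid rather than the daemon's own, so libvirtd can now read the argv of every process on the host. If that is required because the qemu children run under a separate uid and `owner` cannot match them, a why-comment on the line would justify it (`# qemu runs as libvirt-qemu, owner does not match`); if libvirtd only needs its own, `owner @{PROC}/@{pid}/cmdline r,` placed with the other owner rules is the tighter form. I cannot see the tunable definition from this hunk, so confirm which case applies.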
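Review bot: `/{usr/,}lib/gio-launch-desktop rix,` in the blueman hunk runs the launcher under blueman's own label, so whatever gio-launch-desktop execs next must be covered by blueman's rules rather than by the dedicated gio-launch-desktop profile this same patch maintains (groups/gnome/gio-launch-desktop). If the launch chain is meant to stay under that profile, `/{usr/,}lib/gio-launch-desktop rPx,` is the consistent transition; if `rix` was chosen so the launched target lands on blueman's `xdg-open rCx -> open` path, a comment saying so would stop it being read as a copy of the `{b,d}ash rix` line above. I cannot see what blueman launches through it from this hunk, so treat the choice as one to confirm rather than a defect.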
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index f361e8df..8a9d0c58 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -67,6 +67,7 @@ profile git @{exec_path} {
 /{usr/,}bin/man rPx,
 /{usr/,}bin/meld rPUx,
 /{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
+ /{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx,
 /usr/share/aurpublish/*.hook rPx,
 /{usr/,}bin/gpg rCx -> gpg,
diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo
index 0241c547..82139919 100644
--- a/apparmor.d/profiles-g-l/glxinfo
+++ b/apparmor.d/profiles-g-l/glxinfo
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -14,10 +15,10 @@ profile glxinfo @{exec_path} {
 include
 include
 include
+ include
 capability sys_admin,
- # Needed?
- deny capability sys_nice,
+ audit capability sys_nice,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache
index f0dd86d9..db7feb06 100644
--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -22,6 +22,10 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
 /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
 /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,
+ owner @{user_share_dirs}/** r,
+ owner @{user_share_dirs}/**/.icon-theme.cache rw,
+ owner @{user_share_dirs}/**/icon-theme.cache rw,
+
 deny /apparmor/.null rw,
 include if exists
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci
index e3308c76..6bcceaca 100644
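Review bot: `audit capability sys_nice,` in the glxinfo `@@ -14,10 +15,10 @@` hunk silently flips a deny into a grant: `audit` only adds logging, so CAP_SYS_NICE is now allowed where the previous version refused it, and the removed `# Needed?` suggests the requirement was still an open question rather than a confirmed one. If the goal is to find out whether glxinfo ever asks for it while keeping the old behaviour, the form is `audit deny capability sys_nice,`; if it turned out to be needed, keep the grant but record why on the line. The profile already grants `capability sys_admin` so the practical impact is small, but a deny-to-allow change deserves a comment either way.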
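Review bot: `owner @{user_share_dirs}/** r,` in the gtk-update-icon-cache `@@ -22,6 +22,10 @@` hunk opens the user's entire data directory to a cache helper, which typically holds far more than icon themes (keyring files, application databases, mail), when all it needs to read is the icon trees it rebuilds. The two cache rules beneath it are already scoped to `icon-theme.cache` files, and the system-wide rules above are scoped to `.../share/icons/...`; the read rule should take the same shape, presumably `owner @{user_share_dirs}/icons/{,**} r,` plus `owner @{user_share_dirs}/flatpak/exports/share/icons/{,**} r,` if the user Flatpak export tree is what triggered it. Confirm the exact path from the denial rather than keeping the `**` read.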
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/lspci
-profile lspci @{exec_path} {
+profile lspci @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools
index 5f7b20c9..862f6f03 100644
--- a/apparmor.d/profiles-m-r/mtools
+++ b/apparmor.d/profiles-m-r/mtools
@@ -28,6 +28,8 @@ profile mtools @{exec_path} {
 owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,
+ owner /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 5aaf88e6..1d563721 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -9,9 +9,10 @@ include
 @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap
 profile snap @{exec_path} {
 include
- include
- include
 include
+ include
+ include
+ include
 @{exec_path} mrix,
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp
index 767c76a4..791d716c 100644
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@@ -22,9 +22,9 @@ profile snap-seccomp @{exec_path} {
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- deny @{user_share_dirs}/gvfs-metadata/* r,
- owner @{PROC}/@{pids}/mountinfo r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 17d71d8b..b3e3d27b 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -15,6 +15,15 @@ profile spice-vdagent @{exec_path} {
 include
 include
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.a11y.Bus
+ member=GetAddress
+ peer=(name=org.a11y.Bus),
+
+ dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
+ interface=org.gnome.Mutter.DisplayConfig
+ member=GetCurrentState,
+
 @{exec_path} mr,
 /etc/pipewire/client.conf r,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index a529e7f3..b365ced0 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -81,6 +81,7 @@ profile steam @{exec_path} {
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*driverquery rix,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fossilize_replay rPx,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui rpx,
+ @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/** rm,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rpx,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
@@ -107,6 +108,9 @@ profile steam @{exec_path} {
 /{usr/,}lib{,32,64}/ r,
 /etc/ r,
 /home/ r,
+ /run/ r,
+ /usr/bin/ r,
+ /var/ r,
 owner @{HOME}/ r,
 owner @{HOME}/.local/ r,
@@ -115,6 +119,8 @@ profile steam @{exec_path} {
 owner @{HOME}/.steampath rw,
 owner @{HOME}/.steampid rw,
+ owner @{user_games_dirs}/{,**} rwkl,
+
 owner @{user_config_dirs}/ r,
 owner @{user_config_dirs}/autostart/ r,
 owner @{user_config_dirs}/unity3d/{,**} rwk,
@@ -136,10 +142,11 @@ profile steam @{exec_path} {
 owner /tmp/dumps/ rw,
 owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
- owner /tmp/sh-thd.* rw,
- owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
+ owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
 owner /tmp/miles_image_* mrw,
 owner /tmp/runtime-info.txt.* rw,
+ owner /tmp/sh-thd.* rw,
+ owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
 @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+sound* r,
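Review bot: In the steam `@@ -107,6 +108,9 @@` hunk the new directory-listing rules are spelled as bare `/run/ r,` and `/usr/bin/ r,`, while the neighbouring rules (`/{usr/,}lib{,32,64}/ r,` two lines above, `@{run}/udev/...` in the last hunk) go through the usual tunables and merged-/usr alternation, so these two will not match on a layout where /run or /bin resolve differently and they stand out from the rest of the profile. Suggest `@{run}/ r,` and `/{usr/,}bin/ r,` to match the file's existing convention.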
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 3ea772b0..a891ab7e 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -25,7 +25,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 include
 include
@@ -108,6 +107,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
 @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,
+ @{user_games_dirs}/*/* mr,
+ @{user_games_dirs}/*/**.dll mr,
+
 @{run}/host/usr/bin/ldconfig rix,
 @{run}/host/usr/lib{,32,64}/**.so* rm,
 @{run}/host/usr/bin/localedef rix,
@@ -136,6 +138,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.steam/steam.pid r,
 owner @{HOME}/.steam/steam.pipe r,
+ owner @{user_games_dirs}/{,*/} r,
+ owner @{user_games_dirs}/*/{,**} rwkl,
+
 owner @{user_config_dirs}/ r,
 owner @{user_config_dirs}/unity3d/{,**} rwk,
@@ -151,7 +156,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
 owner @{user_share_dirs}/Steam/steamapps/common/*/** rwkl,
 owner @{user_share_dirs}/Steam/steamapps/common/Proton*/files/share/{,**} r,
- owner @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/{,**} rwk,
+ owner @{user_share_dirs}/Steam/steamapps/compatdata/{,**} rwk,
 owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
 owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
@@ -161,6 +166,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{run}/pressure-vessel/{,**} rw,
 owner @{run}/user/@{uid}/ r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
 owner /dev/shm/#[0-9]* rw,
 owner /dev/shm/mono.* rw,
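Review bot: `@{user_games_dirs}/*/* mr,` and `@{user_games_dirs}/*/**.dll mr,` in the steam-game `@@ -108,6 +107,9 @@` hunk are the only rules on this tree without `owner`, while the data access added for the same tree two hunks later (`owner @{user_games_dirs}/*/{,**} rwkl,`) is owner-restricted, so the profile lets a game map-execute files under games directories it could not otherwise touch. If the unowned form is deliberate (e.g. shared game installs owned by another uid) a comment on the line would record that; otherwise prefix both with `owner` so the exec mapping is no wider than the read/write rules. Either way the combination of `w` and `m` on a user-writable tree is inherent to how Steam installs games and is worth a one-line comment rather than being left implicit.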
@@ -206,12 +212,13 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{PROC}/sys/kernel/overflowuid r,
 @{PROC}/uptime r,
 @{PROC}/version r,
- owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/gid_map rw,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/setgroups rw,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/task/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,