From f9a93ab67e0317e9dd53050da4b1f35d9bec50bf Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 29 Jun 2024 23:05:45 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/groups/bus/dbus-session | 2 +
 .../groups/children/child-modprobe-nvidia | 4 ++
 apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +
 apparmor.d/groups/gnome/gnome-session-binary | 50 ++++--------------
 apparmor.d/groups/systemd/systemd-hostnamed | 2 +
 apparmor.d/groups/systemd/systemd-networkd | 7 +--
 apparmor.d/groups/virt/cockpit-bridge | 2 +
 apparmor.d/profiles-a-f/adb | 4 +-
 apparmor.d/profiles-m-r/mount | 1 -
 apparmor.d/profiles-m-r/ntfs-3g | 3 +-
 apparmor.d/profiles-m-r/ollama | 4 +-
 apparmor.d/profiles-m-r/pam-tmpdir-helper | 2 +-
 apparmor.d/profiles-m-r/run-parts | 2 +-
 apparmor.d/profiles-s-z/scrcpy | 2 +
 apparmor.d/profiles-s-z/smplayer | 13 +----
 apparmor.d/profiles-s-z/steam | 14 +++---
 apparmor.d/profiles-s-z/steam-game-native | 10 ++--
 apparmor.d/profiles-s-z/steam-runtime | 2 +
 18 files changed, 51 insertions(+), 75 deletions(-)
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 38259afc..88266bcb 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -20,6 +20,8 @@ profile dbus-session flags=(attach_disconnected) {
 include
 include
+ network unix stream,
+
 unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
 signal (receive) set=(term hup) peer=gdm-session-worker,
diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia
index 1812463f..afb48573 100644
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@@ -55,6 +55,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
 /dev/tty@{int} rw,
+ deny @{HOME}/.steam/** r,
+
 profile kmod {
 include
 include
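Review bot: The added `network unix stream,` sits directly above the existing peer-scoped `unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),` rule with nothing explaining why both are needed, so a later cleanup could drop either one. Presumably the coarse rule is required because recent AppArmor releases mediate AF_UNIX as a socket family while the `unix` rule still restricts the peer; if that is the reason, record it inline: `network unix stream, # AF_UNIX socket creation; peer access stays governed by the unix rules below`. The same unexplained pairing appears in the xdg-dbus-proxy and systemd-hostnamed hunks.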
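Review bot: The new `deny @{HOME}/.steam/** r,` (repeated in the `profile kmod` hunk that follows) silences every read of the user's Steam tree without recording what triggers it, and since `deny` rules are quiet by default the underlying access will no longer show up in the audit log if it later changes into something that matters. A short why-comment keeps that visible, e.g. `deny @{HOME}/.steam/** r, # TODO confirm trigger: noise when invoked from Steam's environment`. It is also worth one line noting that the copy inside `profile kmod` exists because a parent profile's rules do not apply to its subprofiles.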
@@ -69,6 +71,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
 # @{sys}/module/{drm,nvidia}/initstate r,
 @{sys}/module/compression r,
+ deny @{HOME}/.steam/** r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
index 6a4da425..bfc15989 100644
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@@ -18,6 +18,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 include
 include
+ network unix stream,
+
 dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThreadRealtimeWithPID
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 49ed8285..46a1b22d 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -111,49 +111,21 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 profile open flags=(attach_disconnected) {
 include
- include
+ include
- @{lib}/gio-launch-desktop mr,
+ @{bin}/env rix,
+ @{sh_path} r,
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
- @{sh_path} rix,
+ @{lib}/gio-launch-desktop mr,
- @{bin}/aa-notify rPx,
- @{bin}/blueman-applet rPx,
- @{bin}/firewall-applet rPx,
- @{bin}/gnome-keyring-daemon rPx,
- @{bin}/gnome-shell rPx,
- @{bin}/gnome-software rPx,
- @{bin}/im-launch rPx,
- @{bin}/keepassxc rPx,
- @{bin}/opensuse-welcome rPx,
- @{bin}/parcellite rPUx,
- @{bin}/pkcs11-register rPx,
- @{bin}/snap rPUx,
- @{bin}/snapshot-detect rPUx,
- @{bin}/spice-vdagent rPx,
- @{bin}/start-pulseaudio-x11 rPx,
- @{bin}/ubuntu-report rPx,
- @{bin}/update-notifier rPx,
- @{bin}/xbrlapi rPx,
- @{bin}/xdg-user-dirs-gtk-update rPx,
- @{bin}/xdg-user-dirs-update rPx,
- @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
- @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx,
- @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
- @{lib}/caribou/caribou rPUx,
- @{lib}/deja-dup/deja-dup-monitor rPx,
- @{lib}/gsd-* rPx,
- @{lib}/update-notifier/ubuntu-advantage-notification rPx,
- @{lib}/xapps/sn-watcher/* rPUx,
- @{thunderbird_path} rPx,
- /usr/share/libpam-kwallet-common/pam_kwallet_init rPUx,
+ @{lib}/** PUx,
+ @{bin}/** PUx,
+ /opt/*/** PUx,
+ /usr/share/*/** PUx,
+ /usr/local/bin/** PUx,
+ /usr/games/** PUx,
- #aa:exec baloo
- #aa:exec evolution-alarm-notify
- @{lib}/kdeconnectd rPUx,
- @{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,
-
- /dev/tty@{int} rw,
+ /dev/tty rw,
 include if exists
 include if exists
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index b81b1640..9686f186 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
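Review bot: Replacing the enumerated `rPx` transitions with `@{lib}/** PUx,`, `@{bin}/** PUx,`, `/opt/*/** PUx,`, `/usr/share/*/** PUx,`, `/usr/local/bin/** PUx,` and `/usr/games/** PUx,` changes the failure mode of the `open` subprofile: any program it launches that has no loaded profile now runs unconfined instead of being refused, and targets that were previously profile-only (gnome-shell, gnome-keyring-daemon and the rest of the removed list) silently fall back to unconfined whenever their profile is missing or fails to load. That may be an acceptable trade-off for an autostart launcher, but it should be stated above the block, e.g. `# Autostart targets: confined when a profile is loaded, unconfined otherwise`, so nobody reads the wildcard as equivalent to the old list. `/usr/share/*/** PUx,` also deserves a second look, since it grants unconfined execution under data directories that are not normally meant to hold executables. The `profile open` body closes outside the hunk.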
@@ -16,6 +16,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 capability sys_admin, # To set a hostname
+ network unix stream,
+
 unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system,
 #aa:dbus own bus=system name=org.freedesktop.hostname1
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index f0f97433..3aece965 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -53,12 +53,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/network/ r,
 @{run}/systemd/network/*.network r,
 @{run}/systemd/notify rw,
- owner @{run}/systemd/netif/.#state rw,
- owner @{run}/systemd/netif/.#state* rw,
- owner @{run}/systemd/netif/leases/{,*} rw,
- owner @{run}/systemd/netif/links/{,*} rw,
- owner @{run}/systemd/netif/lldp/{,*} rw,
- owner @{run}/systemd/netif/state rw,
+ owner @{run}/systemd/netif/** rw,
 @{run}/udev/data/n@{int} r,
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index ad3eee9f..c4337d77 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -40,6 +40,7 @@ profile cockpit-bridge @{exec_path} {
 @{lib}/cockpit/cockpit-ssh rPx,
 /usr/share/cockpit/{,**} r,
+ /usr/{,local/}share/ r,
 /etc/cockpit/{,**} r,
 /etc/httpd/conf/mime.types r,
@@ -51,6 +52,7 @@ profile cockpit-bridge @{exec_path} {
 /etc/shells r,
 owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
+ owner @{user_share_dirs}/ r,
 @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
 @{run}/utmp r,
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb
index 13863c03..52e2621f 100644
--- a/apparmor.d/profiles-a-f/adb
+++ b/apparmor.d/profiles-a-f/adb
@@ -9,14 +9,16 @@ include
 @{exec_path} = @{bin}/adb
 @{exec_path} += @{lib}/android-sdk/platform-tools/adb
-profile adb @{exec_path} {
+profile adb @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
 network inet stream,
 network inet6 stream,
+ network netlink raw,
 signal (receive) set=(kill) peer=scrcpy,
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index f122b8f2..c9db3c08 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -49,7 +49,6 @@ profile mount @{exec_path} flags=(attach_disconnected) {
 @{MOUNTS}/ rw,
 @{MOUNTS}/*/ rw,
 @{MOUNTS}/*/*/ rw,
- /media/cdrom[0-9]/ r,
 # Mount iso/img files
 owner @{user_img_dirs}/{,**} rwk,
diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g
index e5ae871b..a7a580c4 100644
--- a/apparmor.d/profiles-m-r/ntfs-3g
+++ b/apparmor.d/profiles-m-r/ntfs-3g
@@ -9,8 +9,9 @@ include
 @{exec_path} = @{bin}/{low,}ntfs{,-3g}
 @{exec_path} += @{bin}/mount.{low,}ntfs{,-3g}
-profile ntfs-3g @{exec_path} {
+profile ntfs-3g @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama
index 483e9786..e7ff1db5 100644
--- a/apparmor.d/profiles-m-r/ollama
+++ b/apparmor.d/profiles-m-r/ollama
@@ -47,4 +47,6 @@ profile ollama @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/task/@{tid}/comm w,
 include if exists
-}
\ No newline at end of file
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper
index 983ca7d4..5c86a1b2 100644
--- a/apparmor.d/profiles-m-r/pam-tmpdir-helper
+++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper
@@ -15,7 +15,7 @@ profile pam-tmpdir-helper @{exec_path} {
 @{exec_path} mr,
- owner @{tmp}/user/ rw,
+ owner /tmp/user/ rw,
 owner @{tmp}/ rw,
 /dev/ptmx rw,
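Review bot: `flags=(attach_disconnected)` is added to the adb profile (and to ntfs-3g in a later hunk) without a comment naming the disconnected path that required it. With that flag, objects whose path cannot be resolved inside the profile's namespace are re-attached at `/`, so every broad path rule elsewhere in the profile now matches them as well; a one-line note next to the flag records the trigger and lets a reviewer judge whether the remaining path rules are still tight enough. The new `network netlink raw,` also lacks a rationale, and as far as I know AppArmor does not distinguish netlink protocols, so it covers route, uevent and the others alike — something like `network netlink raw, # TODO confirm: interface enumeration` would pin it to the observed need.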
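Review bot: `owner /tmp/user/ rw,` deliberately uses a literal path while the very next line keeps `owner @{tmp}/ rw,`, and nothing explains the asymmetry, so a future tidy-up is likely to fold it back into `@{tmp}/user/` and reintroduce whatever this hunk fixes. Presumably `@{tmp}` can expand to the per-user pam-tmpdir directory, which is exactly what this helper creates, so the variable cannot be used to describe its own parent; if that is the reason, say it inline: `owner /tmp/user/ rw, # literal on purpose: this is the tree @{tmp} expands into`.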
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 8fe649ff..08dcaaea 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -137,7 +137,7 @@ profile run-parts @{exec_path} {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/$anacron* rw,
- owner @{tmp}/file@{rand6} ra,
+ owner @{tmp}/file@{rand6} rw,
 owner @{sys}/class/power_supply/ r,
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index 8903fe28..f1af8647 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -34,6 +34,8 @@ profile scrcpy @{exec_path} {
 owner @{user_config_dirs}/ibus/bus/ r,
 owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
+ owner @{PROC}/@{pid}/cmdline r,
+
 deny @{user_share_dirs}/gvfs-metadata/* r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer
index 54b4080f..28065ac2 100644
--- a/apparmor.d/profiles-s-z/smplayer
+++ b/apparmor.d/profiles-s-z/smplayer
@@ -12,22 +12,13 @@ profile smplayer @{exec_path} {
 include
 include
 include
- include
+ include
 include
- include
- include
- include
- include
+ include
 include
- include
 include
 include
 include
- include
- include
-
- # Needed for hardware decoding
- ##include
 signal (send) set=(term, kill),
 signal (receive) set=(term, kill),
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index ecd8d743..d091c4b5 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -84,14 +84,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{lib_dirs}/** mr,
 @{lib_dirs}/*driverquery rix,
- @{lib_dirs}/fossilize_replay rpx,
- @{lib_dirs}/gameoverlayui rpx,
+ @{lib_dirs}/fossilize_replay rpx, # steam-fossilize
+ @{lib_dirs}/gameoverlayui rpx, # steam-gameoverlayui
 @{lib_dirs}/reaper rpx, # steam-runtime
 @{lib_dirs}/steam* rix,
 @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime,
- @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
+ @{share_dirs}/linux{32,64}/steamerrorreporter rpx, # steamerrorreporter
 @{runtime_dirs}/*entry-point rix,
 @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
@@ -101,7 +101,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor rix,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-* rix,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int} rix,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, # steam-launcher
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-* rix,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rix,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
@@ -125,14 +125,10 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /var/lib/dbus/machine-id r,
 / r,
- @{bin}/ r,
 @{lib}/ r,
- /etc/ r,
- /home/ r,
- /usr/ r,
 /usr/local/ r,
 /usr/local/lib/ r,
@@ -350,6 +346,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/class/*/ r,
 @{sys}/devices/**/report_descriptor r,
 @{sys}/devices/**/uevent r,
+ @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r,
 @{sys}/devices/system/cpu/kernel_max r,
 @{sys}/devices/virtual/tty/tty@{int}/active r,
@@ -365,6 +362,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{PROC}/@{pid}/task/@{tid}/comm r,
 owner @{PROC}/@{pid}/task/@{tid}/status r,
+ /dev/ r,
 /dev/hidraw@{int} rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native
index 9453076e..2817006f 100644
--- a/apparmor.d/profiles-s-z/steam-game-native
+++ b/apparmor.d/profiles-s-z/steam-game-native
@@ -19,20 +19,20 @@ profile steam-game-native @{exec_path} flags=(attach_disconnected) {
 include
 network inet dgram,
- network inet6 dgram,
 network inet stream,
+ network inet6 dgram,
 network inet6 stream,
 network netlink raw,
 network unix stream,
 signal receive peer=steam,
- @{exec_path} rmix,
+ @{exec_path} mrix,
- @{sh_path} rix,
+ @{sh_path} rix,
- @{app_dirs}/** mr,
- @{lib_dirs}/** mr,
+ @{app_dirs}/** mr,
+ @{lib_dirs}/** mr,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime
index a8ff7874..6fde5418 100644
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@@ -22,6 +22,8 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 include
 include
+ network inet stream,
+ network inet6 stream,
 network unix stream,
 @{exec_path} mr,
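Review bot: `network inet stream,` and `network inet6 stream,` are granted to the steam-runtime profile, which until now only had `network unix stream,`, with no comment naming the component that opens TCP sockets. The games themselves appear to run under separate profiles (the steam-game-native hunk above carries its own inet rules), so this grant applies to the runtime entry-point rather than to the game; if that is intended, record the consumer so the widening stays reviewable, e.g. `network inet stream, # TODO confirm: which runtime component needs TCP`.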