From fa4d065f5286711585e61d4459727d91f46d8c6d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 31 Mar 2023 18:47:32 +0100
Subject: [PATCH] feat(profile): minor profile update.
See: #137
---
 apparmor.d/groups/browsers/brave | 4 +-
 .../groups/freedesktop/xdg-desktop-portal-gtk | 1 +
 apparmor.d/groups/freedesktop/xwayland | 1 +
 apparmor.d/profiles-a-f/bluetoothd | 2 +-
 apparmor.d/profiles-a-f/dnscrypt-proxy | 56 ++++++++-----------
 apparmor.d/profiles-g-l/login | 12 ++--
 apparmor.d/profiles-s-z/udisksd | 2 +
 7 files changed, 36 insertions(+), 42 deletions(-)
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index d716a84a..530ad8c6 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -7,13 +7,13 @@ abi ,
 include
-@{chromium_name} = brave{,-beta,-dev}
+@{chromium_name} = brave{,-beta,-dev,-bin}
 @{chromium_domain} = com.brave.Brave
 @{chromium_lib_dirs} = /opt/brave.com/@{chromium_name} /opt/brave-bin/@{chromium_name}
 @{chromium_config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
 @{chromium_cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
-@{exec_path} = @{chromium_lib_dirs}/@{chromium_name}
+@{exec_path} = /{usr/,}bin/@{chromium_name} @{chromium_lib_dirs}/@{chromium_name}
 profile brave @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index c127a1f5..0d1a6f77 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -160,6 +160,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 owner @{HOME}/ r,
 owner @{HOME}/.* r,
+ owner @{HOME}/.icons/{,**} r,
 owner @{HOME}/@{XDG_DATA_HOME}/ r,
 owner /tmp/runtime-cb/xauth_?????? r,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 2bb5bfa7..a173f800 100644
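Review bot: The new `-bin` alternative in `@{chromium_name}` is expanded everywhere the variable is used, not only in the new `/{usr/,}bin/@{chromium_name}` attachment path, so `@{chromium_lib_dirs}` now also matches `/opt/brave-bin/brave-bin` and the profile attaches to more paths than the unchanged `@{chromium_config_dirs}`/`@{chromium_cache_dirs}` (`{,-Beta,-Dev}` only) suggest exist. If `-bin` is only the name of the `/{usr/,}bin` entry point shipped by some packages, listing it there directly, `@{exec_path} = /{usr/,}bin/brave{,-beta,-dev,-bin} @{chromium_lib_dirs}/@{chromium_name}`, keeps the widening to the attachment line. A short comment such as `# -bin: binary name used by third-party packages — confirm` would record the intent either way.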
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -18,6 +18,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term hup) peer=gdm*,
 signal (receive) set=(term hup) peer=gnome-shell,
+ signal (receive) set=(term hup) peer=login,
 unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
 unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 6f58c212..037b1723 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -33,7 +33,7 @@ profile bluetoothd @{exec_path} {
 @{run}/udev/data/+hid:* r,
 @{sys}/devices/pci[0-9]*/**/rfkill[0-9]*/name r,
- @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bluetooth/**/{uevent,name} r,
+ @{sys}/devices/pci[0-9]*/**/bluetooth/**/{uevent,name} r,
 @{sys}/devices/platform/**/rfkill/**/name r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy
index 881386d6..a4c54d5c 100644
--- a/apparmor.d/profiles-a-f/dnscrypt-proxy
+++ b/apparmor.d/profiles-a-f/dnscrypt-proxy
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,16 +13,11 @@ profile dnscrypt-proxy @{exec_path} {
 include
 include
- # To bind to the 53 tcp/udp port (when systemd's sockets aren't used).
+ capability net_admin,
 capability net_bind_service,
-
- # Needed for privilege drop (to run as _dnscrypt-proxy:nogroup).
 capability setgid,
 capability setuid,
- # Needed?
- capability net_admin,
-
 network inet dgram,
 network inet6 dgram,
 network inet stream,
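Review bot: `capability net_admin,` is now granted unconditionally while the `# Needed?` question and the rationale comments for `net_bind_service` and `setuid`/`setgid` are dropped, so the profile no longer says why any of its capabilities exist; `net_admin` is far broader than `net_bind_service` (interface, routing and netfilter configuration) and is the one most in need of a justification. Keep a one-line comment per capability, e.g. `# net_admin: needed for <observed denial> — TODO confirm`, `# net_bind_service: bind port 53 when systemd sockets are not used`, `# setuid/setgid: drop privileges to _dnscrypt-proxy`. The profile body continues outside the hunk.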
@@ -30,47 +26,39 @@ profile dnscrypt-proxy @{exec_path} {
 @{exec_path} mrix,
- # dnscrypt-proxy config files
 /etc/dnscrypt-proxy/ r,
- /etc/dnscrypt-proxy/dnscrypt-proxy.toml r,
- /etc/dnscrypt-proxy/whitelist.txt r,
 /etc/dnscrypt-proxy/blacklist.txt r,
 /etc/dnscrypt-proxy/cloaking-rules.txt r,
+ /etc/dnscrypt-proxy/dnscrypt-proxy.toml r,
 /etc/dnscrypt-proxy/forwarding-rules.txt r,
+ /etc/dnscrypt-proxy/localhost.pem r,
+ /etc/dnscrypt-proxy/whitelist.txt r,
- # This is for the built-in DoH server / Firefox ESNI (Encrypted ClientHello)
- # See: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH
- owner /etc/dnscrypt-proxy/localhost.pem r,
-
- # For downloading the relays.md and public-resolvers.md files (for offline use, which can fix
- # connectivity issues).
- owner /etc/dnscrypt-proxy/sf-*.tmp rw,
- owner /etc/dnscrypt-proxy/relays.md rw,
- owner /etc/dnscrypt-proxy/relays.md.minisig rw,
 owner /etc/dnscrypt-proxy/public-resolvers.md rw,
 owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,
- owner /var/cache/dnscrypt-proxy/sf-*.tmp rw,
- owner /var/cache/dnscrypt-proxy/relays.md rw,
- owner /var/cache/dnscrypt-proxy/relays.md.minisig rw,
- owner /var/cache/dnscrypt-proxy/public-resolvers.md rw,
- owner /var/cache/dnscrypt-proxy/public-resolvers.md.minisig rw,
-
- @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/sys/kernel/hostname r,
-
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
- # Logs
+ owner /etc/dnscrypt-proxy/relays.md rw,
+ owner /etc/dnscrypt-proxy/relays.md.minisig rw,
+ owner /etc/dnscrypt-proxy/sf-*.tmp rw,
+
+ /var/cache/private/dnscrypt-proxy/{,**} r,
+ /var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw,
+ /var/cache/private/dnscrypt-proxy/sf-*.tmp rw,
+
 /var/log/dnscrypt-proxy/ r,
 /var/log/dnscrypt-proxy/*.log w,
 /var/log/private/dnscrypt-proxy/ rw,
 /var/log/private/dnscrypt-proxy/*.log w,
- /var/cache/private/dnscrypt-proxy/sf-*.tmp rw,
- /var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw,
+ owner /var/cache/dnscrypt-proxy/public-resolvers.md rw,
+ owner /var/cache/dnscrypt-proxy/public-resolvers.md.minisig rw,
+ owner /var/cache/dnscrypt-proxy/relays.md rw,
+ owner /var/cache/dnscrypt-proxy/relays.md.minisig rw,
+ owner /var/cache/dnscrypt-proxy/sf-*.tmp rw,
- # Needed?
- deny /etc/ssl/certs/java/ r,
+ @{PROC}/sys/kernel/hostname r,
+ @{PROC}/sys/net/core/somaxconn r,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index cdc7f469..9db8457c 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -17,6 +17,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 capability audit_write,
 capability chown,
+ capability dac_override,
 capability dac_read_search,
 capability fowner,
 capability fsetid,
@@ -29,7 +30,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- signal (send) set=(hup,term),
+ signal (send) set=(hup term),
 ptrace read,
@@ -54,16 +55,17 @@ profile login @{exec_path} flags=(attach_disconnected) {
 /var/log/btmp{,.[0-9]*} r,
+ owner @{user_cache_dirs}/motd.legal-displayed rw,
+
 @{run}/dbus/system_bus_socket rw,
 @{run}/faillock/* rwk,
 @{run}/motd.dynamic{,.new} rw,
 @{run}/systemd/sessions/*.ref rw,
- owner @{PROC}/@{pid}/uid_map r,
- owner @{PROC}/@{pid}/loginuid rw,
+ @{PROC}/@{pids}/cgroup r,
 @{PROC}/1/limits r,
-
- owner @{user_cache_dirs}/motd.legal-displayed rw,
+ owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/uid_map r,
 /dev/tty[0-9]* rw,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index fa70ef94..3456e9c9 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
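Review bot: The new `/var/cache/private/dnscrypt-proxy/` block grants `rw` only to `public-resolvers.md{,.minisig}` and `sf-*.tmp`, whereas the `/etc/dnscrypt-proxy/` and `/var/cache/dnscrypt-proxy/` blocks on the same new side also cover `relays.md{,.minisig}`; when the cache lives under `/var/cache/private` a relay-list refresh would presumably be denied, so add `/var/cache/private/dnscrypt-proxy/relays.md{,.minisig} rw,` or say why it is left out. Dropping `deny /etc/ssl/certs/java/ r,` also turns what was a silent rejection into a logged one if that directory is still probed and nothing included grants it; if the deny existed to keep the log quiet, keep it with a real comment instead of the removed `# Needed?`. The `/var/cache/private` rules and the catch-all `/var/cache/private/dnscrypt-proxy/{,**} r,` carry no `owner` while their `/var/cache/dnscrypt-proxy/` counterparts keep it — a comment would help if that asymmetry is deliberate.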
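Review bot: `capability dac_override,` is added without a comment, and it lets login bypass every file permission check, which goes well beyond the `dac_read_search` already granted on the next line; the commit message only points to #137. Record the access that triggered it so the grant stays reviewable, e.g. `# dac_override: needed to <access which path> (see #137) — confirm`. The profile body continues outside the hunk.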
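Review bot: `@{PROC}/@{pids}/cgroup r,` is the only proc rule in this hunk without `owner` and it uses `@{pids}`, so login may read the cgroup of any process on the system, while the `loginuid` and `uid_map` rules right below stay scoped to `owner @{PROC}/@{pid}/`. If login only inspects its own cgroup, `owner @{PROC}/@{pid}/cgroup r,` keeps the same scope as its neighbours; if it genuinely has to look at other processes, a comment saying which ones would justify the wider rule.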
@@ -101,6 +101,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}{s,}bin/sfdisk rPx,
 /{usr/,}{s,}bin/sgdisk rPx,
 /{usr/,}bin/eject rPx,
+ /{usr/,}bin/mount.exfat-fuse rPUx,
 /{usr/,}bin/ntfs-3g rPx,
 /{usr/,}bin/ntfsfix rPx,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
@@ -146,6 +147,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /dev/loop-control rw,
 /dev/mapper/ r,
 /dev/mapper/control rw,
+ /dev/null.[0-9]* rw,
 include if exists
 }
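Review bot: `/{usr/,}bin/mount.exfat-fuse rPUx,` falls back to running the helper unconfined when no `mount.exfat-fuse` profile is loaded, unlike every neighbouring helper (`eject`, `ntfs-3g`, `ntfsfix`, `systemctl`) which uses `rPx` and therefore fails closed. If a profile for it exists in the set, `rPx` matches the siblings; if it does not, a comment such as `# no mount.exfat-fuse profile yet: fall back to unconfined` makes the weaker transition an explicit decision rather than an oversight.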
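Review bot: `/dev/null.[0-9]* rw,` grants creation of and writes to arbitrary `/dev/null.<digits>` entries without saying what produces them; the name looks like a temporary-file or rename pattern rather than a device node, and nothing in the hunk explains it. A comment naming the code path or the denial that motivated it, e.g. `# /dev/null.NNN: written by <helper> — confirm`, would make the rule reviewable and let a later maintainer narrow it.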