From faab4928ed223960bd5e38a2fb84b8bf0f2b32c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 15 Jun 2024 16:49:06 +0100 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/freedesktop/fc-cache | 4 +- apparmor.d/groups/freedesktop/xdg-mime | 1 + apparmor.d/groups/freedesktop/xdg-screensaver | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/pacman | 1 + apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/acpid | 2 +- apparmor.d/profiles-a-f/dmesg | 7 +- apparmor.d/profiles-a-f/f3fix | 16 +- apparmor.d/profiles-a-f/fatresize | 15 +- apparmor.d/profiles-a-f/findmnt | 1 + apparmor.d/profiles-g-l/gpartedbin | 35 ++-- apparmor.d/profiles-g-l/gpodder | 74 ++----- apparmor.d/profiles-g-l/hw-probe | 195 +++++++++--------- apparmor.d/profiles-g-l/hwinfo | 74 +++---- apparmor.d/profiles-g-l/libreoffice | 1 + apparmor.d/profiles-m-r/parted | 18 +- apparmor.d/profiles-m-r/partprobe | 21 +- apparmor.d/profiles-m-r/pass-import | 4 +- apparmor.d/profiles-m-r/pkexec | 7 +- apparmor.d/profiles-m-r/protonmail-bridge | 2 + apparmor.d/profiles-s-z/usb-devices | 14 +- 23 files changed, 213 insertions(+), 286 deletions(-) diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index affeb182..a3e5beeb 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -7,7 +7,9 @@ abi , include -@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}bin/fc-cache{,-32,-v*} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} + +@{exec_path} = @{bin_dirs}/fc-cache{,-32,-v*} profile fc-cache @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index df733b16..4ea8970b 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
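Review bot: `@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}` ends its first alternative with a slash while `@{exec_path} = @{bin_dirs}/fc-cache{,-32,-v*}` adds another, so the expanded attachment path for the regular install reads `@{bin}//fc-cache`. Unless apparmor_parser normalises repeated slashes during variable expansion (worth confirming with `apparmor_parser -p` on this file), that alternative would no longer match `/usr/bin/fc-cache` and the profile would silently stop attaching there. Dropping the trailing slash, `@{bin_dirs} = @{bin} /snap/{snapd,core}/@{int}@{bin}`, keeps both alternatives consistent with the `/fc-cache` suffix.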
@@ -18,6 +18,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, + @{bin}/cat rix, @{bin}/cut rix, @{bin}/file rix, @{bin}/head rix, diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index 9b655a40..353bb7b1 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -32,7 +32,7 @@ profile xdg-screensaver @{exec_path} { @{bin}/xset rPx, @{bin}/hostname rix, - /dev/dri/card[0-9] rw, + /dev/dri/card@{int} rw, owner @{HOME}/ r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index f22cde87..2eda9bb0 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex} rw, + owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 1a3a6ec4..4446ad03 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -55,7 +55,7 @@ profile aurpublish @{exec_path} { owner @{user_cache_dirs}/makepkg/src/* rw, owner @{user_config_dirs}/pacman/makepkg.conf r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/maps r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 7207c714..5a873f18 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -146,6 +146,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { # Silencer, deny @{HOME}/ r, + deny @{HOME}/**/ r, deny /tmp/ r, profile gpg { 
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 32428f2b..96be2491 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -117,6 +117,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ip rix, + @{bin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/tc rix, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 95eb98c6..e994edb9 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -18,7 +18,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/{ba,da,}sh rix, + @{sh_path} rix, @{bin}/logger rix, /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn, diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 85943afa..346a91c8 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -12,8 +12,8 @@ profile dmesg @{exec_path} { include include - capability syslog, capability dac_read_search, + capability syslog, @{exec_path} mr, @@ -28,8 +28,11 @@ profile dmesg @{exec_path} { /dev/kmsg r, - deny /{usr/,}local/bin/ r, deny @{bin}/{,*/} r, + deny /{usr/,}local/{,s}bin/ r, + deny /var/lib/flatpak/exports/bin/ r, + deny @{HOME}/.go/bin/ r, + deny @{user_bin_dirs}/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index 307e3270..75d11148 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix 
@@ -12,28 +12,20 @@ profile f3fix @{exec_path} { include include - # To remove the following errors: - # Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the - # kernel of the change, probably because it/they are in use. As a result, the old partition(s) - # will remain in use. You should reboot now before making further changes. capability sys_admin, - - # Needed? (##FIXME##) capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/dmidecode rPx, + @{bin}/udevadm rCx -> udevadm, - @{bin}/udevadm rCx -> udevadm, - - owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, profile udevadm { include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 261aea0e..71fc917f 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -12,27 +12,20 @@ profile fatresize @{exec_path} { include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKFLSBUF) = -1 EACCES (Permission denied) capability sys_admin, - - # Needed? (##FIXME##) capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/dmidecode rPx, + @{bin}/udevadm rCx -> udevadm, - @{bin}/udevadm rCx -> udevadm, - - owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, - + owner @{PROC}/@{pid}/mounts r, profile udevadm { include diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index 663e4025..4aef829c 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -14,6 +14,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { include capability dac_read_search, + capability sys_rawio, @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index dc3b1fe1..65f6bbc1 100644 --- a/apparmor.d/profiles-g-l/gpartedbin 
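Review bot: The comments removed above `capability sys_admin,` and `capability sys_rawio,` in f3fix were the only record of why those capabilities are granted (the "unable to inform the kernel" partition error) and of the fact that sys_rawio was never confirmed necessary; the same rationale is dropped in the fatresize hunk on this line and in the parted and partprobe hunks further down. The hwinfo hunk in this same commit keeps that knowledge as a trailing comment instead, e.g. `capability sys_rawio, # Needed for disk related options`, and these four profiles would benefit from the same treatment, such as `capability sys_admin, # Needed to inform the kernel of partition changes (BLKRRPART)` and `capability sys_rawio, # TODO: confirm still needed`. Both capabilities are broad, and a later audit cannot tell an unverified grant from a verified one once the note is gone. The enclosing f3fix profile starts and ends outside the hunk.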
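Review bot: `capability sys_rawio,` is added to findmnt with no comment on which operation required it, and the profile is still flagged complain, so the rule may reflect a single logged event rather than a confirmed need. sys_rawio authorises raw port I/O and privileged block-device ioctls, well beyond what listing the mount table should require, so a trailing note such as `capability sys_rawio, # Needed for <operation seen in audit log>` would let the next reviewer re-check the grant before the profile leaves complain mode. The findmnt profile continues outside the hunk.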
+++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,30 +7,26 @@ abi , include -@{exec_path} = @{bin}/gpartedbin -@{exec_path} += @{lib}/gpartedbin -@{exec_path} += @{lib}/gparted/gpartedbin +@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin profile gpartedbin @{exec_path} { include include + include include include - include - include - include capability dac_read_search, capability ipc_lock, capability sys_admin, capability sys_rawio, - ptrace (read), + ptrace read, - signal (send) peer=mke2fs, + signal send peer=mke2fs, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/blkid rPx, @{bin}/dmidecode rPx, @@ -84,29 +80,21 @@ profile gpartedbin @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /dev/mapper/control rw, - profile mount { include + include capability sys_admin, - mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/, + mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/, - mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, - mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, + mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @{bin}/mount mr, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/dev r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/ r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/{start,size} r, - - /dev/{s,v}d[a-z]* r, - /dev/{s,v}d[a-z]*[0-9]* r, - + include if exists } profile umount { @@ -128,6 +116,7 @@ profile gpartedbin @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, + include if exists } profile udevadm { diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 60fe931f..c945d59c 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder 
@@ -10,14 +10,12 @@ include @{exec_path} = @{bin}/gpodder profile gpodder @{exec_path} { include - include - include + include include - include - include include - include + include include + include network inet dgram, network inet6 dgram, @@ -32,64 +30,30 @@ profile gpodder @{exec_path} { @{sh_path} rix, @{bin}/uname rix, - owner @{HOME}/ r, - owner @{HOME}/gPodder/ rw, - owner @{HOME}/gPodder/** rwk, - - /usr/share/gpodder/{,**} r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - /etc/fstab r, - - owner /var/tmp/etilqs_@{hex} rw, - - /etc/mime.types r, - - /usr/share/*/*.desktop r, - - @{bin}/xdg-settings rPUx, - - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-settings rPx, + @{open_path} rPx -> child-open, # A/V players @{bin}/smplayer rPUx, @{bin}/vlc rPUx, @{bin}/mpv rPUx, - # Open in a web browser - @{lib}/firefox/firefox rPUx, + /usr/share/gpodder/{,**} r, + + /etc/fstab r, + /etc/mime.types r, + + owner @{HOME}/ r, + owner @{HOME}/gPodder/ rw, + owner @{HOME}/gPodder/** rwk, + + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index be591613..c9aa1469 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe 
@@ -8,9 +8,10 @@ abi , include @{exec_path} = @{bin}/hw-probe -profile hw-probe @{exec_path} { +profile hw-probe @{exec_path} flags=(attach_disconnected) { include include + include capability sys_admin, 
@@ -20,111 +21,134 @@ profile hw-probe @{exec_path} { @{exec_path} rm, @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/dd rix, - @{bin}/efibootmgr rix, - @{bin}/efivar rix, - @{bin}/md5sum rix, - @{bin}/pwd rix, - @{bin}/sleep rix, - @{bin}/tar rix, - @{bin}/uname rix, - - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/dpkg rPx -> child-dpkg, - - @{bin}/acpi rPx, - @{bin}/amixer rPx, - @{bin}/aplay rPx, - @{bin}/biosdecode rPx, - @{bin}/cpuid rPx, - @{bin}/cpupower rPx, - @{bin}/df rPx, - @{bin}/dkms rPx, - @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, - @{bin}/edid-decode rPx, - @{bin}/fdisk rPx, - @{bin}/glxgears rPx, - @{bin}/glxinfo rPx, - @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, - @{bin}/hwinfo rPx, - @{bin}/i2cdetect rPx, - @{bin}/inxi rPx, - @{bin}/lsblk rPx, - @{bin}/lscpu rPx, - @{bin}/lspci rPx, - @{bin}/lsusb rPx, - @{bin}/memtester rPx, - @{bin}/rfkill rPx, - @{bin}/sensors rPx, - @{bin}/smartctl rPx, - @{bin}/upower rPx, - @{bin}/uptime rPx, - @{bin}/usb-devices rPx, - @{bin}/xdpyinfo rPx, - @{bin}/xinput rPx, - @{bin}/xrandr rPx, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/dd rix, + @{bin}/efibootmgr rix, + @{bin}/efivar rix, + @{bin}/find rix, + @{bin}/md5sum rix, + @{bin}/pwd rix, + @{bin}/sleep rix, + @{bin}/sort rix, + @{bin}/tar rix, + @{bin}/uname rix, + @{bin}/acpi rPx, + @{bin}/amixer rPx, + @{bin}/aplay rPx, + @{bin}/biosdecode rPx, + @{bin}/cpuid rPx, + @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, + @{bin}/df rPx, + @{bin}/dkms rPx, + @{bin}/dmesg rPx, + @{bin}/dmidecode rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/edid-decode rPx, @{bin}/ethtool rCx -> netconfig, - @{bin}/find rCx -> find, + @{bin}/fdisk rPx, + @{bin}/glxgears rPx, + @{bin}/glxinfo rPx, + @{bin}/hciconfig rPx, + @{bin}/hdparm rPx, + @{bin}/hwinfo rPx, + @{bin}/i2cdetect rPx, @{bin}/ifconfig rCx -> netconfig, + @{bin}/inxi rPx, @{bin}/iw rCx -> netconfig, @{bin}/iwconfig rCx -> netconfig, 
@{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsblk rPx, + @{bin}/lscpu rPx, + @{bin}/lspci rPx, + @{bin}/lsusb rPx, + @{bin}/memtester rPx, + @{bin}/nmcli rPx, + @{bin}/pacman rCx -> pacman, + @{bin}/rfkill rPx, + @{bin}/rpm rCx -> rpm, + @{bin}/sensors rPx, + @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, - - /usr/share/X11/xorg.conf.d/{,*.conf} r, + @{bin}/upower rPx, + @{bin}/uptime rPx, + @{bin}/usb-devices rPx, + @{bin}/xdpyinfo rPx, + @{bin}/xinput rPx, + @{bin}/xrandr rPx, /etc/modprobe.d/{,*.conf} r, - /etc/X11/xorg.conf.d/{,*.conf} r, - /var/log/Xorg.[0-9].log{,.old} r, + owner @{HOME}/HW_PROBE/{,**} rw, - owner /root/HW_PROBE/{,**} rw, - - owner @{tmp}/*/ rw, + audit owner @{tmp}/*/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, - - @{sys}/devices/virtual/dmi/id/* r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/**/power_supply/*/uevent r, - + @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, + @{sys}/module/*/ r, + @{sys}/module/*/{coresize,refcnt} r, + @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, + @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, + @{PROC}/modules r, @{PROC}/scsi/scsi r, - profile find { + /dev/{,**} r, + + profile pacman flags=(attach_disconnected) { include - include + include + + @{bin}/pacman mr, + + @{bin}/gpg rPx -> pacman//gpg, + @{bin}/gpgconf rPx -> pacman//gpg, + @{bin}/gpgsm rPx -> pacman//gpg, + + /etc/pacman.conf r, + /etc/pacman.d/{,**} r, + + /var/lib/pacman/{,**} r, + + include if exists + } + + profile rpm flags=(attach_disconnected) { + include + include capability dac_read_search, - @{bin}/find mr, + @{bin}/rpm mr, - /root/ r, + /var/ r, + /var/lib/ r, + /var/lib/rpm/ r, + /var/lib/rpm/rpmdb.sqlite rk, + 
/var/lib/rpm/rpmdb.sqlite-shm rwk, + /var/lib/rpm/rpmdb.sqlite-wal rw, - /dev/{,**} r, - - include if exists + include if exists } - profile journalctl { + profile journalctl flags=(attach_disconnected) { include @{bin}/journalctl mr, @@ -133,18 +157,18 @@ profile hw-probe @{exec_path} { /etc/machine-id r, @{run}/log/ rw, - /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex32}/ rw, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/system.journal* rw, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* rw, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, owner @{PROC}/@{pid}/stat r, include if exists } - profile killall { + profile killall flags=(attach_disconnected) { include capability sys_ptrace, @@ -155,8 +179,6 @@ profile hw-probe @{exec_path} { @{bin}/killall mr, - # The /proc/ dir is needed to avoid the following error: - # /proc: Permission denied @{PROC}/ r, @{PROC}/@{pids}/stat r, @@ -170,22 +192,7 @@ profile hw-probe @{exec_path} { include if exists } - profile kmod { - include - - @{bin}/kmod mr, - - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, - - @{PROC}/cmdline r, - @{PROC}/modules r, - - include if exists - } - - profile netconfig { + profile netconfig flags=(attach_disconnected) { include # Not needed @@ -210,7 +217,7 @@ profile hw-probe @{exec_path} { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 23cb006c..b8c46b96 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo 
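Review bot: `/dev/{,**} r,` now sits in the main hw-probe profile, whereas before this hunk it lived only in the `find` child that the commit removes, so every device node — block devices and /dev/mem included — becomes readable by the whole profile rather than by a child that had little more than `capability dac_read_search,`; if find only needs to enumerate /dev, `/dev/{,**/} r,` limits the grant to directories. Likewise `@{bin}/kmod rix,` replaces the former `kmod` child, so kmod now inherits the full profile, including `capability sys_admin,`, instead of the few @{sys}/module and @{PROC} reads the child allowed. The `audit` qualifier on `audit owner @{tmp}/*/ rw,` logs every access to that directory; if it is a deliberate aid for discovering the real directory name, a comment saying so would stop a later cleanup from removing it, otherwise it reads as a debugging leftover. The enclosing profile starts before this hunk and continues after it.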
@@ -12,19 +12,10 @@ profile hwinfo @{exec_path} { include include - # Without the sys_admin CAP, some information, for instance the reserved I/O port address range - # in the /proc/ioports, will be hidden. - capability sys_admin, - - # For the kernel log entries to be shown in the output - capability syslog, - - # To remove the following errors: - # eth0: socket failed: Operation not permitted - capability net_raw, - - # Needed when passed disk related options (--block, --partition, --floppy) - capability sys_rawio, + capability net_raw, # Needed for network related options + capability sys_admin, # Needed for /proc/ioports + capability sys_rawio, # Needed for disk related options + capability syslog, # Needed for /proc/kmsg network inet dgram, network inet6 dgram, 
@@ -36,58 +27,61 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, + @{bin}/acpidump rPUx, @{bin}/dmraid rPUx, - @{PROC}/version r, - @{PROC}/cmdline r, - @{PROC}/dma r, - @{PROC}/interrupts r, - @{PROC}/modules r, - @{PROC}/tty/driver/serial r, - @{PROC}/ioports r, - @{PROC}/bus/input/devices r, - @{PROC}/partitions r, - @{PROC}/driver/nvram r, - @{PROC}/sys/dev/cdrom/info r, + /usr/share/hwinfo/{,**} r, - /dev/mem r, - /dev/nvram r, - /dev/psaux r, - /dev/console rw, - /dev/ttyS@{int} r, - /dev/fb@{int} r, + /var/lib/hardware/udi/{,**} r, + + owner @{tmp}/hwinfo*.txt rw, @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci_bus}/** r, - @{sys}/devices/**/input/**/dev r, + @{sys}/devices/@{pci}/** r, @{sys}/devices/**/{modalias,uevent} r, + @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/edd/{,**} r, - /var/lib/hardware/udi/ r, - - # For a log file - owner @{tmp}/hwinfo*.txt rw, + @{PROC}/bus/input/devices r, + @{PROC}/cmdline r, + @{PROC}/dma r, + @{PROC}/driver/nvram r, + @{PROC}/interrupts r, + @{PROC}/ioports r, + @{PROC}/modules r, + @{PROC}/partitions r, + @{PROC}/sys/dev/cdrom/info r, + @{PROC}/tty/driver/serial r, + @{PROC}/version r, + /dev/console rw, + /dev/fb@{int} r, + /dev/mem r, + /dev/nvram r, + /dev/psaux r, + /dev/ttyS@{int} r, profile kmod { include + include @{bin}/kmod mr, /etc/modprobe.d/{,*.conf} r, - @{PROC}/cmdline r, - - # file_inherit - /dev/ttyS@{int} r, owner @{tmp}/hwinfo*.txt rw, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{PROC}/cmdline r, + @{PROC}/modules r, + + include if exists } profile udevadm { diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index f9dc7646..c035517c 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice 
@@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/libreoffice/program/soffice profile libreoffice @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 2b02eb39..9408674f 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -12,40 +12,26 @@ profile parted @{exec_path} { include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) - # - # Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the - # kernel of the change, probably because it/they are in use. As a result, the old partition(s) - # will remain in use. You should reboot now before making further changes. capability sys_admin, - - # Needed? (#FIXME#) capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - - @{bin}/dmidecode rPx, + @{bin}/dmidecode rPx, /etc/inputrc r, - # Image files owner @{user_img_dirs}/{,**} rwk, @{PROC}/devices r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, - /dev/mapper/ r, - /dev/mapper/control rw, - profile udevadm { include include diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 3138c13e..9e384c66 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe 
@@ -12,34 +12,21 @@ profile partprobe @{exec_path} { include include - # To remove the following errors: - # device-mapper: version ioctl on failed: Permission denied - # Incompatible libdevmapper 1.02.167 (2019-11-30) and kernel driver (unknown version). capability sys_admin, - - # To remove the following errors: - # kernel: device-mapper: core: partprobe: sending ioctl 1261 to DM device without required - # privilege. capability sys_rawio, - # Needed? - ptrace (read), + ptrace read, @{exec_path} mr, @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, + @{bin}/dmidecode rPx, - @{bin}/dmidecode rPx, - - owner @{PROC}/@{pid}/mounts r, - @{PROC}/swaps r, @{PROC}/devices r, - - /dev/mapper/ r, - /dev/mapper/control rw, - + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, profile udevadm { include diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index ec77d7ca..655804cc 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/pimport profile pass-import @{exec_path} { include - include + include include + include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 334531ec..923d955a 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -37,12 +37,11 @@ profile pkexec @{exec_path} { # Apps to be run via pkexec @{bin}/* rPUx, + @{lib}/{,gvfs/}gvfsd-admin rPx, @{lib}/cc-remote-login-helper rPx, - @{lib}/gvfs/gvfsd-admin rPUx, #(#FIXME#) - @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{lib}/polkit-agent-helper-[0-9] rPx, @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx, + #aa:exec polkit-agent-helper @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, 
@@ -59,7 +58,7 @@ profile pkexec @{exec_path} { owner @{HOME}/.xsession-errors w, # Silencer -deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index 8d892055..3d3878c3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge @@ -41,6 +41,8 @@ profile protonmail-bridge @{exec_path} { owner @{share_dirs}/ rw, owner @{share_dirs}/** rwlk -> @{share_dirs}/**, + owner @{tmp}/@{uuid}.txt w, + owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices index 881e35c4..188c6ec6 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -13,17 +13,19 @@ profile usb-devices @{exec_path} { include include - capability dac_read_search, - deny capability dac_override, + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, - @{exec_path} r, @{sh_path} rix, - - @{bin}/cat rix, - @{bin}/cut rix, @{bin}/{,e}grep rix, @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, @{bin}/readlink rix, + @{bin}/sort rix, # For shell pwd /root/ r,
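Review bot: `capability dac_override,` replaces an explicit `deny capability dac_override,` in usb-devices without a comment on what needed it; dac_override lets the script bypass mode bits on any file it opens for writing, whereas `capability dac_read_search,`, kept on the next line, already covers reading and traversing root-only paths. Since the same hunk also adds `@{bin}/find rix,` and `@{bin}/sort rix,` under that capability set, a note such as `capability dac_override, # Needed for <path reported in audit log>` would record the justification, and if the logged access turns out to be a read, the deny could be restored. The enclosing profile starts and ends outside the hunk.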