From fbd59965313c5cd7aa7ec789d636a3272ac6110b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 11 Feb 2023 19:03:01 +0000
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/children/child-systemctl | 2 +-
 apparmor.d/groups/freedesktop/pipewire | 4 +---
 apparmor.d/groups/gnome/gnome-software | 1 +
 apparmor.d/groups/network/NetworkManager | 4 ++++
 apparmor.d/groups/network/tailscaled | 3 ++-
 apparmor.d/groups/pacman/pacman | 6 +++---
 apparmor.d/groups/systemd/journalctl | 1 +
 .../groups/ubuntu/software-properties-gtk | 9 +++++++-
 apparmor.d/groups/ubuntu/ubuntu-advantage | 19 +++++++++++++++--
 .../ubuntu/ubuntu-advantage-desktop-daemon | 6 +++++-
 apparmor.d/groups/ubuntu/update-notifier | 4 +++-
 apparmor.d/profiles-a-f/apparmor_parser | 4 +++-
 apparmor.d/profiles-m-r/pcscd | 2 +-
 apparmor.d/profiles-s-z/steam | 21 ++++++++++++++++++-
 14 files changed, 70 insertions(+), 16 deletions(-)
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index 4293bbe4..c01bb79d 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@@ -29,7 +29,7 @@ profile child-systemctl flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,
- dbus send bus=system path=/org/freedesktop/systemd[0-9]/Unit
+ dbus send bus=system path=/org/freedesktop/systemd1{,/Unit}
  interface=org.freedesktop.systemd[0-9].Manager
  member=GetUnitFileState,
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index e58d58b2..2b5894ff 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
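Review bot: The object path of the rewritten rule now pins `systemd1`, but the interface on the following context line still matches `org.freedesktop.systemd[0-9].Manager`; both lines describe the same call, so the interface should be narrowed the same way, `interface=org.freedesktop.systemd1.Manager`. The `{,/Unit}` alternative is also worth a one-line comment naming the caller that addresses `/org/freedesktop/systemd1/Unit`, since the Manager methods are normally exposed on `/org/freedesktop/systemd1` itself and a reader cannot tell from the rule which observation prompted it.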
@@ -75,9 +75,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  @{sys}/class/ r,
  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
- @{sys}/devices/virtual/dmi/id/bios_vendor r,
- @{sys}/devices/virtual/dmi/id/board_vendor r,
- @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
  /dev/media[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 3ebeddca..a1d336fe 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -99,6 +99,7 @@ profile gnome-software @{exec_path} {
  @{sys}/module/nvidia/version r,
  @{PROC}/@{pids}/mounts r,
+ @{PROC}/sys/fs/pipe-max-size r,
  @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 9b912d10..d756c784 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -35,6 +35,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  network netlink raw,
  network packet dgram,
+ signal (send) set=(term) peer=dnsmasq,
+
  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
  interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*},
@@ -88,8 +90,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/nft rix,
  /{usr/,}bin/dnsmasq rPx,
+ /{usr/,}bin/kmod rPx,
  /{usr/,}bin/resolvconf rPx,
  /{usr/,}bin/systemctl rPx -> child-systemctl,
  @{libexec}/{,NetworkManager/}nm-dhcp-helper rPx,
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 91be1c1f..8d7e0cf5 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
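Review bot: `/{usr/,}bin/nft rix` in the second NetworkManager hunk runs the nftables front end inside NetworkManager's own profile, while every neighbouring helper (`dnsmasq`, `kmod`, `resolvconf`, `systemctl`) transitions with `rPx`; with inheritance, whatever file and netlink access nft needs is granted to the whole daemon rather than to a confined child. If the repository carries a standalone nft profile, `rPx` keeps this consistent with the other helpers; otherwise `rCx -> nft` with a child profile limited to the binary and `network netlink raw` documents the exception. A short comment on the rule, along the lines of `# nft is used for the firewall of shared connections` (to be confirmed against the denial that prompted it), would also tell the next reader why inheritance was chosen.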
@@ -30,8 +30,9 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
- /{usr/,}bin/ip rix,
  /{usr/,}{s,}bin/xtables-nft-multi rix,
+ /{usr/,}bin/ip rix,
+ /{usr/,}bin/resolvectl rPx,
  /{usr/,}bin/systemctl rCx -> systemctl,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index dfbec753..1d3643dc 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -159,10 +159,10 @@ profile pacman @{exec_path} {
  /{usr/,}bin/gpg-agent rix,
  /{usr/,}bin/gpg-connect-agent rix,
- @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+ /etc/pacman.d/gnupg/ rw,
+ /etc/pacman.d/gnupg/** rwkl,
- owner /etc/pacman.d/gnupg/ rw,
- owner /etc/pacman.d/gnupg/** rwkl,
+ @{HOME}/@{XDG_GPG_DIR}/*.conf r,
  deny network inet stream,
  deny network inet6 stream,
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index e9efcd57..52724a8c 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -47,6 +47,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
  deny /apparmor/.null rw,
  include if exists
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index 26838b92..ba28472e 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -18,7 +18,11 @@ profile software-properties-gtk @{exec_path} {
  include
  include
- dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager}
+ dbus (send,receive) bus=system path=/com/canonical/UbuntuAdvantage/{,**}
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect,
+
+ dbus send bus=system path=/
  interface=org.freedesktop.DBus.Introspectable
  member=Introspect,
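Review bot: Dropping the `owner` qualifier from the two `/etc/pacman.d/gnupg/` rules widens them from keyring files owned by the calling uid to every file under the directory, with write, lock and link permission, and nothing in the hunk records why the narrower form failed. If the cause is keyring files created under a different owner, a comment on the rule such as `# Keyring files are not always owned by the invoking user` would let the widening survive the next cleanup; if only the directory entry needed it, `owner` can stay on the `/etc/pacman.d/gnupg/** rwkl` line. The reordering of the `@{HOME}/@{XDG_GPG_DIR}/*.conf r` rule is fine as is.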
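Review bot: The new first rule of the software-properties-gtk hunk grants `receive` of Introspect on `/com/canonical/UbuntuAdvantage/{,**}` with no `peer=` constraint, whereas the rule it replaces was send-only; a client that calls Introspect on the daemon only needs `send`, the reply being implicitly allowed, and `receive` would mean some other bus peer may introspect software-properties-gtk's own objects. Unless an audit entry showed an incoming Introspect, keep `dbus send bus=system path=/com/canonical/UbuntuAdvantage/{,**}`; if one did, pin the sender with a `peer=(label=...)` clause naming the daemon that answers on that path. Without the qualifier, the rule accepts the message from any process on the system bus.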
@@ -79,5 +83,8 @@ profile software-properties-gtk @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
+ # Silencer
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
  include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage
index 204dc38c..65109130 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage
@@ -23,12 +23,27 @@ profile ubuntu-advantage @{exec_path} {
  @{exec_path} mr,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/ischroot rix,
- /etc/ubuntu-advantage/uaclient.conf r,
+ /{usr/,}bin/apt-cache rPx,
+ /{usr/,}bin/apt-get rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/ps rPx,
+ /{usr/,}bin/snap rPx,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}lib/apt/apt-helper rix,
+ /{usr/,}lib/apt/methods/http{,s} rPx,
+ /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
+ /{usr/,}bin/systemd-detect-virt rPx,
+
+ /etc/ubuntu-advantage/{,**} r,
+ /var/lib/ubuntu-advantage/{,**} r,
  owner /tmp/tmp[0-9a-z]*/apt.conf r,
+
+ @{run}/ubuntu-advantage/{,**} rw,
+ @{PROC}/version_signature r,
  owner @{PROC}/@{pid}/fd/ r,
  include if exists
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
index cd8016de..f824f725 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
@@ -19,7 +19,7 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)
  member=RequestName peer=(name=org.freedesktop.DBus),
- dbus receive bus=system path=/com/canonical/UbuntuAdvantage/Manager
+ dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Service/*}
  interface=org.freedesktop.DBus.Introspectable
  member=Introspect,
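Review bot: In the ubuntu-advantage hunk, `/{usr/,}bin/systemd-detect-virt rPx` is appended after the `/{usr/,}lib/...` entries, breaking the `bin`-then-`lib` sorted order that the rest of the new exec list follows; it belongs next to `/{usr/,}bin/systemctl rPx -> child-systemctl`. `/{usr/,}lib/apt/apt-helper rix` is the one helper in the block that runs under the ubuntu-advantage profile itself while `apt-get`, `apt-cache`, the apt methods and the ESM hook all transition with `rPx`; if apt-helper genuinely needs nothing beyond this profile, a comment such as `# apt-helper only needs what this profile already allows` makes the inheritance read as deliberate. The enclosing profile block continues past the hunk on both sides.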
@@ -36,5 +36,9 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)
  @{exec_path} mr,
+ /{usr/,}bin/ubuntu-advantage rPx,
+
+ /var/lib/ubuntu-advantage/{,**} r,
+
  include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 305c7e36..ef9af910 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -31,7 +31,9 @@ profile update-notifier @{exec_path} {
  /{usr/,}bin/dpkg rPx -> child-dpkg,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/pkexec rPx,
+ /{usr/,}bin/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
+ /{usr/,}bin/snap rPx,
+ /{usr/,}bin/software-properties-gtk rPx,
  /{usr/,}bin/systemctl rPx -> child-systemctl,
  /{usr/,}bin/update-manager rPx,
  /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk rPx,
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index 694853bf..2382c271 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -23,10 +23,12 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
  /usr/share/apparmor-features/{,**} r,
  /usr/share/apparmor/{,**} r,
+ owner /snap/core[0-9]*/[0-9]*/etc/apparmor.d/{,**} r,
  owner /var/cache/apparmor/{,**} rw,
  owner /var/lib/docker/tmp/docker-default[0-9]* r,
  owner /var/lib/snapd/apparmor/{,**} r,
-
+ owner /var/snap/lxd/common/lxd/security/apparmor/{,**} r,
+ owner /tmp/cri-containerd.apparmor.d[0-9]* r,
  @{sys}/kernel/security/apparmor/{,**} r,
diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd
index c552664b..3e38c7ee 100644
--- a/apparmor.d/profiles-m-r/pcscd
+++ b/apparmor.d/profiles-m-r/pcscd
@@ -25,7 +25,7 @@ profile pcscd @{exec_path} {
  owner @{run}/pcscd/{,pcscd.pid} rw,
- owner @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pids}/stat r,
  include if exists
 }
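Review bot: The TODO appended to the `pkexec` line in the update-notifier hunk offers `rix` as an option, which would run the setuid pkexec helper under update-notifier's own profile; every capability and D-Bus/polkit access pkexec needs would then have to be granted to the whole notifier, not just to the privileged step. Of the two alternatives named, only `rCx` with a child profile restricted to the `/usr/lib/update-notifier/package-system-locked` target keeps the privilege boundary, so the note should not leave the inheriting form on the table: `/{usr/,}bin/pkexec rPx, # TODO: rCx with a child profile to run /usr/lib/update-notifier/package-system-locked`. Until that child exists, the current `rPx` to the system pkexec profile is the right default.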
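Review bot: `owner /tmp/cri-containerd.apparmor.d[0-9]* r` in the apparmor_parser hunk has the parser read profile text out of a world-writable directory, and the `owner` qualifier together with the sticky bit on /tmp is the only thing preventing another uid from supplying that text; the qualifier is correct but easy to drop in a later cleanup if its purpose is not written down. A comment above the rule, e.g. `# Profile text handed over through /tmp; owner keeps other users from substituting it`, records the reason, and naming the writer (the file name suggests containerd's CRI plugin, to be confirmed) would help reviewers match it to the component. The new lxd and snap core paths are ordinary read rules and need no such note.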
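Review bot: Replacing `owner @{PROC}/@{pid}/stat r` with `@{PROC}/@{pids}/stat r` in the pcscd hunk lets the daemon read the `stat` entry of every process on the system rather than its own, and the hunk does not say which lookup requires it. If the read is done to identify the client process on the other end of a connection, a comment such as `# Look up client processes` (to be confirmed against the denial that prompted the change) would explain the widening; if the lookups are only of pcscd's own pid, the `owner` form should be restored.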
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 2c82c157..f2effdd1 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -60,7 +60,7 @@ profile steam @{exec_path} {
  /{usr/,}bin/ldd rix,
  /{usr/,}bin/ln rix,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/lspci rPx,
+ /{usr/,}bin/lspci rCx -> lspci,
  /{usr/,}bin/mkdir rix,
  /{usr/,}bin/mv rix,
  /{usr/,}bin/readlink rix,
@@ -227,5 +227,24 @@ profile steam @{exec_path} {
  audit deny /**.steam_exec_test.sh rw,
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+ profile lspci {
+ include
+ include
+ include
+
+ /{usr/,}bin/lspci mr,
+
+ owner @{HOME}/.steam/steam.pipe r,
+
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/bus/pci/slots/ r,
+ @{sys}/bus/pci/slots/[0-9]*/address r,
+ @{sys}/devices/pci[0-9]*/** r,
+
+ owner /dev/shm/ValveIPCSHM_@{uid} rw,
+
+ include if exists
+ }
+
  include if exists
 }
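Review bot: In the new `lspci` child profile, `@{sys}/devices/pci[0-9]*/** r` covers every attribute under the whole PCI tree, including each device's `config`, `resource*` and `rom` files, which is considerably more than the identification attributes lspci reads to list hardware. If the denials that motivated the child profile only involve the plain attribute files, narrowing the rule to the names actually observed, e.g. `@{sys}/devices/pci[0-9]*/**/{vendor,device,class,revision,subsystem_vendor,subsystem_device,config} r`, keeps the child as tight as the transition from `rPx` to `rCx` intends. The three `include` lines of the child have lost their targets in this rendering, so which abstractions it pulls in cannot be checked here.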