From ff16790421a01e40efdea166628dcbf01bda470c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 3 Jun 2024 18:37:12 +0100
Subject: [PATCH] feat(abs): general update.
---
 apparmor.d/abstractions/app-launcher-root | 4 ++--
 apparmor.d/abstractions/app-launcher-user | 23 +++++++++++------------
 apparmor.d/abstractions/app/firefox | 2 ++
 apparmor.d/abstractions/common/app | 4 +++-
 apparmor.d/abstractions/mesa.d/complete | 3 ++-
 apparmor.d/abstractions/vulkan-strict | 2 +-
 6 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root
index 680eb568..69bcf900 100644
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@@ -3,8 +3,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- @{bin}/* rPUx,
- /usr/local/{s,}bin/* rPUx,
+ @{bin}/* PUx,
+ /usr/local/{s,}bin/* PUx,
 @{bin}/ r,
 / r,
diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
index 73f4e0b2..4a6c795d 100644
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@@ -3,19 +3,18 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- @{bin}/* rPUx,
- /opt/*/** rPUx,
- /usr/share/*/* rPUx,
- /usr/local/bin/* rPUx,
+ @{bin}/* PUx,
+ /opt/*/** PUx,
+ /usr/share/*/* PUx,
+ /usr/local/bin/* PUx,
- @{bin}/chromium rPx,
- @{brave_path} rPx,
- @{chrome_path} rPx,
- @{chromium_path} rPx,
- @{firefox_path} rPx,
- @{opera_path} rPx,
- @{thunderbird_path} rPx,
- @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
+ @{brave_path} Px,
+ @{chrome_path} Px,
+ @{chromium_path} Px,
+ @{firefox_path} Px,
+ @{opera_path} Px,
+ @{thunderbird_path} Px,
+ @{offices_path} PUx,
 @{bin}/ r,
 / r,
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 13829466..ba0c7f3e 100644
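Review bot: The `@{bin}/* PUx,` and `/usr/local/{s,}bin/* PUx,` lines drop the `r` from the exec rules without saying why, and the unconfined fallback (`U`) is the part of this abstraction that most deserves a comment for anyone who includes it in a new profile. Removing `r` only stops the launcher itself from open()ing those binaries; it does not narrow which programs can be started, and anything under those directories that has no profile of its own still runs fully unconfined. A one-line comment above the two rules would make the intent explicit, e.g. `# Exec only: the launcher never reads the binaries it starts; a binary without a profile falls back to unconfined (U).`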
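Review bot: Dropping `@{bin}/chromium rPx,` without a same-path replacement leaves `@{bin}/chromium` covered only if `@{chromium_path} Px,` expands to include it; if it does not, that binary falls through to `@{bin}/* PUx,` and, when no chromium profile is loaded, runs unconfined instead of being denied as `Px` would. Each of the `Px` rules also overlaps the `@{bin}/* PUx,` glob with a conflicting x modifier, so this only compiles and behaves as intended if the parser resolves the overlap in favour of the specific path, which is worth confirming with a parser dry run for any `@{*_path}` variable that expands to a pattern rather than a literal path. `@{offices_path}` is not defined in this patch, so its definition (presumably in the shared tunables) should be reviewed alongside it. Keeping the explicit line, `@{bin}/chromium Px,`, or confirming `@{chromium_path}` covers it, closes the fail-open gap.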
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -41,6 +41,8 @@
 network inet6 stream,
 network netlink raw,
+ ptrace trace peer=@{profile_name},
+ signal (send) set=(term, kill) peer=@{profile_name}-*,
 @{sh_path} rix,
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app
index 59d93c8f..36e4e29d 100644
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
 # Common rules for applications sandboxed using bwrap.
@@ -40,8 +41,9 @@
 @{bin}/ r,
 @{lib}/ r,
 /usr/local/bin/ r,
- owner /@{uuid}/ w,
 owner /_@{int}_/ w,
+ owner /@{uuid}/ w,
+ owner /var/cache/ldconfig/{,**} rw,
 # Full access to user's data
 / r,
diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index 436ddc96..1a77e3e7 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -5,7 +5,8 @@
 # Extra Mesa rules for desktop environments
 owner @{desktop_cache_dirs}/ w,
 owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
- owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk,
+ owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
+ owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw,
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict
index 70d5711d..ee56ef44 100644
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
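Review bot: `ptrace trace peer=@{profile_name},` grants PTRACE_ATTACH against every process running under the same profile, so a compromised Firefox process can read and write the memory of all its siblings; if the need is only to read `/proc/@{pid}/` of sibling processes, `ptrace read peer=@{profile_name},` is the narrower mode, and if it is for the crash reporter's minidump a comment such as `# Crash reporter attaches to the crashed sibling process` would justify keeping `trace`. As far as I read the LSM hook, the kernel checks both the tracer's `trace` and the tracee's `tracedby`, so even a same-profile attach may additionally need `ptrace (tracedby) peer=@{profile_name},` — confirm against the denial log rather than assuming. The `signal (send) set=(term, kill) peer=@{profile_name}-*,` line likewise depends on each `@{profile_name}-*` child profile carrying the matching `signal (receive) peer=@{profile_name},`, which this patch does not show. The enclosing abstraction continues outside the hunk.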
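Review bot: `owner /var/cache/ldconfig/{,**} rw,` gives the sandboxed application write access to ldconfig's aux-cache, which ldconfig, as far as I know, consults as a stat-keyed shortcut when regenerating `ld.so.cache`; that is only harmless if `/var/cache/ldconfig` seen by the application is a private, user-owned directory inside the bwrap mount namespace rather than the host path, and the `owner` qualifier alone does not guarantee that for an application running as root. Since the file header describes these as common rules for bwrap-sandboxed apps, a comment stating the assumption above the rule would stop it being copied into a non-bwrap profile, e.g. `# ldconfig aux-cache inside the bwrap namespace (private tmpfs), never the host's` — and the mount setup should be confirmed before `rw` is kept. The rule list in the second hunk continues past the hunk.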
@@ -15,7 +15,7 @@
 /etc/vulkan/implicit_layer.d/{,*.json} r,
 owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
- owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache
+ owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
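Review bot: `owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r,` keeps the cache read-only, but radv appears to create and write this file itself when it is missing, so the first run would log a write denial before falling back to compiling the built-in shaders. If refusing that write is the intent of the strict variant, the trailing comment should say so, e.g. `# Vulkan radv shaders cache (read-only on purpose: radv recompiles when it cannot write)`; otherwise the rule would need `rw`. The added 32-bit variant is consistent with either choice.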