diff --git a/apparmor.d/abstractions/systemctl b/apparmor.d/abstractions/systemctl
index a6ffa5ae..9863982c 100644
--- a/apparmor.d/abstractions/systemctl
+++ b/apparmor.d/abstractions/systemctl
@@ -12,8 +12,12 @@ owner @{run}/systemd/private rw,
- @{PROC}/@{pid}/comm r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/sched r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pid}/comm r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/stat r,
include if exists
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index eecf6273..253a8271 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -221,27 +221,15 @@ profile apt @{exec_path} flags=(attach_disconnected) {
profile systemctl {
include
- include
+ include
capability net_admin,
capability sys_resource,
- ptrace (read),
-
- @{bin}/systemctl mr,
-
- @{bin}/systemd-tty-ask-password-agent rix,
+ @{bin}/systemd-tty-ask-password-agent rPx,
owner @{run}/systemd/ask-password-block/{,*} rw,
owner @{run}/systemd/ask-password/ rw,
- owner @{run}/systemd/private rw,
-
- @{PROC}/1/environ r,
- @{PROC}/1/sched r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/stat r,
/dev/kmsg w,
diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found
index 6027e278..fc3e1963 100644
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@@ -23,6 +23,8 @@ profile command-not-found @{exec_path} {
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/snap rPUx,
+ @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+
/var/lib/command-not-found/commands.db rwk,
/usr/share/command-not-found/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index 969699a3..c9d1243f 100644
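Review bot: `@{PROC}/1/environ r` and `@{PROC}/1/sched r` are new to the shared abstraction, so every profile that includes abstractions/systemctl — not only the apt, tailscaled and torbrowser-wrapper children this commit trims — now gets read access to PID 1's environment and scheduler state, and the per-profile trail of why it was granted disappears with the removed lines. A comment on the two lines would keep the rationale with the rule, e.g. `# systemctl inspects PID 1's environ/sched (presumably to detect the init system / container) — confirm`. The swap of `@{PROC}/@{pid}/comm r` for the `owner`-qualified form narrows the rule to /proc entries owned by the calling uid; that is a tightening worth a word in the commit message since it changes the abstraction's effective scope for every consumer.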
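Review bot: The new `w` rule lets command-not-found write bytecode into the system-wide `@{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/` tree, which every later import of that module loads; in practice the write only succeeds when the tool runs as root, so the rule mostly serves to stop the interpreter's cache attempts from being logged. If that is the intent, a `deny` of the same path under the profile's silencer section keeps the log quiet without granting the write: `deny @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,`. If the write is really wanted, note that only the temporary `.pyc.@{int}` name is allowed and the rename onto the final `.pyc` presumably still fails, so the cache is never actually updated — either way a one-line comment stating which outcome is intended would help.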
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -29,8 +29,9 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
- @{bin}/dbus-broker-launch rPUx,
+ @{bin}/dbus-broker-launch rix,
@{bin}/dbus-daemon rix,
+ @{bin}/dbus-broker rix,
@{lib}/at-spi2-registryd rPx,
/usr/share/dbus-1/accessibility-services/ r,
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index a83bda98..c9f674db 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -38,6 +38,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected)
owner @{user_config_dirs}/qt5ct/{,**} r,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+
owner /tmp/#@{int} rw,
owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
# owner /tmp/xauth_@{rand6} r,
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 51bf690d..68359291 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@@ -88,19 +88,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
profile systemctl {
include
+ include
capability mknod,
capability net_admin,
network netlink raw,
- ptrace (read),
-
- @{bin}/systemctl mr,
-
- @{PROC}/ r,
- @{PROC}/@{pid}/fd/ r,
-
/dev/net/tun rw,
include if exists
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 21deeb7a..c982f9d5 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
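Review bot: `@{PROC}/ r` is removed from the tailscaled systemctl child, but the rules the abstraction gains in this commit are `@{PROC}/1/{environ,sched}`, `@{PROC}/cmdline`, `osrelease` and the `owner`-qualified `@{PROC}/@{pid}/{comm,fd/,stat}`; unless the abstraction provides `@{PROC}/ r` elsewhere (not visible here), this child loses the ability to list /proc/, which is worth a check with aa-log before merging. The `@{PROC}/@{pid}/fd/ r` it relied on also becomes `owner`-qualified through the abstraction — presumably harmless for a root daemon, but a narrowing nonetheless. The systemctl child ends outside this hunk.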
@@ -89,11 +89,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Can copy any program to the initframs
/{usr/,}{local/,}{s,}bin/ r,
- @{bin}/[a-z0-9]* mr,
+ @{bin}/* mr,
+ @{bin}/*/ r,
@{lib}/ r,
@{lib}/plymouth/plymouthd-* mr,
@{lib}/systemd/{,**} mr,
- @{lib}/udev/[a-z0-9]* mr,
+ @{lib}/udev/* mr,
# Manage /boot
/ r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index 1247ef1c..90309ee6 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -64,7 +64,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
/etc/pacman.d/{,**} r,
/etc/pacman.d/gnupg/** rwkl,
- /var/lib/pacman/local/{,**} r,
+ /var/lib/pacman/{,**} r,
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index 6273dee5..8bf9676e 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -7,7 +7,7 @@ abi ,
include
@{exec_path} = @{lib}/systemd/systemd-userdbd
-profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
+profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include
include
include
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index a8d94f60..a959a5f4 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -52,7 +52,7 @@ profile update-notifier @{exec_path} {
@{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
@{bin}/snap rPUx,
@{bin}/software-properties-gtk rPx,
- @{bin}/systemctl rPx -> child-systemctl,
+ @{bin}/systemctl rCx -> systemctl,
@{bin}/update-manager rPx,
@{lib}/ubuntu-release-upgrader/check-new-release-gtk rPx,
@{lib}/update-notifier/apt_check.py rix,
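Review bot: `@{bin}/* mr` and `@{lib}/udev/* mr` keep the `m` (mmap executable) permission while widening the old `[a-z0-9]*` glob to every file directly under those directories, including names starting with a dot, an uppercase letter or `[`. The comment above the rules says mkinitcpio copies programs into the initramfs, which needs `r` only; if `m` is there because the binaries get mapped during dependency resolution, a note such as `# m: binaries are mapped while their shared-library dependencies are resolved — confirm` would record that, otherwise `r` would be the least-privilege choice. `@{bin}/*/ r` for listing subdirectories is a separate, reasonable addition.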
@@ -84,5 +84,18 @@ profile update-notifier @{exec_path} {
@{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/fd/ r,
+ profile systemctl {
+ include
+ include
+ include
+
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=GetUnitFileState
+ peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+
+ include if exists
+ }
+
include if exists
}
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
index 4ecdb871..c543283a 100644
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@@ -46,10 +46,8 @@ profile torbrowser-wrapper @{exec_path} {
profile systemctl {
include
- include
+ include
- @{bin}/systemctl mr,
-
/etc/machine-id r,
/{run,var}/log/journal/ r,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 9f825c82..85b87d2f 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -25,6 +25,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{exec_path} rm,
@{sh_path} rix,
+ @{bin}/{,e,f}grep rix,
+ @{bin}/{,g,m}awk rix,
@{bin}/as rix,
@{bin}/cat rix,
@{bin}/cp rix,
@@ -36,6 +38,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/gcc rix,
@{bin}/getconf rix,
@{bin}/head rix,
+ @{bin}/id rPx,
@{bin}/kmod rCx -> kmod,
@{bin}/ld rix,
@{bin}/ln rix,
@@ -49,19 +52,20 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/objcopy rix,
@{bin}/pahole rix,
@{bin}/pwd rix,
+ @{bin}/readelf rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/rmdir rix,
@{bin}/sed rix,
@{bin}/sleep rix,
+ @{bin}/sort rix,
@{bin}/strip rix,
@{bin}/uname rix,
+ @{bin}/uniq rix,
+ @{bin}/update-secureboot-policy rPUx,
@{bin}/wc rix,
@{bin}/xargs rix,
@{bin}/zstd rix,
- @{bin}/{,e,f}grep rix,
- @{bin}/{,g,m}awk rix,
- @{bin}/update-secureboot-policy rPUx,
@{lib}/gcc/@{multiarch}/@{int}*/* rix,
@{lib}/linux-kbuild-*/scripts/** rix,
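Review bot: The new local `systemctl` child replaces the shared `child-systemctl` profile that the earlier hunk (-52,7) pointed at, but nothing records why a per-profile child is preferred here; a header comment above `profile systemctl {` such as `# Local child: the only D-Bus call granted is GetUnitFileState on systemd's Manager` would keep that decision visible. The dbus rule itself is tightly scoped (single member, peer pinned by both name and label), which is the right shape for this. The names of the three included abstractions are not visible in this rendering, so their effect on the child's reach cannot be reviewed here.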
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index e6e7d744..c2106a36 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -17,22 +17,20 @@ profile hw-probe @{exec_path} {
network inet dgram,
network inet6 dgram,
- @{exec_path} r,
+ @{exec_path} rm,
@{bin}/perl r,
- @{bin}/pwd rix,
- @{bin}/{,e}grep rix,
@{sh_path} rix,
+ @{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
- @{bin}/sleep rix,
- @{bin}/md5sum rix,
- @{bin}/uname rix,
- @{bin}/dd rix,
- @{bin}/tar rix,
-
- @{bin}/efivar rix,
@{bin}/efibootmgr rix,
+ @{bin}/efivar rix,
+ @{bin}/md5sum rix,
+ @{bin}/pwd rix,
+ @{bin}/sleep rix,
+ @{bin}/tar rix,
+ @{bin}/uname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/dpkg rPx -> child-dpkg,
@@ -82,20 +80,21 @@ profile hw-probe @{exec_path} {
@{bin}/journalctl rCx -> journalctl,
@{bin}/killall rCx -> killall,
@{bin}/kmod rCx -> kmod,
- @{bin}/systemd-analyze rCx -> systemd-analyze,
+ @{bin}/systemd-analyze rPx,
@{bin}/udevadm rCx -> udevadm,
+ /usr/share/X11/xorg.conf.d/{,*.conf} r,
+
+ /etc/modprobe.d/{,*.conf} r,
+ /etc/X11/xorg.conf.d/{,*.conf} r,
+
+ /var/log/Xorg.[0-9].log{,.old} r,
+
owner /root/HW_PROBE/{,**} rw,
owner /tmp/*/ rw,
owner /tmp/*/cpu_perf rw,
- /var/log/Xorg.[0-9].log{,.old} r,
- /etc/X11/xorg.conf.d/{,*.conf} r,
- /usr/share/X11/xorg.conf.d/{,*.conf} r,
-
- /etc/modprobe.d/{,*.conf} r,
-
@{sys}/class/drm/ r,
@{sys}/class/power_supply/ r,
@@ -106,11 +105,10 @@ profile hw-probe @{exec_path} {
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/* r,
- @{PROC}/scsi/scsi r,
- @{PROC}/ioports r,
- @{PROC}/interrupts r,
@{PROC}/bus/input/devices r,
-
+ @{PROC}/interrupts r,
+ @{PROC}/ioports r,
+ @{PROC}/scsi/scsi r,
profile find {
include
@@ -120,10 +118,11 @@ profile hw-probe @{exec_path} {
@{bin}/find mr,
- /dev/{,**} r,
- /root/ r,
+ /dev/{,**} r,
+
+ include if exists
}
profile journalctl {
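Review bot: `@{bin}/systemd-analyze rPx` (in the -82,20 hunk) needs a standalone `systemd-analyze` profile loaded at exec time; without the `U` fallback the exec is denied when that profile is missing, whereas the local child it replaces (removed in the later -140,18 hunk) was always present alongside this profile. That standalone profile is not part of this diff, so either it already exists in the tree or hw-probe's systemd-analyze call now fails; naming it in the commit message would settle that. The removed child granted only `@{bin}/systemd-analyze mr` and `owner @{PROC}/@{pid}/stat r`, a useful baseline for checking that the standalone profile is not much broader.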
@@ -131,6 +130,9 @@ profile hw-probe @{exec_path} {
@{bin}/journalctl mr,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/@{md5}/ rw,
@@ -140,18 +142,7 @@ profile hw-probe @{exec_path} {
owner @{PROC}/@{pid}/stat r,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- }
-
- profile systemd-analyze {
- include
-
- @{bin}/systemd-analyze mr,
-
- owner @{PROC}/@{pid}/stat r,
-
+ include if exists
}
profile killall {
@@ -159,17 +150,18 @@ profile hw-probe @{exec_path} {
capability sys_ptrace,
- signal (send) set=(int, term, kill),
- ptrace (read),
+ signal (send) set=(int, term, kill),
+
@{bin}/killall mr,
# The /proc/ dir is needed to avoid the following error:
# /proc: Permission denied
- @{PROC}/ r,
- @{PROC}/@{pids}/stat r,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/stat r,
+
include if exists
}
profile udevadm {
@@ -179,18 +171,19 @@ profile hw-probe @{exec_path} {
/etc/udev/udev.conf r,
- owner @{PROC}/@{pid}/stat r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
-
+ @{run}/udev/data/* r,
+
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
- @{run}/udev/data/* r,
+
+ @{PROC}/1/environ r,
+ @{PROC}/1/sched r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pid}/stat r,
include if exists
}
@@ -200,13 +193,13 @@ profile hw-probe @{exec_path} {
@{bin}/kmod mr,
- @{PROC}/cmdline r,
- @{PROC}/modules r,
-
@{sys}/module/*/ r,
@{sys}/module/*/{coresize,refcnt} r,
@{sys}/module/*/holders/ r,
+ @{PROC}/cmdline r,
+ @{PROC}/modules r,
+
include if exists
}
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge
index 0330a123..92a5eb13 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge
+++ b/apparmor.d/profiles-m-r/protonmail-bridge
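Review bot: Dropping `ptrace (read)` from the killall child (-159,17 hunk) while keeping `capability sys_ptrace` and `@{PROC}/@{pids}/stat r` is worth verifying at runtime: AppArmor mediates some /proc/<pid> reads on processes confined by other profiles as ptrace read, and a denial there shows up as a `ptrace` event in the log rather than a file event, so it is easy to miss. If an included abstraction (not visible here) now supplies the rule, a comment next to `capability sys_ptrace,` saying so would stop someone re-adding it; if not, the line may need to come back. The killall child begins outside this hunk.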
@@ -28,6 +28,7 @@ profile protonmail-bridge @{exec_path} {
owner /var/tmp/etilqs_@{hex} rw,
+ owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
owner @{user_cache_dirs}/protonmail/{,**} rwk,
diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname
index 990eefa4..267fdb82 100644
--- a/apparmor.d/profiles-s-z/uname
+++ b/apparmor.d/profiles-s-z/uname
@@ -14,10 +14,6 @@ profile uname @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
- # file_inherit
- owner @{HOME}/.xsession-errors w,
- owner /tmp/mktexlsr.* rw,
-
/dev/tty@{int} rw,
deny network,
diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd
new file mode 100644
index 00000000..2fd5956f
--- /dev/null
+++ b/apparmor.d/profiles-s-z/uuidd
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/uuidd
+profile uuidd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index 79a40e40..0915f23e 100644
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -118,10 +118,10 @@ profile vlc @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/shm/#@{int} rw,
- /dev/tty r,
- owner /dev/tty@{int} rw,
/dev/snd/ r,
+ /dev/tty r,
/dev/video@{int} rw,
+ owner /dev/tty@{int} rw,
# Silencer
deny @{lib}/@{multiarch}/vlc/{,**} w,
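Review bot: `owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r` opens the whole docker-credential-helpers subtree of the user's password store to the bridge, and that is the directory docker's pass-backed credential helper uses for registry credentials, so the grant is broader than the adjacent `protonmail-credentials/` rule. If the bridge only reads its own entries under that path, a narrower glob would be preferable; if it really needs the whole tree, a comment explaining which library behaviour forces it (e.g. `# the bridge's keychain backend presumably stores under docker-credential-helpers/ — confirm`) would stop this from being tightened back by mistake.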
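Review bot: The new uuidd profile lacks a trailing newline (`\ No newline at end of file`), unlike the other files in the tree; worth fixing before merge. Beyond the base include and `@{exec_path} mr` the profile grants nothing, so it covers only a one-shot invocation; if it is also meant to confine the daemon mode (`uuidd -d`, which typically serves requests over a unix socket and keeps its pid file under `@{run}/uuidd/`), those socket and pid-file rules will surface in aa-log and need adding. A one-line comment stating which mode the profile targets would make the intended scope clear.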