Merge 5240dcbdd1 into 026fbf7552

See #596

apparmor.d/abstractions/app/editor

@@ -12,7 +12,7 @@
   @{sh_path}                  rix,
   @{bin}/nvim                 mix,
   @{bin}/sensible-editor       mr,
-  @{bin}/vim{,.*}             mix,
+  @{bin}/vim{,.*}             mrix,
   @{bin}/which{,.debianutils}  ix,
 
   /usr/share/nvim/{,**} r,

apparmor.d/abstractions/app/firefox

@@ -92,7 +92,7 @@
   owner @{cache_dirs}/ rw,
   owner @{cache_dirs}/** rwk,
 
-        /tmp/ r,
+        /tmp/ rw,
         /var/tmp/ r,
   owner @{tmp}/@{name}/ rw,
   owner @{tmp}/@{name}/* rwk,

apparmor.d/abstractions/audio-client

@@ -11,6 +11,7 @@
   /usr/share/openal/hrtf/{,**} r,
   /usr/share/pipewire/client-rt.conf r,
   /usr/share/pipewire/client.conf r,
+  /usr/share/pipewire/jack.conf r,
   /usr/share/sounds/{,**} r,
 
   /etc/alsa/conf.d/{,**} r,
@@ -60,6 +61,8 @@
         /dev/shm/ r,
   owner /dev/shm/pulse-shm-@{int} rw,
 
+  /dev/snd/controlC@{int} r,
+
   include if exists <abstractions/audio-client.d>
 
 # vim:syntax=apparmor

apparmor.d/groups/gpg/scdaemon

@@ -16,6 +16,7 @@ profile scdaemon @{exec_path} {
   network netlink raw,
 
   signal (send) peer=gpg-agent,
+  signal send set=usr2 peer=unconfined,
 
   @{exec_path} mr,
 

apparmor.d/groups/kde/kscreen_backend_launcher

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher
 profile kscreen_backend_launcher @{exec_path} {
   include <abstractions/base>
+  include <abstractions/lxqt>
   include <abstractions/kde-strict>
 
   @{exec_path} mr,

apparmor.d/groups/kde/sddm

@@ -40,6 +40,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   ptrace (trace) peer=@{profile_name},
 
   signal (receive) set=(hup) peer=@{p_systemd},
+  signal (send) set=(kill, term) peer=lxqt-session,
   signal (send) set=(kill, term) peer=startplasma,
   signal (send) set=(kill, term) peer=xorg,
   signal (send) set=(kill, term) peer=xsetroot,
@@ -94,6 +95,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/kwalletd{5,6}        rPx,
   @{bin}/kwin_wayland         rPx,
   @{bin}/sddm-greeter{,-qt6}  rPx,
+  @{bin}/startlxqt            rPx,
   @{bin}/startplasma-wayland  rPx,
   @{bin}/startplasma-x11      rPx,
   @{bin}/sway                rPUx,

apparmor.d/groups/lxqt/lxqt-panel

@@ -0,0 +1,92 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-panel
+profile lxqt-panel @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/audio-client>
+  include <abstractions/dconf-write>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+  network packet dgram,
+
+  @{exec_path} mr,
+
+  @{bin}/exo-open rix,
+  @{lib}/gio-launch-desktop  rix,
+  @{bin}/nm-applet rPx,
+  @{bin}/nm-connection-editor rPx,
+  @{bin}/ControlPanel rPx,
+
+  @{bin}/sudo rCx -> root,
+
+  @{lib}/lxqt-panel/*.so mr, #  LXQT-Plugins
+  @{lib}/lxqt-config/*.so mr, # LXQT-Plugins
+
+  /usr/share/desktop-directories/{,**} r,
+  /usr/share/lxqt/{,**} r,
+
+  /etc/fstab r,
+  /etc/udev/udev.conf r,
+  /etc/machine-id r,
+  /etc/xdg/lxqt-qtxdg.conf r,
+  /etc/xdg/menus/**.menu r,
+  /etc/xdg/menus/applications-merged/ r,
+  /etc/xdg/ui/uistandards.rc r,
+
+  /var/lib/dbus/machine-id r,
+
+  owner @{HOME}/Desktop/*.desktop rw,
+  owner @{HOME}/Desktop/#@{int} rw,
+  owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int},
+
+  owner @{user_config_dirs}/menus/*.menu rw,
+  owner @{user_config_dirs}/menus/applications-merged/ r,
+  owner @{user_config_dirs}/share/desktop-directories/*.directory r,
+  owner @{user_config_dirs}/share/gvfs-metadata/{,*} r,
+  owner @{user_config_dirs}/lxqt/#@{int} rw,
+  owner @{user_config_dirs}/lxqt/panel.conf rw,
+  owner @{user_config_dirs}/lxqt/panel.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} rw,
+  owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/pulse/{,**} rwk,
+
+  @{run}/udev/data/* r,
+
+  @{sys}/class/i2c-adapter/ r,
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
+
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/net/dev r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/tty rw,
+  /dev/tty@{int} rw,
+  /dev/pts/@{int} rw,
+  /dev/snd/controlC@{int} rw,
+
+  profile root {
+    include <abstractions/base>
+    include <abstractions/app/sudo>
+
+    @{bin}/lsblk rPx,
+
+    include if exists <local/lxqt-panel_root>
+  }
+
+  include if exists <local/lxqt-panel>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/lxqt/lxqt-session

@@ -0,0 +1,98 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-session
+profile lxqt-session @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/app-launcher-user>
+  include <abstractions/bus-accessibility>
+  include <abstractions/dconf>
+  include <abstractions/lxqt>
+  include <abstractions/qt5-shader-cache>
+  include <abstractions/nameservice-strict>
+
+  network netlink raw,
+
+  signal (send),
+  signal (receive) set=(kill, term) peer=startlxqt,
+  signal (receive) set=(kill, term) peer=sddm,
+
+  ptrace (read),
+
+  @{exec_path} mr,
+
+  @{sh_path}                          rix,
+  @{bin}/sed                          rix,
+  @{bin}/readlink                     rix,
+  @{bin}/dirname                      rix,
+  @{bin}/system-config-printer-applet rPx,
+  @{bin}/dbus-update-activation-environment rCx -> dbus,
+  @{bin}/systemctl                    rCx -> systemctl,
+
+  @{bin}/pavucontrol                  rPx,
+  @{lib}/geoclue-2.0/demos/agent      rPx,
+  @{bin}/nm-connection-editor         rPx,
+  @{bin}/nm-applet                    rPx,
+  @{bin}/openbox                      rix,
+  @{bin}/dconf-editor                 rPx,
+  @{bin}/setxkbmap                    rix,
+  @{bin}/start-pulseaudio-x11         rPx,
+  @{bin}/xrdb                         rPx,
+  @{bin}/xdg-user-dirs-update         rPx,
+
+  /usr/share/                         r,
+  /usr/share/mime/                    r,
+  /usr/share/cursors/                 r,
+  /usr/share/backintime/common/*      r,
+  /usr/share/desktop-directories/*    r,
+  /usr/share/system-config-printer/*  r,
+
+  /etc/xdg/                           r,
+  /etc/xdg/autostart/                 r,
+  /etc/xdg/autostart/*.desktop        r,
+  /etc/xdg/menus/lxqt-*               r,
+  /etc/xdg/openbox/*                  r,
+  /etc/udev/udev.conf                 r,
+
+  owner @{user_config_dirs}/autostart/ r,
+  owner @{user_config_dirs}/autostart/*.desktop r,
+  owner @{user_cache_dirs}/openbox/   rw,
+  owner @{user_cache_dirs}/openbox/sessions/          rw,
+  owner @{user_cache_dirs}/openbox/openbox.log        rwk,
+  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
+  owner @{user_config_dirs}/openbox/rc.xml            r,
+
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
+  @{PROC}/                             r,
+  @{PROC}/uptime                       r,
+  @{PROC}/@{pid}/stat                  r,
+  owner @{PROC}/@{pid}/stat            r,
+
+  /dev/tty                             rw,
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    include if exists <local/lxqt-session_systemctl>
+  }
+  profile dbus {
+    include <abstractions/base>
+    include <abstractions/bus-session>
+
+    @{bin}/dbus-update-activation-environment mr,
+
+    include if exists <local/lxqt-session_dbus>
+  }
+
+  include if exists <local/lxqt-session>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/pacman/mkinitcpio

@@ -83,10 +83,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   # Manage /boot
   / r,
-  /{boot,efi}/ r,
+  /boot/ r,
   /{boot,efi}/EFI/{,**} rw,
-  /{boot,efi}/initramfs-*.img* rw,
+  /boot/initramfs-*.img* rw,
-  /{boot,efi}/vmlinuz-* r,
+  /boot/vmlinuz-* r,
 
   /usr/share/systemd/bootctl/** r,
 

apparmor.d/groups/pacman/pacman

@@ -39,7 +39,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 
   ptrace read,
 
-  signal send set=usr1 peer=gvfsd,
+  signal send,
   signal receive set=winch peer=makepkg//sudo,
 
   @{exec_path} mrix,

apparmor.d/groups/pacman/pacman-hook-mkinitcpio

@@ -37,7 +37,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   / r,
   /boot/ r,
-  /boot/efi/boot/boot*.efi rw,
+  /{boot,efi}/EFI/boot/boot*.efi rw,
   /boot/initramfs-*-fallback.img rw,
   /boot/initramfs-*.img rw,
   /boot/vmlinuz-* rw,

apparmor.d/groups/systemd/systemd-localed

@@ -24,11 +24,12 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   /usr/share/systemd/*-map r,
   /usr/share/X11/xkb/{,**} r,
 
+  /etc/.#locale.conf@{hex16} rw,
   /etc/.#vconsole.conf* rw,
   /etc/default/.#locale* rw,
   /etc/default/keyboard r,
   /etc/default/locale rw,
-  /etc/locale.conf r,
+  /etc/locale.conf rw,
   /etc/vconsole.conf rw,
   /etc/X11/xorg.conf.d/ r,
   /etc/X11/xorg.conf.d/.#*.confd* rw,

apparmor.d/profiles-a-f/chsh

@@ -10,26 +10,19 @@ include <tunables/global>
 @{exec_path} = @{bin}/chsh
 profile chsh @{exec_path} {
   include <abstractions/base>
-  include <abstractions/wutmp>
   include <abstractions/authentication>
   include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
 
-  # To write records to the kernel auditing log.
   capability audit_write,
-
-  # To set the right permission to the files in the /etc/ dir.
   capability chown,
   capability fsetid,
-
-  # gpasswd is a SETUID binary
   capability setuid,
 
   network netlink raw,
 
   @{exec_path} mr,
 
-  owner @{PROC}/@{pid}/loginuid r,
-
   /etc/shells r,
 
   /etc/passwd rw,
@@ -44,6 +37,8 @@ profile chsh @{exec_path} {
   # modify the /etc/passwd or /etc/shadow password database.
   /etc/.pwd.lock rwk,
 
+  owner @{PROC}/@{pid}/loginuid r,
+
   include if exists <local/chsh>
 }
 

apparmor.d/profiles-m-r/mutt

@@ -62,6 +62,7 @@ profile mutt @{exec_path} {
   owner @{HOME}/.mutthistory rwk,
   owner @{HOME}/.muttrc* r,
   owner @{HOME}/.signature r,  # Mutt signature file
+  owner @{HOME}/ r,
 
   # User mbox
   # Could be a file or dir depending on mbox_type variable
@@ -91,11 +92,14 @@ profile mutt @{exec_path} {
     @{bin}/w3m     mrix,
     @{bin}/lynx    mrix,
 
-    owner @{HOME}/.w3m/* rw,
+    owner @{HOME}/.w3m/{,**} rw,
     owner @{user_mail_dirs}/{,**} r,
     owner @{user_mail_dirs}/tmp/{,**} rw,
     owner /{var/,}tmp/mutt* rw,
 
+    owner /tmp/w3m-@{rand6} rw,
+    owner /tmp/w3m-@{rand6}/{,**} rw,
+
     include if exists <local/mutt_html-renderer>
   }
 

apparmor.d/profiles-m-r/nvtop

@@ -31,7 +31,16 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
   @{sys}/bus/ r,
+  @{sys}/devices/@{pci}/ r,
+  @{sys}/devices/@{pci}/current_link_{speed,width} r,
   @{sys}/devices/@{pci}/enable r,
+  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/fan@{int}_{enable,max} r,
+  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/power@{int}_cap r,
+  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int} r,
+  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int}_{enable,max} r,
+  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp@{int}_crit r,
+  @{sys}/devices/@{pci}/max_link_{speed,width} r,
+  @{sys}/devices/@{pci}/pcie_bw r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
 
   @{PROC}/ r,

apparmor.d/profiles-m-r/ouch

@@ -15,6 +15,7 @@ profile ouch @{exec_path} {
   @{exec_path} mr,
 
   owner @{HOME}/.tmp@{rand6}/{,**} rw,
+  owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw,
 
   @{sys}/fs/cgroup/user.slice/cpu.max r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,

apparmor.d/profiles-m-r/pinentry-curses

@@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} {
 
   /usr/share/terminfo/** r,
 
+  owner /dev/tty@{int} r,
+
   include if exists <local/pinentry-curses>
 }
 

apparmor.d/profiles-m-r/pinentry-gtk

@@ -7,9 +7,10 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/pinentry-gtk-2
+@{exec_path} = @{bin}/pinentry-gtk{,-2}
-profile pinentry-gtk-2 @{exec_path} {
+profile pinentry-gtk @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/gtk>
   include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
@@ -17,11 +18,13 @@ profile pinentry-gtk-2 @{exec_path} {
 
   @{exec_path} mr,
 
-  /usr/share/gtk-2.0/gtkrc r,
+  /usr/share/gtk-@{int}.@{int}/{,**} r,
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
 
-  include if exists <local/pinentry-gtk-2>
+  owner /dev/tty@{int} r,
+
+  include if exists <local/pinentry-gtk>
 }
 
 # vim:syntax=apparmor

apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox

@@ -18,6 +18,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 
   capability sys_admin,
   capability sys_chroot,
+  capability dac_override,
 
   @{exec_path} mr,
 
@@ -27,6 +28,9 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
   @{PROC}/@{pid}/oom_adj w,
   @{PROC}/@{pid}/oom_score_adj w,
 
+  # Silencer
+  deny /dev/pts/@{int} rw, # file_inherit
+
   include if exists <local/signal-desktop-chrome-sandbox>
 }
 

apparmor.d/profiles-s-z/useradd

@@ -53,9 +53,9 @@ profile useradd @{exec_path} {
 
   # To create user dirs and copy files from /etc/skel/ to them
   @{HOME}/ rw,
-  @{HOME}/.* w,
+  @{HOME}/.** w,
   /var/lib/*/{,*} rw,
-  /etc/skel/{,.*} r,
+  /etc/skel/{,.**} r,
 
   profile pam_tally2 {
     include <abstractions/base>

apparmor.d/profiles-s-z/v2ray

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/v2ray
+profile v2ray @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/attached/consoles>
+
+  network inet dgram,
+  network inet stream,
+  network inet raw,
+  network inet6 dgram,
+  network inet6 raw,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/v2ray/{,*} r,
+  /usr/share/v2ray/**.dat r,
+
+  @{PROC}/sys/net/core/somaxconn r,
+
+  include if exists <local/v2ray>
+}
+
+# vim:syntax=apparmor

apparmor.d/profiles-s-z/w3m

@@ -36,7 +36,7 @@ profile w3m @{exec_path} {
 
   owner @{user_config_dirs}/w3m/{,**} rw,
 
-  owner @{tmp}/@{rand6}/{,**} rw,
+  owner @{tmp}/w3m-@{rand6}/{,**} rw,
 
   include if exists <local/w3m>
 }

apparmor.d/profiles-s-z/xray

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xray
+profile xray @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/attached/consoles>
+
+  network inet dgram,
+  network inet stream,
+  network inet raw,
+  network inet6 dgram,
+  network inet6 raw,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/xray/{,*} r,
+  /usr/share/xray/**.dat r,
+
+  @{PROC}/sys/net/core/somaxconn r,
+
+  include if exists <local/xray>
+}
+
+# vim:syntax=apparmor

tests/bats/chsh.bats

@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+    aa_setup
+}
+
+# bats test_tags=chsh
+@test "chsh: [l]ist available shells" {
+    chsh --list-shells || true
+    aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a specific login [s]hell for the current user" {
+    chsh --shell /usr/bin/bash
+    aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a login [s]hell for a specific user" {
+    sudo chsh --shell /usr/bin/sh root
+    aa_check
+}

tests/bats/lsusb.bats

@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+    aa_setup
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List all the USB devices available" {
+    lsusb || true
+    aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List the USB hierarchy as a tree" {
+    lsusb -t || true
+    aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List verbose information about USB devices" {
+    lsusb --verbose || true
+    aa_check
+}

tests/bats/useradd.bats

@@ -0,0 +1,49 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+    aa_setup
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified shell" {
+    sudo useradd --shell /bin/bash --create-home user2
+    aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified user ID" {
+    sudo useradd --uid 3000 user3
+    aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" {
+    sudo useradd --groups adm user4
+    aa_check
+}
+
+
+# bats test_tags=useradd
+@test "useradd: Create a new system user without the home directory" {
+    sudo useradd --system sys2
+    aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user" {
+    sudo userdel user3
+    sudo userdel user4
+    sudo userdel sys2
+    aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user along with the home directory and mail spool" {
+    sudo userdel --remove user2
+    aa_check
+}