add profiles for applications that create user namespaces

These are profiles for applications that create user namespaces, both the actual policy and unconfined profiles, like it was done in MR 1123. https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify these applications instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-03-04 08:24:42 +01:00 · 2024-02-02 10:51:06 -03:00 · 2024-02-02 10:51:06 -03:00 · 6add80d83f
commit 6add80d83f
parent 3e28d0a254
4 changed files with 67 additions and 1 deletions
--- a/profiles/apparmor.d/plasmashell
+++ b/profiles/apparmor.d/plasmashell
@ -0,0 +1,42 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile plasmashell /usr/bin/plasmashell {
+  include <abstractions/dbus-session>
+
+  capability,
+  userns,
+  network,
+  dbus,
+  mount,
+  umount,
+  remount,
+  signal,
+  mqueue,
+  unix,
+  ptrace,
+
+  /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+  /** pux,
+  /{,**} mrwlk,
+
+  profile QtWebEngineProcess {
+    capability,
+    userns,
+    network,
+    dbus,
+    mount,
+    umount,
+    remount,
+    signal,
+    mqueue,
+    unix,
+    ptrace,
+    /** pux,
+    /{,**} mrwlk,
+  }
+
+  # Site-specific additions and overrides.  See local/README for details.
+  include if exists <local/plasmashell>
+}
--- a/profiles/apparmor.d/steam
+++ b/profiles/apparmor.d/steam
@ -4,7 +4,7 @@
 abi <abi/4.0>,
 include <tunables/global>

-profile steam /usr/lib/steam/bin_steam.sh flags=(unconfined) {
+profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/surfshark
+++ b/profiles/apparmor.d/surfshark
@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile surfshark /opt/Surfshark/surfshark flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/surfshark>
+}
--- a/profiles/apparmor.d/systemd-coredump
+++ b/profiles/apparmor.d/systemd-coredump
@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile systemd-coredump /usr/lib/systemd/systemd-coredump flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/systemd-coredump>
+}