From 599ed6464cb7287109e99b58855e843af16d4a34 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Thu, 2 Jun 2022 19:27:15 +0300 Subject: [PATCH 1/6] Ubuntu 22.04, second batch --- apparmor.d/groups/apps/vlc | 96 ++++++++++++++++++- apparmor.d/groups/freedesktop/polkitd | 20 ++++ .../groups/ubuntu/package-system-locked | 6 +- apparmor.d/profiles-m-r/pkexec | 12 +++ 4 files changed, 128 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index eb065a9bd..fffbd401a 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -70,6 +70,13 @@ profile vlc @{exec_path} { include include include + include + include + include + include if exists + +# capability sys_ptrace, +# ptrace (read), signal (receive) set=(term, kill) peer=anyremote//*, @@ -94,9 +101,6 @@ profile vlc @{exec_path} { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{vlc_ext} r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - # VLC files /usr/share/vlc/{,**} r, @@ -104,7 +108,7 @@ profile vlc @{exec_path} { owner @{HOME}/ r, owner @{user_config_dirs}/vlc/ rw, owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9], - owner @{user_share_dirs}/vlc/{,*} rw, + owner @{user_share_dirs}/vlc/{,**} rw, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, @@ -119,7 +123,9 @@ profile vlc @{exec_path} { deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pids}/net/if_inet6 r, deny @{PROC}/sys/kernel/random/boot_id r, # Udev enumeration 
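Review bot: The change from `@{PROC}/@{pid}/net/if_inet6 r,` to `@{PROC}/@{pids}/net/if_inet6 r,` lets vlc read the IPv6 address table of any process's network namespace instead of only its own, and nothing in the hunk records what asked for it. `/proc/<pid>/net` is per network namespace rather than per process, so if the trigger was vlc's own thread or child looking at its entry, `owner @{PROC}/@{pid}/net/if_inet6 r,` should still be enough; if a foreign pid really is read, say which one in a comment, e.g. `@{PROC}/@{pids}/net/if_inet6 r, # <who reads another process's netns>`. The added `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` is scoped to the process's own threads and needs no change. The `profile vlc` block starts and ends outside this hunk.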
@@ -147,6 +153,84 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, + # DBus + dbus send + bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{RequestName,ReleaseName,GetConnectionUnixProcessID}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="NotificationClosed" peer=(name=":*"), + + dbus send + bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.a11y.Bus"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Properties" member="{Get,RegisterStatusNotifierItem}" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member="RegisterStatusNotifierItem" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="Activate" peer=(name=":*"), + + dbus receive + bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="{Get,GetAll}" peer=(name=":*"), + + dbus send + bus="session" path="/ScreenSaver" interface="org.freedesktop.ScreenSaver" member="{Inhibit,UnInhibit}" peer=(name="org.freedesktop.ScreenSaver"), + + dbus receive + bus="session" path="/MenuBar" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="session" path="/MenuBar" 
interface="com.canonical.dbusmenu" member="{LayoutUpdated,ItemsPropertiesUpdated}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/MenuBar" interface="com.canonical.dbusmenu" member="{GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}" peer=(name=":*"), + + dbus (send receive) + bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus send + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Player" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Playlists" peer=(name=":*"), + +# dbus send +# bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"), + + dbus send + bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,RemoveMatch}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Socket" member="Embed" peer=(name="org.a11y.atspi.Registry"), + + dbus receive + bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.freedesktop.DBus.Properties" member="Set" peer=(name=":*"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="GetRegisteredEvents" peer=(name="org.a11y.atspi.Registry"), + + dbus receive + bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="EventListenerDeregistered" peer=(name=":*"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="{GetKeystrokeListeners,GetDeviceEventListeners}" peer=(name="org.a11y.atspi.Registry"), + + dbus bind + bus="session" name="org.kde.StatusNotifierItem-*", + + dbus bind + 
bus="session" name="org.mpris.MediaPlayer2.vlc{,.instance*}", + + owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, + owner @{run}/user/*/dconf/user rw, profile xdg-screensaver { include @@ -169,6 +253,8 @@ profile vlc @{exec_path} { /dev/dri/card[0-9]* rw, network inet stream, network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 289496ba3..735532d1e 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -16,6 +16,7 @@ profile polkitd @{exec_path} { capability setuid, capability setgid, capability sys_ptrace, + capability sys_nice, audit deny capability net_admin, ptrace (read), @@ -53,9 +54,28 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/systemd/userdb/io.systemd.Machine rw, # Silencer deny /.cache/ rw, + # DBus + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,AddMatch,RemoveMatch,Hello,RequestName}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus receive + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent}" peer=(name=":*"), + + dbus bind + bus="system" name="org.freedesktop.PolicyKit1", + + @{run}/dbus/system_bus_socket rw, + include if exists } 
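Review bot: `owner @{run}/user/*/dconf/user rw,` at the end of the hunk wildcards the per-user runtime directory while the line above it, `owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,`, and the gvfs rules elsewhere in this profile use `@{uid}`; `owner` still limits it to same-uid files, but `owner @{run}/user/@{uid}/dconf/user rw,` is the consistent and narrower form. The `/StatusNotifierItem` signal rule lists `NewStatus` twice in `member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}"`. The MPRIS and dbusmenu `receive` rules from `peer=(name=":*")` let any session-bus peer drive the player, which is what those protocols are for, but a one-line comment such as `# MPRIS/menu: any session peer may query and control playback` would stop the next reader from treating it as an oversight. The `profile vlc` block starts and ends outside this hunk.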
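Review bot: `capability sys_nice,` is granted to polkitd with no note of what triggered it, and nothing visible in the profile (a D-Bus authority with no scheduling or realtime paths) explains why it would change process priorities. If it came from a logged denial, record the caller next to the rule, `capability sys_nice, # <syscall/library that needed it>`; if the denial was harmless noise, an `audit deny capability sys_nice,` in the style of the `audit deny capability net_admin,` just below keeps the daemon's capability set closed. The `profile polkitd` block starts and ends outside this hunk.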
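Review bot: The third D-Bus rule, `dbus send bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}")`, has no `member=`, so polkitd may originate any call on its own Authority interface towards any connection. As far as I understand the bus-side mediation, method replies are allowed whenever the corresponding call was, so the only message polkitd itself originates on this interface should be the `Changed` signal, i.e. `member="Changed" peer=(name="org.freedesktop.DBus")`; please verify that with a `CheckAuthorization` round-trip before narrowing, and if the open form is really needed, leave a comment saying why. The `receive` rule, by contrast, is member-pinned, which is the right shape. The `profile polkitd` block starts and ends outside this hunk.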
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index d307f0eb4..7f29301c8 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -12,6 +12,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability syslog, + capability sys_ptrace, ptrace (read), @@ -20,6 +21,9 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/fuser rix, + network inet dgram, + network inet6 dgram, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/unix r, @{PROC}/ r, @@ -28,4 +32,4 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { @{PROC}/swaps r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index b754183e7..2c5932f4b 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -53,5 +53,17 @@ profile pkexec @{exec_path} flags=(complain) { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + # DBus + @{run}/dbus/system_bus_socket rw, + + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="{GetAll,CheckAuthorization}" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name=":*"), + include if exists } From 2bea426d278cf935bff3e5df767d5c132e799ec9 Mon Sep 17 00:00:00 2001 
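Review bot: `capability sys_ptrace,` is added without a comment, although the reason is visible in the rest of the profile: the helper execs `fuser`, which (presumably to find the lock holder) reads `@{PROC}/@{pids}/fd/` and `@{PROC}/@{pids}/maps` of other users' processes, and that is what `sys_ptrace` together with the existing `ptrace (read),` permits. Please record it in place, e.g. `capability sys_ptrace, # fuser: read /proc/<pid>/{fd,maps} of other uids' processes`, so a future reviewer does not drop it as over-privileged. The `profile package-system-locked` block starts and ends outside this hunk.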
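Review bot: `network inet dgram,` and `network inet6 dgram,` let a helper that pkexec runs as root open UDP sockets, and neither the rules nor the commit say what needs them; the only program this profile executes is `fuser`, so the trigger is most likely a name lookup or a `-n udp` style probe, but that is a guess. Note the trigger on the rule, `network inet dgram, # <what creates the socket>`, and if it turns out to be noise rather than a functional need, make it `deny network inet dgram,` (and `inet6`) so the profile stays closed. The `profile package-system-locked` block starts and ends outside this hunk.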
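Review bot: The second rule lists `CheckAuthorization` under `interface="org.freedesktop.DBus.Properties" member="{GetAll,CheckAuthorization}"`, but the Properties interface has no such member; `CheckAuthorization` is a method of `org.freedesktop.PolicyKit1.Authority`, which the third rule already allows with no member filter at all. Reduce the Properties rule to `member="GetAll"` and put the member list on the Authority rule instead, since that is the one carrying the privileged call: `member="{CheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent,EnumerateActions}"` or whatever the audit log showed pkexec using. The `profile pkexec` block starts and ends outside this hunk.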
From: nobodysu Date: Fri, 3 Jun 2022 23:00:08 +0300 Subject: [PATCH 2/6] polishing --- apparmor.d/groups/apps/vlc | 1 + apparmor.d/groups/freedesktop/polkit-agent-helper | 13 ++++++++++++- apparmor.d/groups/freedesktop/polkitd | 9 +++++---- apparmor.d/profiles-m-r/pkexec | 6 +++--- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index fffbd401a..4cabe6247 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -118,6 +118,7 @@ profile vlc @{exec_path} { owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, + /dev/snd/ r, /dev/shm/#[0-9]*[0-9] rw, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 4e9e67fe8..4285ad4de 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -35,7 +35,18 @@ profile polkit-agent-helper @{exec_path} { owner @{HOME}/.xsession-errors w, @{run}/faillock/[a-zA-z0-9]* rwk, - @{run}/systemd/userdb/io.systemd.DynamicUser w, + + # DBus + @{run}/dbus/system_bus_socket rw, + + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="AuthenticationAgentResponse2" peer=(name=":*"), include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 735532d1e..cef1ed600 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
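Review bot: The new D-Bus block is inserted directly under `@{run}/faillock/[a-zA-z0-9]* rwk,`, whose class `A-z` looks like a typo: a bracket range from `A` to `z` also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the rule is wider than the `[a-zA-Z0-9]` presumably intended; since the hunk already edits this spot, correct it to `@{run}/faillock/[a-zA-Z0-9]* rwk,`. A why-comment on the `AuthenticationAgentResponse2` send would also help, e.g. `# returns the PAM result to polkitd on behalf of the agent` (my reading of the helper's role; confirm against polkit's source). The `profile polkit-agent-helper` block starts and ends outside this hunk.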
@@ -53,8 +53,6 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/systemd/userdb/io.systemd.Machine rw, # Silencer deny /.cache/ rw, @@ -67,10 +65,13 @@ profile polkitd @{exec_path} { bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"), + bus="system" path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus send + bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"), dbus receive - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent}" peer=(name=":*"), + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2}" peer=(name=":*"), dbus bind bus="system" name="org.freedesktop.PolicyKit1", diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 2c5932f4b..9033252a4 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -10,9 +10,9 @@ include profile pkexec @{exec_path} flags=(complain) { include include - include - include include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, 
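Review bot: The new `dbus send bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*")` hard-codes the GNOME agent's object path, yet the agent chooses the path it passes to `RegisterAuthenticationAgent`, and other desktops' agents register their own (the KDE one lives under `/org/kde/`, as far as I recall); on such a system polkitd's `BeginAuthentication` would be denied and every interactive authorization would fail. The path is not what identifies the agent here, so bind on the interface and leave the path open: `dbus send bus="system" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"),`, or enumerate the known agent paths with a comment naming each desktop. The `profile polkitd` block starts and ends outside this hunk.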
@@ -53,7 +53,7 @@ profile pkexec @{exec_path} flags=(complain) { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - # DBus + # DBus stricter @{run}/dbus/system_bus_socket rw, dbus send From a333a77cb54304bf86b19b70543147ebe950b779 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 5 Jun 2022 15:36:10 +0300 Subject: [PATCH 3/6] polishing --- apparmor.d/groups/apps/vlc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index 4cabe6247..dd843800d 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -197,11 +197,8 @@ profile vlc @{exec_path} { dbus (send receive) bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), - dbus send - bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Player" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Playlists" peer=(name=":*"), + dbus (send receive) + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.*" peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # dbus send # bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"), From 355d958e2688f3a0a41d74a2dd7e2901ee3ebb57 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Thu, 18 Aug 2022 18:22:56 +0300 Subject: [PATCH 4/6] update --- apparmor.d/groups/apps/vlc | 194 +++++++++++------- .../groups/freedesktop/polkit-agent-helper | 23 +-- apparmor.d/groups/freedesktop/polkitd | 70 ++++--- .../groups/ubuntu/package-system-locked | 11 +- apparmor.d/profiles-m-r/pkexec | 64 +++--- 5 files changed, 206 insertions(+), 156 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index dd843800d..9ebee31d2 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc 
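Review bot: `interface="org.mpris.MediaPlayer2.*"` does not match the MPRIS root interface `org.mpris.MediaPlayer2` itself, the one that carries `Raise` and `Quit`, because the glob requires a `.`-separated suffix; the two rules being merged did not cover it either, but this rewrite is the place to fix it: `interface="org.mpris.MediaPlayer2{,.*}"`. The merged rule is now bidirectional, member-less and accepts `:*`, which is acceptable for a session-bus media player but deserves a one-liner, `# MPRIS: any session peer may query and control playback`, so it is not mistaken for an oversight later. The `profile vlc` block starts and ends outside this hunk.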
@@ -71,9 +71,9 @@ profile vlc @{exec_path} { include include include - include + include + include include - include if exists # capability sys_ptrace, # ptrace (read), 
@@ -86,6 +86,120 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, + dbus (send) bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus), + + dbus (receive) bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member=NotificationClosed + peer=(name=:*), + + dbus (send) bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus), + + dbus (send) bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher), + + dbus (send) bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member={Get,RegisterStatusNotifierItem} + peer=(name=org.kde.StatusNotifierWatcher), + + dbus (send) bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher), + + dbus (send) bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon} + peer=(name=org.freedesktop.DBus), + + dbus (receive) bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member=Activate + peer=(name=:*), + + dbus (receive) bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=:*), + + dbus (send) bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus (receive) bus=session path=/MenuBar + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + 
peer=(name=org.freedesktop.DBus), + + dbus (receive) bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} + peer=(name=:*), + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + peer=(name="{org.freedesktop.DBus,:*}"), # all members + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.* + peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # all members + +# dbus (send) bus=system path=/ +# interface=org.freedesktop.DBus.Peer +# member=Ping, +# peer=(name="org.freedesktop.Avahi"), + + dbus (send) bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus), + + dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), + + dbus (send) bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), + + dbus (receive) bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*), + + dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), + + dbus (bind) bus=session + name=org.kde.StatusNotifierItem-*, + + dbus (bind) bus=session + name=org.mpris.MediaPlayer2.vlc{,.instance*}, + @{exec_path} mrix, # Which media files VLC should be able to open 
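Review bot: The commented-out Avahi rule ends its `#   member=Ping,` line with a comma before `#   peer=(name="org.freedesktop.Avahi"),`, so re-enabling it by stripping the `#` would most likely hand the parser a terminated rule followed by a stray `peer=` and fail; drop the comma now (`#   member=Ping`) so the block can be uncommented as is. In the `/StatusNotifierItem` signal rule `NewStatus` is listed twice: `member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}`. Otherwise the reflow to one key per line reads well. The `profile vlc` block starts and ends outside this hunk.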
@@ -154,82 +268,6 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, - # DBus - dbus send - bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{RequestName,ReleaseName,GetConnectionUnixProcessID}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="NotificationClosed" peer=(name=":*"), - - dbus send - bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.a11y.Bus"), - - dbus send - bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name="org.kde.StatusNotifierWatcher"), - - dbus send - bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Properties" member="{Get,RegisterStatusNotifierItem}" peer=(name="org.kde.StatusNotifierWatcher"), - - dbus send - bus="session" path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member="RegisterStatusNotifierItem" peer=(name="org.kde.StatusNotifierWatcher"), - - dbus send - bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="Activate" peer=(name=":*"), - - dbus receive - bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="{Get,GetAll}" peer=(name=":*"), - - dbus send - bus="session" path="/ScreenSaver" interface="org.freedesktop.ScreenSaver" member="{Inhibit,UnInhibit}" peer=(name="org.freedesktop.ScreenSaver"), - - dbus receive - bus="session" path="/MenuBar" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), - - dbus send - bus="session" path="/MenuBar" 
interface="com.canonical.dbusmenu" member="{LayoutUpdated,ItemsPropertiesUpdated}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/MenuBar" interface="com.canonical.dbusmenu" member="{GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}" peer=(name=":*"), - - dbus (send receive) - bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), - - dbus (send receive) - bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.*" peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), - -# dbus send -# bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"), - - dbus send - bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,RemoveMatch}" peer=(name="org.freedesktop.DBus"), - - dbus send - bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Socket" member="Embed" peer=(name="org.a11y.atspi.Registry"), - - dbus receive - bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.freedesktop.DBus.Properties" member="Set" peer=(name=":*"), - - dbus send - bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="GetRegisteredEvents" peer=(name="org.a11y.atspi.Registry"), - - dbus receive - bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="EventListenerDeregistered" peer=(name=":*"), - - dbus send - bus="accessibility" path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="{GetKeystrokeListeners,GetDeviceEventListeners}" peer=(name="org.a11y.atspi.Registry"), - - dbus bind - bus="session" name="org.kde.StatusNotifierItem-*", - - dbus bind - bus="session" name="org.mpris.MediaPlayer2.vlc{,.instance*}", - - owner 
@{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, - owner @{run}/user/*/dconf/user rw, - profile xdg-screensaver { include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 4285ad4de..32d5b102a 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { include + include include include include @@ -28,6 +29,16 @@ profile polkit-agent-helper @{exec_path} { signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=pkexec, + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=AuthenticationAgentResponse2 + peer=(name=:*), + @{exec_path} mr, # file_inherit @@ -36,17 +47,5 @@ profile polkit-agent-helper @{exec_path} { @{run}/faillock/[a-zA-z0-9]* rwk, - # DBus - @{run}/dbus/system_bus_socket rw, - - dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="AuthenticationAgentResponse2" peer=(name=":*"), - include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index cef1ed600..b743426b0 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,25 +11,44 @@ include @{exec_path} += @{libexec}/polkitd profile polkitd @{exec_path} { include + include include - capability setuid, capability setgid, - capability sys_ptrace, + capability setuid, capability sys_nice, + capability sys_ptrace, audit deny capability net_admin, ptrace (read), - @{exec_path} mr, + dbus (send) bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName} + peer=(name=org.freedesktop.DBus), - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]{,/**} + interface=org.freedesktop.PolicyKit[0-9]{,.**} + peer=(name="{org.freedesktop.DBus,:*}"), # all members + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=system path=/org/gnome/PolicyKit[0-9]/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent + peer=(name=:*), # all members + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent,AuthenticationAgentResponse2} + peer=(name=:*), + + dbus (bind) bus=system + name=org.freedesktop.PolicyKit[0-9], + + @{exec_path} mr, /etc/machine-id r, 
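Review bot: `dbus (bind) bus=system name=org.freedesktop.PolicyKit[0-9]` (and the `PolicyKit[0-9]` globs on the path and interface rules above it) lets polkitd claim and serve any single-digit `org.freedesktop.PolicyKitN` name, although only `PolicyKit1` exists; a well-known name is exactly the thing a bind rule should pin, so `name=org.freedesktop.PolicyKit1` is the safer form and costs nothing. If the glob is deliberate so that a future `PolicyKit2` works unchanged, say so in a comment, because a new protocol version would most likely need new member lists anyway. The `profile polkitd` block starts and ends outside this hunk.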
@@ -54,29 +73,16 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + # Silencer deny /.cache/ rw, - # DBus - dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,AddMatch,RemoveMatch,Hello,RequestName}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}" peer=(name="{org.freedesktop.DBus,:*}"), - - dbus send - bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"), - - dbus receive - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2}" peer=(name=":*"), - - dbus bind - bus="system" name="org.freedesktop.PolicyKit1", - - @{run}/dbus/system_bus_socket rw, - include if exists } diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7f29301c8..5ad67ae78 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked 
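Review bot: The relocated `@{PROC}/@{pids}/stat r,` and `@{PROC}/@{pids}/cmdline r,` deserve a why-comment, because they are security-relevant rather than cosmetic: polkitd identifies callers via `GetConnectionUnixProcessID` (granted earlier in this profile) and, as far as I know, reads the process start time from `/proc/<pid>/stat` to defend against PID reuse between the lookup and the decision, so `@{PROC}/@{pids}/stat r, # PID-reuse check: start time of the subject process` would make that clear. `@{PROC}/1/environ r,` is less obvious; if it is an init/container detection read, note it (`# NOTE(review): presumably init/container detection — confirm`). The `profile polkitd` block starts outside this hunk; its closing brace is the last line.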
@@ -11,25 +11,26 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, - capability syslog, capability sys_ptrace, + capability syslog, ptrace (read), + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/fuser rix, - network inet dgram, - network inet6 dgram, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/unix r, + owner @{PROC}/@{pid}/stat r, @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/maps r, @{PROC}/swaps r, include if exists -} +} \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 9033252a4..9d8baf1e4 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
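Review bot: This hunk reintroduces the missing trailing newline that the first patch of the series fixed: the old `}` had one and the new `}` is followed by `\ No newline at end of file`, so the file regresses to where it started; keep the newline. The reorder also leaves `network inet dgram,` and `network inet6 dgram,` still without a comment on what a root-run lock checker needs UDP sockets for, which is the one rule here a reviewer will keep asking about. The new `owner @{PROC}/@{pid}/stat r,` is fine. The `profile package-system-locked` block starts outside this hunk; its closing brace is the last line.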
@@ -11,29 +12,53 @@ profile pkexec @{exec_path} flags=(complain) { include include include + include include include signal (send) set=(term, kill) peer=polkit-agent-helper, - capability sys_ptrace, capability audit_write, capability dac_read_search, - - # gdbus - capability setgid, - # gmain - capability setuid, - - # Needed? - deny capability sys_nice, + capability setgid, # gdbus + capability setuid, # gmain + capability sys_ptrace, + audit deny capability sys_nice, ptrace (read), network netlink raw, + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={EnumerateActions,CheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent} + peer=(name=:*), + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/Authority + interface=org.freedesktop.PolicyKit[0-9]*.Authority + member=Changed + peer=(name=:*), + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9]*.AuthenticationAgent + member=BeginAuthentication + peer=(name=:*), + @{exec_path} mr, + # Apps to be run via pkexec + /{usr/,}{s,}bin/* rPUx, + @{libexec}/gvfs/gvfsd-admin rPUx, #(#FIXME#) + @{libexec}/polkit-agent-helper-[0-9] rPx, + @{libexec}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + /{usr/,}lib/update-notifier/package-system-locked rPx, + /usr/share/apport/apport-gtk rPx, + /etc/shells r, /etc/environment r, /etc/default/locale r, 
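Review bot: The new D-Bus rules mix two globs for the same name: the send rules use `path=/org/freedesktop/PolicyKit[0-9]/Authority` and `interface=org.freedesktop.PolicyKit[0-9].Authority`, while the two receive rules use `PolicyKit[0-9]*`, which also matches `PolicyKit12` and similar; only `PolicyKit1` exists, so use the literal `PolicyKit1` in all four (or at least one consistent glob) rather than widening the receive side. The moved `/{usr/,}{s,}bin/* rPUx,` is the rule that matters once this profile leaves `flags=(complain)`: `PUx` runs any target without its own profile unconfined as root, which is what pkexec is for, but it should be recorded, e.g. `/{usr/,}{s,}bin/* rPUx, # target runs unconfined unless it has a profile (pkexec's purpose)`. The `profile pkexec` block starts and ends outside this hunk.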
@@ -42,28 +67,9 @@ profile pkexec @{exec_path} flags=(complain) { @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/fd/ r, - # Apps to be run via pkexec - /{usr/,}{s,}bin/* rPUx, - /{usr/,}bin/* rPUx, - /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/update-notifier/package-system-locked rPx, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - # DBus stricter - @{run}/dbus/system_bus_socket rw, - - dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="{GetAll,CheckAuthorization}" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name=":*"), - include if exists } From 43a366cca330fd5b8ba2129885158079c2b06ac7 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 21 Aug 2022 21:23:05 +0000 Subject: [PATCH 5/6] Update polkitd --- apparmor.d/groups/freedesktop/polkitd | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index d153b6bab..b88b613ca 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
@@ -22,29 +22,14 @@ profile polkitd @{exec_path} { ptrace (read), + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* + interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members + dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName} peer=(name=org.freedesktop.DBus), - dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]{,/**} - interface=org.freedesktop.PolicyKit[0-9]{,.**} - peer=(name="{org.freedesktop.DBus,:*}"), # all members - - dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), - - dbus (send) bus=system path=/org/gnome/PolicyKit[0-9]/AuthenticationAgent - interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent - peer=(name=:*), # all members - - dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent,AuthenticationAgentResponse2} - peer=(name=:*), - dbus (bind) bus=system name=org.freedesktop.PolicyKit[0-9], From bea1aab15ac4b1150a52b5b3f2d4564879c0af24 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 21 Aug 2022 21:24:20 +0000 Subject: [PATCH 6/6] Update pkexec --- apparmor.d/profiles-m-r/pkexec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 02fef93e0..9136dc223 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
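Review bot: Collapsing the rules into `dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}` also deletes the `dbus (send) bus=system path=/org/gnome/PolicyKit[0-9]/AuthenticationAgent ...` rule, and the new path glob does not match `/org/gnome/...`, so unless an include not visible here covers it, polkitd's `BeginAuthentication` call to the GNOME agent is no longer allowed and interactive authorization with that agent should fail once the profile is enforced. Keep an agent rule, preferably bound to the interface rather than a desktop-specific path: `dbus (send) bus=system interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent peer=(name=:*),`. The merged rule also has no `peer=` and no member filter in either direction; for the authority's own objects that is tolerable, but the `# all members` comment should say it is intentional. The `profile polkitd` block starts and ends outside this hunk.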
@@ -52,10 +52,10 @@ profile pkexec @{exec_path} flags=(complain) { @{exec_path} mr, # Apps to be run via pkexec - /{usr/,}{s,}bin/* rPUx, - @{libexec}/gvfs/gvfsd-admin rPUx, #(#FIXME#) - @{libexec}/polkit-agent-helper-[0-9] rPx, - @{libexec}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + /{usr/,}{s,}bin/* rPUx, + /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) + /{usr/,}lib/polkit-agent-helper-[0-9] rPx, + /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx,