felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update apparmor profiles

Browse source 
Adpated to the apparmor.d structure.

Signed-off-by: Mikhail Morfikov <mmorfikov@gmail.com>
This commit is contained in:
Mikhail Morfikov 2021-04-03 12:03:57 +02:00 committed by Alexandre Pujol
parent 19521569ce
commit 046443a702
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
35 changed files with 798 additions and 185 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/apt/usr.sbin.apt-cacher-ng
View file

@ -32,6 +32,10 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
/usr/lib/apt-cacher-ng/acngtool ixr,
# Allow serving local documentation
/etc/mime.types r,
/usr/share/doc/apt-cacher-ng/html/** r,
# used by libevent
@{PROC}/sys/kernel/random/uuid r,

32
apparmor.d/groups/desktop/obexautofs
View file

@ -17,10 +17,13 @@ profile obexautofs @{exec_path} {
@{exec_path} mr,
/usr/bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
owner @{HOME}/bluetooth/ r,
mount fstype=fuse.obexautofs -> @{HOME}/bluetooth/,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype=fuse.obexautofs -> @{HOME}/*/,
mount fstype=fuse.obexautofs -> @{HOME}/*/*/,
@{sys}/bus/ r,
@{sys}/class/ r,
@ -31,10 +34,31 @@ profile obexautofs @{exec_path} {
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{uevent,busnum,devnum,speed,descriptors} r,
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c189:* r,
@{run}/udev/data/c189:* r, # for /dev/bus/usb/**
/dev/bus/usb/ r,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
/etc/fuse.conf r,
/dev/fuse rw,
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/,
mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/obexautofs>
}

32
apparmor.d/groups/desktop/obexfs
View file

@ -16,12 +16,38 @@ profile obexfs @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
owner @{HOME}/bluetooth/ r,
mount fstype=fuse.obexfs -> @{HOME}/bluetooth/,
owner @{HOME}/*/ r,
owner @{HOME}/*/*/ r,
mount fstype=fuse.obexfs -> @{HOME}/*/,
mount fstype=fuse.obexfs -> @{HOME}/*/*/,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
network bluetooth stream,
/{usr/,}bin/fusermount{,3} mr,
/etc/fuse.conf r,
/dev/fuse rw,
mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/obexfs>
}

4
apparmor.d/groups/gvfs/gvfsd
View file

@ -16,8 +16,8 @@ profile gvfsd @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
# Don't strip env here.
/{usr/,}lib/gvfs/gvfsd-* rPx,
/usr/{lib,libexec}/gvfsd-* rPx,
/{usr/,}lib/gvfs/gvfsd-* rpx,
/usr/{lib,libexec}/gvfsd-* rpx,
/usr/share/gvfs/{,**} r,

12
apparmor.d/groups/gvfs/gvfsd-archive
View file

@ -15,9 +15,15 @@ profile gvfsd-archive @{exec_path} {
@{exec_path} mr,
owner /**.tar r,
owner /**.tar.gz r,
owner /**.zip r,
owner @{HOME}/**.{tar,tar.gz,zip} r,
owner /media/**.{TAR,TAR.GZ,ZIP} r,
owner @{HOME}/**.{tar,tar.gz,zip} r,
owner /media/**.{TAR,TAR.GZ,ZIP} r,
owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
owner /media/*/**.{iso,img,bin,mdf,nrg} r,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} r,
include if exists <local/gvfsd-archive>
}

27
apparmor.d/groups/gvfs/gvfsd-fuse
View file

@ -13,13 +13,34 @@ profile gvfsd-fuse @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
@{PROC}/sys/fs/pipe-max-size r,
/dev/fuse rw,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
capability dac_read_search,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
umount @{run}/user/[0-9]*/**/,
/etc/fuse.conf r,
/dev/fuse rw,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/gvfsd-fuse>
}

1
apparmor.d/groups/gvfs/gvfsd-mtp
View file

@ -12,6 +12,7 @@ profile gvfsd-mtp @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/devices-usb>
include <abstractions/user-download-strict>
network netlink raw,

6
apparmor.d/groups/gvfs/gvfsd-network
View file

@ -17,5 +17,11 @@ profile gvfsd-network @{exec_path} {
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
include if exists <local/gvfsd-network>
}

3
apparmor.d/groups/gvfs/gvfsd-smb-browse
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += /usr/{lib,libexec}/gvfsd-smb-browse
profile gvfsd-smb-browse @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network netlink raw,
network inet stream,
@ -27,5 +28,7 @@ profile gvfsd-smb-browse @{exec_path} {
/etc/samba/smb.conf r,
owner @{run}samba/ rw,
include if exists <local/gvfsd-smb-browse>
}

27
apparmor.d/groups/ssh/sshfs
View file

@ -13,14 +13,35 @@ profile sshfs @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/ssh rPx,
/{usr/,}bin/fusermount{,3} rPx,
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
/dev/fuse rw,
mount fstype=fuse.sshfs -> @{HOME}/*/,
mount fstype=fuse.sshfs -> @{HOME}/*/*/,
mount fstype=fuse.sshfs -> /media/*/,
mount fstype=fuse.sshfs -> /media/*/*/,
@{PROC}/sys/fs/pipe-max-size r,
profile fusermount {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To mount anything:
capability sys_admin,
/{usr/,}bin/fusermount{,3} mr,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
/etc/fuse.conf r,
/dev/fuse rw,
@{PROC}/@{pid}/mounts r,
}
include if exists <local/sshfs>
}