felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Reorganise the directories.

Browse source
This commit is contained in:
Alexandre Pujol 2021-04-01 17:02:49 +01:00
parent 91b15fcc73
commit 091d20d086
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
715 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
apparmor.d/abstractions/X.d/complete Normal file
View file

@ -0,0 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,

11
apparmor.d/abstractions/app-launcher-root Normal file
View file

@ -0,0 +1,11 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# Root app location
/ r,
/usr/ r,
/{usr/,}sbin/ r,
/{usr/,}sbin/[a-z0-9]* rPUx,

38
apparmor.d/abstractions/app-launcher-user Normal file
View file

@ -0,0 +1,38 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# User app location
/ r,
/usr/ r,
/{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx,
# Firefox
/{usr/,}lib/ r,
/{usr/,}lib/firefox/ r,
/{usr/,}lib/firefox/firefox* rPx,
# Google Chrome
/opt/ r,
/opt/google/ r,
/opt/google/chrome{,-beta,-unstable}/ r,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} rPx,
# Brave
/opt/brave.com/ r,
/opt/brave.com/brave{,-beta,-dev}/ r,
/opt/brave.com/brave{,-beta,-dev}/brave-browser{,-beta,-dev} rPx,
# Discord
/usr/share/ r,
/usr/share/discord/ r,
/usr/share/discord/Discord rPx,
# FreeTube
/opt/FreeTube/ r,
/opt/FreeTube/freetube rPx,
/opt/FreeTube-Vue/ r,
/opt/FreeTube-Vue/freetube-vue rPx,

28
apparmor.d/abstractions/apt-common Normal file
View file

@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/preferences r,
/etc/apt/preferences.d/{,*} r,
/etc/apt/sources.list r,
/etc/apt/sources.list.d/{,*.list} r,
/var/lib/apt/lists/{,**} r,
/var/lib/apt/extended_states r,
/var/cache/apt/pkgcache.bin r,
/var/cache/apt/srcpkgcache.bin r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/status r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]*[0-9] rw,

10
apparmor.d/abstractions/audio.d/complete Normal file
View file

@ -0,0 +1,10 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/share/sounds/ r,
# PulseAudio module-ladspa-sink (plugin sc4m_1916)
/usr/lib/ladspa/ r,
/usr/lib/ladspa/*.so mr,

26
apparmor.d/abstractions/base.d/complete Normal file
View file

@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/etc/writable/localtime r,
/usr/share/locale/ r,
# Allow to receive some signals
signal (receive) peer=top,
signal (receive) peer=htop,
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=su,
signal (receive) peer=sudo,
# Allow to write a user defined fifo log devices
owner /dev/log-xsession w,
owner /dev/log-gnupg w,
deny owner @{HOME}/.Private/ r,
deny owner @{HOME}/.Private/** mrixwlk,
deny owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
deny owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

21
apparmor.d/abstractions/deny-dconf Normal file
View file

@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
deny /etc/dconf/{,**} r,
# When this is blocked, expect lots of the following errors:
# dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
# dconf will not work properly.
deny owner @{run}/user/[0-9]*/dconf/{,**} rw,
deny owner @{HOME}/.config/dconf/{,**} rw,
deny owner @{HOME}/.cache/dconf/{,**} rw,
# When GSETTINGS_BACKEND=keyfile
deny owner @{HOME}/.config/glib-2.0/ rw,
deny owner @{HOME}/.config/glib-2.0/settings/ rw,
deny owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
deny owner @{HOME}/.config/glib-2.0/settings/.goutputstream-* rw,

16
apparmor.d/abstractions/deny-root-dir-access Normal file
View file

@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
# access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
# user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
#
# Note that some apps will work anyway when run as root even if all of the files in the /root/
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the
# needed files in the user home dir.
abi <abi/3.0>,
# Use audit for now to see whether some apps are trying to get access to the /root/ dir.
audit deny /root/{,**} rwkmlx,

23
apparmor.d/abstractions/devices-usb Normal file
View file

@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
/dev/ r,
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
@{sys}/class/ r,
@{sys}/bus/ r,
@{sys}/bus/usb/ r,
@{sys}/bus/usb/devices/{,**} r,
@{sys}/devices/**/usb[0-9]/{,**} rw,
# Udev data about usb devices (~equal to content of lsusb -v)
@{run}/udev/data/+usb:* r,
@{run}/udev/data/c16[6,7]* r,
@{run}/udev/data/c18[0,8,9]* r,

79
apparmor.d/abstractions/disks-read Normal file
View file

@ -0,0 +1,79 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# The /sys/ entries probably should be tightened
/dev/ r,
# Regular disk/partition devices
/dev/sd[a-z] rk,
/dev/sd[a-z][0-9]* rk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rk,
/dev/mmcblk[0-9]*p[0-9]* rk,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
# Loop devices
/dev/loop[0-9]* rk,
/dev/loop[0-9]*p[0-9]* rk,
@{sys}/devices/virtual/block/loop[0-9]*/ r,
@{sys}/devices/virtual/block/loop[0-9]*/** r,
# LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rk,
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZRAM devices
/dev/zram[0-9]* rk,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
# CD-ROM
/dev/sr[0-9]* rk,
@{sys}/class/block/ r,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
# According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
# dynamically by the kernel for devices which don't have official numbers assigned. It looks like
# that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # for ?

79
apparmor.d/abstractions/disks-write Normal file
View file

@ -0,0 +1,79 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# The /sys/ entries probably should be tightened
/dev/ r,
# Regular disk/partition devices
/dev/sd[a-z] rwk,
/dev/sd[a-z][0-9]* rwk,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
# SD card devices
/dev/mmcblk[0-9]* rwk,
/dev/mmcblk[0-9]*p[0-9]* rwk,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
# Loop devices
/dev/loop[0-9]* rwk,
/dev/loop[0-9]*p[0-9]* rwk,
@{sys}/devices/virtual/block/loop[0-9]*/ r,
@{sys}/devices/virtual/block/loop[0-9]*/** r,
# LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rwk,
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZRAM devices
/dev/zram[0-9]* rwk,
@{sys}/devices/virtual/block/zram[0-9]*/ r,
@{sys}/devices/virtual/block/zram[0-9]*/** r,
# CD-ROM
/dev/sr[0-9]* rwk,
@{sys}/class/block/ r,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
# According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
# dynamically by the kernel for devices which don't have official numbers assigned. It looks like
# that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
# visible in the /proc/devices file.
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
@{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
@{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
@{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/+usb:* r, # for ?

124
apparmor.d/abstractions/evince Normal file
View file

@ -0,0 +1,124 @@
# vim:syntax=apparmor
#
# abstraction used by evince binaries
#
include <abstractions/gnome>
include <abstractions/p11-kit>
include <abstractions/ubuntu-helpers>
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/status r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
# move out to the gnome abstraction if anyone else needs these
/dev/.udev/{data,db}/* r,
/etc/udev/udev.conf r,
/sys/devices/**/block/**/uevent r,
# apport
/etc/default/apport r,
# XFCE
/etc/xfce4/defaults.list r,
# Lubuntu
/etc/xdg/lubuntu/applications/defaults.list r,
# evince specific
/etc/ r,
/etc/fstab r,
/etc/texmf/ r,
/etc/texmf/** r,
/etc/xpdf/* r,
owner @{HOME}/.config/evince/ rw,
owner @{HOME}/.config/evince/** rwkl,
/usr/bin/gs-esp ixr,
/usr/bin/mktexpk Cx -> sanitized_helper,
/usr/bin/mktextfm Cx -> sanitized_helper,
/usr/bin/dvipdfm Cx -> sanitized_helper,
/usr/bin/dvipdfmx Cx -> sanitized_helper,
# supported archivers
/bin/gzip ixr,
/bin/bzip2 ixr,
/usr/bin/unrar* ixr,
/usr/bin/unzip ixr,
/usr/bin/7zr ixr,
/usr/lib/p7zip/7zr ixr,
/usr/bin/7za ixr,
/usr/lib/p7zip/7za ixr,
/usr/bin/zipnote ixr,
/bin/tar ixr,
/usr/bin/xz ixr,
# allow read access to anything in /usr/share, for plugins and input methods
/usr/local/share/** r,
/usr/share/** r,
/usr/lib/ghostscript/** mr,
/var/lib/ghostscript/** r,
/var/lib/texmf/** r,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read for all supported file formats
/**.[bB][mM][pP] r,
/**.[dD][jJ][vV][uU] r,
/**.[dD][vV][iI] r,
/**.[gG][iI][fF] r,
/**.[jJ][pP][gG] r,
/**.[jJ][pP][eE][gG] r,
/**.[oO][dD][pP] r,
/**.[fFpP][dD][fF] r,
/**.[pP][nN][mM] r,
/**.[pP][nN][gG] r,
/**.[pP][sS] r,
/**.[eE][pP][sS] r,
/**.[eE][pP][sS][fFiI23] r,
/**.[tT][iI][fF] r,
/**.[tT][iI][fF][fF] r,
/**.[xX][pP][mM] r,
/**.[gG][zZ] r,
/**.[bB][zZ]2 r,
/**.[cC][bB][rRzZ7] r,
/**.[xX][zZ] r,
# Use abstractions/private-files instead of abstractions/private-files-strict
# and add the sensitive files manually to work around LP: #451422. The goal
# is to disallow access to the .mozilla folder in general, but to allow
# access to the Cache directory, which the browser may tell evince to open
# from directly.
include <abstractions/private-files>
audit deny @{HOME}/.gnupg/** mrwkl,
audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl,
audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
audit deny @{HOME}/.pki/nssdb/** w,
audit deny @{HOME}/.mozilla/*/*/* mrwkl,
audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
audit deny @{HOME}/.config/chromium/** mrwkl,
audit deny @{HOME}/.evolution/** mrwkl,
audit deny @{HOME}/.config/evolution/** mrwkl,
audit deny @{HOME}/.kde/share/config/** mrwkl,
audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
# When LP: #451422 is fixed, change the above to simply be:
include <abstractions/private-files-strict>
#owner @{HOME}/.mozilla/**/*Cache/* r,
# Site-specific additions and overrides. See local/README for details.
include <local/usr.bin.evince>

13
apparmor.d/abstractions/file-browsing-strict Normal file
View file

@ -0,0 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
deny @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/@{pid}/mounts r,
# Usually, apps shouldn't view this file
deny /etc/fstab r,
deny /dev/disk/*/ r,

19
apparmor.d/abstractions/flatpak-snap Normal file
View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018 Nibaldo Gonzalez <nibgonz@gmail.com>
# 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# Flatpak
/var/lib/flatpak/exports/share/{,**} r,
/var/lib/flatpak/app/**/export/share/applications/{,*.desktop} r,
owner @{HOME}/.local/share/flatpak/exports/share/{,**} r,
owner @{HOME}/.local/share/flatpak/app/{,**.desktop} r,
deny owner @{HOME}/.local/share/flatpak/** w,
# Snap
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/*.desktop r,
/var/lib/snapd/desktop/applications/ r,

42
apparmor.d/abstractions/fontconfig-cache-read Normal file
View file

@ -0,0 +1,42 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
# The fontconfig cache can be generated via the following command:
# $ fc-cache -f -v
# There's no need to give apps the ability to create cache for their own. Apps can generate the
# fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
# the "fontconfig-cache-write" abstraction.
owner @{HOME}/.cache/fontconfig/ r,
deny @{HOME}/.cache/fontconfig/ w,
deny @{HOME}/.cache/fontconfig/** w,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.fontconfig/ r,
deny @{HOME}/.fontconfig/ w,
deny @{HOME}/.fontconfig/** w,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
/var/cache/fontconfig/ r,
deny /var/cache/fontconfig/ w,
deny /var/cache/fontconfig/** w,
/var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
/var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid r,
deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
/usr/share/**/.uuid r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
# For Google Fonts downloaded via font-manager
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid" r,
deny "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w,
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid" r,
deny "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,

27
apparmor.d/abstractions/fontconfig-cache-write Normal file
View file

@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
owner @{HOME}/.cache/fontconfig/ rw,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
owner @{HOME}/.fontconfig/ rw,
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
# identify the font directory and is used to determine the cache filename if available.
owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
# For Google Fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw,
link "@{HOME}/.local/share/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",
owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw,
link "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*",

6
apparmor.d/abstractions/freedesktop.org.d/complete Normal file
View file

@ -0,0 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/.icons/default/index.theme r,

9
apparmor.d/abstractions/fzf Normal file
View file

@ -0,0 +1,9 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
owner @{HOME}/.fzf/{,**} r,
owner @{HOME}/.fzf.* r,

45
apparmor.d/abstractions/gstreamer Normal file
View file

@ -0,0 +1,45 @@
# vim:syntax=apparmor
include <abstractions/base>
include <abstractions/p11-kit>
include <abstractions/X>
# TODO: adjust when support finer-grained netlink rules
network netlink raw,
/etc/udev/udev.conf r,
/etc/wildmidi/wildmidi.cfg r,
/dev/ r,
/dev/bus/usb/ r,
/dev/dri/ r,
# /dev/shm is a symlink to /run/shm on ubuntu
owner /{dev,run}/shm/shmfd-* rw,
/run/udev/data/c* r,
/run/udev/data/+pci:* r,
/run/udev/data/+usb* r,
/sys/bus/ r,
/sys/bus/usb/devices/ r,
/sys/class/ r,
/sys/class/drm/ r,
/sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
/sys/devices/system/node/ r,
/sys/devices/system/node/*/meminfo r,
owner /tmp/orcexec.* mrw,
owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
# needed if /tmp is mounted noexec:
owner @{HOME}/orcexec.* mr,
/usr/lib/frei0r-[0-9]/*.so m,
# /usr/lib/@{multiarch}/dri/** mr,
/usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
/usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
/usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,

41
apparmor.d/abstractions/gtk Normal file
View file

@ -0,0 +1,41 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
/usr/share/themes/{,**} r,
/usr/share/gtksourceview-[0-9]*/ r,
/usr/share/gtksourceview-[0-9]*/** r,
/usr/share/gtk-3.0/ r,
/usr/share/gtk-3.0/settings.ini r,
/etc/gtk-2.0/ r,
/etc/gtk-2.0/gtkrc r,
/etc/gtk-3.0/ r,
/etc/gtk-3.0/*.conf r,
/etc/gtk/gtkrc r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.config/gtkrc r,
owner @{HOME}/.config/gtkrc-2.0 r,
owner @{HOME}/.config/gtk-3.0/ rw,
owner @{HOME}/.config/gtk-3.0/settings.ini r,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
owner @{HOME}/.config/gtk-3.0/gtk.css r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ rw,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# .Xauthority file required for X connections
owner @{HOME}/.Xauthority r,
# Xsession errors file
owner @{HOME}/.xsession-errors w,

18
apparmor.d/abstractions/ibus.d/complete Normal file
View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# abstract path in ibus < 1.5.22 uses /tmp
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/ibus/dbus-*"),
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs})
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),

31
apparmor.d/abstractions/kde4 Normal file
View file

@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
/usr/share/kde4/** r,
/{usr/,}lib/kde4/*.so mr,
/{usr/,}lib/kde4/plugins/*/ r,
/{usr/,}lib/kde4/plugins/*/*.so mr,
# Create home KDE directory structure
owner @{HOME}/.kde{,4}/ rw,
owner @{HOME}/.kde{,4}/**/ rw,
owner @{HOME}/.config/kde.org/ rw,
owner @{HOME}/.config/kde.org/**/ rw,
# Common configs
owner @{HOME}/.kde{,4}/share/config/kdeglobals r,
owner @{HOME}/.kde{,4}/share/config/kdebugrc r,
owner @{HOME}/.kde{,4}/share/config/servicetype_profilerc r,
# Phonon
owner @{HOME}/.config/kde.org/libphonon.conf rk,
owner @{HOME}/.config/Trolltech.conf rk,
owner /var/tmp/kdecache-*/ r,
owner /var/tmp/kdecache-*/** r,
owner /var/tmp/kdecache-*/*.kcache rw,

60
apparmor.d/abstractions/kde5-plasma5 Normal file
View file

@ -0,0 +1,60 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <abstractions/thumbnails-cache-read>
# KDE/Plasma5 themes
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
#/{usr/,}lib/@{multiarch}/qt5/plugins/styles/breeze.so mr,
#/usr/share/plasma/look-and-feel/** r,
#/usr/share/color-schemes/*.colors r,
#/usr/share/kservices5/{,**/} r,
#/usr/share/kservices5/*.protocol r,
#/usr/share/knotifications5/plasma_workspace.notifyrc r,
# For app config (in order to work the KDE_APP_NAME variable has to be set in profile which
# includes this abstraction)
#owner @{HOME}/.config/#[0-9]*[0-9] rwk,
#owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9],
#owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
#owner @{run}/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
# Common KDE config files
#owner @{HOME}/.config/#[0-9]*[0-9] rw,
#owner @{HOME}/.config/kdeglobals* rwkl -> @{HOME}/.config/#[0-9]*[0-9],
#owner @{HOME}/.config/baloofilerc r,
#owner @{HOME}/.config/dolphinrc r,
#owner @{HOME}/.config/trashrc r,
#owner @{HOME}/.config/knfsshare r,
#owner /**/.directory r,
# For bookmarks
#/{usr/,}bin/keditbookmarks rPUx,
#owner @{HOME}/.local/share/kfile/ rw,
#owner @{HOME}/.local/share/kfile/#[0-9]*[0-9] rw,
#owner @{HOME}/.local/share/kfile/bookmarks.xml* rwl -> @{HOME}/.local/share/kfile/#[0-9]*[0-9],
# Common cache files
#owner @{HOME}/.cache/icon-cache.kcache rw,
#owner @{HOME}/.cache/ksycoca5_* r,
# Think what to do about this #FIXME#
# It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following.
include <abstractions/recent-documents-write>
#signal (send) set=(term, kill) peer=unconfined,
#deny @{sys}/bus/ r,
#deny @{sys}/bus/usb/devices/ r,
#deny @{sys}/class/ r,
#deny @{run}/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc.
#deny @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
#deny @{run}/udev/data/+usb:* r, #
#/etc/exports r,
#/etc/xdg/menus/ r,
#/usr/share/mime/ r,
#owner @{HOME}/.config/menus/ r,
#owner @{HOME}/.config/menus/applications-merged/ r,

121
apparmor.d/abstractions/libvirt-lxc Normal file
View file

@ -0,0 +1,121 @@
#include <abstractions/base>
# Allow receiving signals from libvirtd
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
umount,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse.*,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,
# Site-specific additions and overrides. See local/README for details.
#include <local/abstractions/libvirt-lxc>

248
apparmor.d/abstractions/libvirt-qemu Normal file
View file

@ -0,0 +1,248 @@
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# required for reading disk images
capability dac_override,
capability dac_read_search,
capability chown,
# needed to drop privileges
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
ptrace (readby, tracedby) peer=libvirtd,
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
/dev/kvm rw,
/dev/net/tun rw,
/dev/ptmx rw,
@{PROC}/*/status r,
# When qemu is signaled to terminate, it will read cmdline of signaling
# process for reporting purposes. Allowing read access to a process
# cmdline may leak sensitive information embedded in the cmdline.
@{PROC}/@{pid}/cmdline r,
# Per man(5) proc, the kernel enforces that a thread may
# only modify its comm value or those in its thread group.
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/cap_last_cap r,
@{PROC}/sys/vm/overcommit_memory r,
# detect hardware capabilities via qemu_getauxval
owner @{PROC}/*/auxv r,
# For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
/run/udev/data/+usb* r,
/run/udev/data/c16[6,7]* r,
/run/udev/data/c18[0,8,9]* r,
# WARNING: this gives the guest direct access to host hardware and specific
# portions of shared memory. This is required for sound using ALSA with kvm,
# but may constitute a security risk. If your environment does not require
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
# the rules for files in /dev.
/dev/snd/* rw,
/{dev,run}/shm r,
/{dev,run}/shmpulse-shm* r,
/{dev,run}/shmpulse-shm* rwk,
capability ipc_lock,
# spice
owner /{dev,run}/shm/spice.* rw,
# 'kill' is not required for sound and is a security risk. Do not enable
# unless you absolutely need it.
deny capability kill,
# Uncomment the following if you need access to /dev/fb*
#/dev/fb* rw,
/etc/pulse/client.conf r,
@{HOME}/.pulse-cookie rwk,
owner /root/.pulse-cookie rwk,
owner /root/.pulse/ rw,
owner /root/.pulse/* rw,
/usr/share/alsa/** r,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
/var/lib/dbus/machine-id r,
# access to firmware's etc
/usr/share/AAVMF/** r,
/usr/share/bochs/** r,
/usr/share/edk2-ovmf/** r,
/usr/share/kvm/** r,
/usr/share/misc/sgabios.bin r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
/usr/share/OVMF/** r,
/usr/share/ovmf/** r,
/usr/share/proll/** r,
/usr/share/qemu-efi/** r,
/usr/share/qemu-kvm/** r,
/usr/share/qemu/** r,
/usr/share/seabios/** r,
/usr/share/sgabios/** r,
/usr/share/slof/** r,
/usr/share/vgabios/** r,
# pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
/etc/pki/CA/ r,
/etc/pki/CA/* r,
/etc/pki/libvirt{,-spice,-vnc}/ r,
/etc/pki/libvirt{,-spice,-vnc}/** r,
/etc/pki/qemu/ r,
/etc/pki/qemu/** r,
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/kvm-spice rmix,
/usr/bin/qemu rmix,
/usr/bin/qemu-aarch64 rmix,
/usr/bin/qemu-alpha rmix,
/usr/bin/qemu-arm rmix,
/usr/bin/qemu-armeb rmix,
/usr/bin/qemu-cris rmix,
/usr/bin/qemu-i386 rmix,
/usr/bin/qemu-kvm rmix,
/usr/bin/qemu-m68k rmix,
/usr/bin/qemu-microblaze rmix,
/usr/bin/qemu-microblazeel rmix,
/usr/bin/qemu-mips rmix,
/usr/bin/qemu-mips64 rmix,
/usr/bin/qemu-mips64el rmix,
/usr/bin/qemu-mipsel rmix,
/usr/bin/qemu-mipsn32 rmix,
/usr/bin/qemu-mipsn32el rmix,
/usr/bin/qemu-or32 rmix,
/usr/bin/qemu-ppc rmix,
/usr/bin/qemu-ppc64 rmix,
/usr/bin/qemu-ppc64abi32 rmix,
/usr/bin/qemu-ppc64le rmix,
/usr/bin/qemu-s390x rmix,
/usr/bin/qemu-sh4 rmix,
/usr/bin/qemu-sh4eb rmix,
/usr/bin/qemu-sparc rmix,
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-system-aarch64 rmix,
/usr/bin/qemu-system-alpha rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-hppa rmix,
/usr/bin/qemu-system-i386 rmix,
/usr/bin/qemu-system-lm32 rmix,
/usr/bin/qemu-system-m68k rmix,
/usr/bin/qemu-system-microblaze rmix,
/usr/bin/qemu-system-microblazeel rmix,
/usr/bin/qemu-system-mips rmix,
/usr/bin/qemu-system-mips64 rmix,
/usr/bin/qemu-system-mips64el rmix,
/usr/bin/qemu-system-mipsel rmix,
/usr/bin/qemu-system-moxie rmix,
/usr/bin/qemu-system-nios2 rmix,
/usr/bin/qemu-system-or1k rmix,
/usr/bin/qemu-system-or32 rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
/usr/bin/qemu-system-ppcemb rmix,
/usr/bin/qemu-system-riscv32 rmix,
/usr/bin/qemu-system-riscv64 rmix,
/usr/bin/qemu-system-s390x rmix,
/usr/bin/qemu-system-sh4 rmix,
/usr/bin/qemu-system-sh4eb rmix,
/usr/bin/qemu-system-sparc rmix,
/usr/bin/qemu-system-sparc64 rmix,
/usr/bin/qemu-system-tricore rmix,
/usr/bin/qemu-system-unicore32 rmix,
/usr/bin/qemu-system-x86_64 rmix,
/usr/bin/qemu-system-xtensa rmix,
/usr/bin/qemu-system-xtensaeb rmix,
/usr/bin/qemu-unicore32 rmix,
/usr/bin/qemu-x86_64 rmix,
# for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr,
# let qemu load old shared objects after upgrades (LP: #1847361)
/{var/,}run/qemu/*/*.so mr,
# but explicitly deny writing to these files
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
/{usr/,}bin/swtpm rmix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
/{usr/,}bin/cat rmix,
# for restore
/{usr/,}bin/bash rmix,
# for usb access
/dev/bus/usb/ r,
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
# for rbd
/etc/ceph/ceph.conf r,
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base
# dir and a few known functions like samba support.
# We want to avoid to give blanket rw permission to everything under /tmp,
# users are expected to add site specific addons for more uncommon cases.
# Qemu processes usually all run as the same users, so the "owner"
# restriction prevents access to other services files, but not across
# different instances.
# This is a tradeoff between usability and security - if paths would be more
# predictable that would be preferred - at least for write rules we would
# want more unique paths per rule.
/{,var/}tmp/ r,
owner /{,var/}tmp/**/ r,
# for file-posix getting limits since 9103f1ce
/sys/devices/**/block/*/queue/max_segments r,
# for ppc device-tree access
@{PROC}/device-tree/ r,
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
# allow connect with openGraphicsFD to work
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
/sys/devices/system/node/node[0-9]*/meminfo r,
/sys/module/vhost/parameters/max_mem_regions r,
# silence refusals to open lttng files (see LP: #1432644)
deny /dev/shm/lttng-ust-wait-* r,
deny /run/shm/lttng-ust-wait-* r,
# for vfio hotplug on systems without static vfio (LP: #1775777)
/dev/vfio/vfio rw,
# required for sasl GSSAPI plugin
/etc/gss/mech.d/ r,
/etc/gss/mech.d/* r,
# required by libpmem init to fts_open()/fts_read() the symlinks in
# /sys/bus/nd/devices
/ r, # harmless on any lsb compliant system
/sys/bus/nd/devices/{,**/} r,
# Site-specific additions and overrides. See local/README for details.
#include <local/abstractions/libvirt-qemu>

114
apparmor.d/abstractions/lightdm Normal file
View file

@ -0,0 +1,114 @@
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.pitt@ubuntu.com>
# This abstraction provides the majority of the confinement for guest sessions.
# It is in its own abstraction so we can have a centralized place for
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
# etc). Note that this profile intentionally omits chromium-browser.
# Requires apparmor 2.9
include <abstractions/authentication>
include <abstractions/cups-client>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/nameservice>
include <abstractions/wutmp>
# bug in compiz https://launchpad.net/bugs/697678
/etc/compizconfig/config rw,
/etc/compizconfig/unity.ini rw,
/ r,
/bin/ rmix,
/bin/fusermount Px,
/bin/** rmix,
/cdrom/ rmix,
/cdrom/** rmix,
/dev/ r,
/dev/** rmw, # audio devices etc.
owner /dev/shm/** rmw,
/etc/ r,
/etc/** rmk,
/etc/X11/Xsession ix,
/etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
/etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
/lib/ r,
/lib/** rmixk,
/lib32/ r,
/lib32/** rmixk,
/lib64/ r,
/lib64/** rmixk,
owner /{,run/}media/ r,
owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
/opt/ r,
/opt/** rmixk,
@{PROC}/ r,
@{PROC}/* rm,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/asound rm,
@{PROC}/asound/** rm,
@{PROC}/ati rm,
@{PROC}/ati/** rm,
@{PROC}/sys/vm/overcommit_memory r,
owner @{PROC}/** rm,
# needed for gnome-keyring-daemon
@{PROC}/*/status r,
# needed for bamfdaemon and utilities such as ps and killall
@{PROC}/*/stat r,
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
/sys/** rm,
# needed for confined trusted helpers, such as dbus-daemon
/sys/kernel/security/apparmor/.access rw,
/tmp/ rw,
owner /tmp/** rwlkmix,
/usr/ r,
/usr/** rmixk,
/var/ r,
/var/** rmixk,
/var/guest-data/** rw, # allow to store files permanently
/var/tmp/ rw,
owner /var/tmp/** rwlkm,
/{,var/}run/ r,
# necessary for writing to sockets, etc.
/{,var/}run/** rmkix,
/{,var/}run/mir_socket rw,
/{,var/}run/screen/** wl,
/{,var/}run/shm/** wl,
/{,var/}run/uuidd/request w,
# libpam-xdg-support/logind
owner /{,var/}run/user/*/** rw,
capability ipc_lock,
# allow processes in the guest session to signal and ptrace each other
signal peer=@{profile_name},
ptrace peer=@{profile_name},
# needed when logging out of the guest session
signal (receive) peer=unconfined,
unix peer=(label=@{profile_name}),
unix (receive) peer=(label=unconfined),
unix (create),
unix (getattr, getopt, setopt, shutdown),
unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
unix (bind, listen) type=stream addr="@guest*",
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
unix (connect, receive, send) type=stream peer=(addr="@guest*"),
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
deny capability dac_read_search,
#deny /etc/** w, # re-enable once LP#697678 is fixed
deny /usr/** w,
deny /var/crash/ w,

76
apparmor.d/abstractions/lightdm_chromium-browser Normal file
View file

@ -0,0 +1,76 @@
# vim:syntax=apparmor
# Profile abstraction for restricting chromium in the lightdm guest session
# Author: Jamie Strandboge <jamie@canonical.com>
# The abstraction provides the additional accesses required to launch
# chromium based browsers from within an lightdm session. Because AppArmor
# cannot yet merge profiles and because we want to utilize the access rules
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
# Requires apparmor 2.9
/usr/lib/chromium/chromium Cx -> chromium,
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
/usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
/opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
/opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
/opt/google/chrome/google-chrome Cx -> chromium,
# Allow ptracing processes in the chromium child profile
ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow receiving and sending signals to processes in the chromium child profile
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow communications with chromium child profile via unix sockets
unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
profile chromium {
# Allow all the same accesses as other applications in the guest session
include <abstractions/lightdm>
# but also allow a few things because of chromium-browser's sandboxing that
# are not appropriate to other guest session applications.
owner @{PROC}/[0-9]*/oom_{,score_}adj w,
@{PROC}/sys/kernel/shmmax r,
capability sys_admin, # for sandbox to change namespaces
capability sys_chroot, # fod sandbox to chroot to a safe directory
capability setgid, # for sandbox to drop privileges
capability setuid, # for sandbox to drop privileges
capability sys_ptrace, # chromium needs this to keep track of itself
@{PROC}/sys/kernel/yama/ptrace_scope r,
# Allow ptrace reads of processes in the lightdm-guest-session
ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow other guest session processes to read and trace us
ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
ptrace (readby, tracedby) peer=@{profile_name},
# Allow us to receive and send signals from processes in the
# lightdm-guest-session
signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow us to receive and send on unix sockets from processes in the
# lightdm-guest-session
unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
@{PROC}/[0-9]*/statm r, # sandbox wants these
@{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/uid_map w,
owner @{PROC}/@{pid}/gid_map w,
/selinux/ r,
/usr/lib/chromium/chrome-sandbox ix,
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
/opt/google/chrome-*/chrome-sandbox ix,
}

225
apparmor.d/abstractions/lxc/container-base Normal file
View file

@ -0,0 +1,225 @@
network,
capability,
file,
umount,
# dbus, signal, ptrace and unix are only supported by recent apparmor
# versions. Comment them if the apparmor parser doesn't recognize them.
# This also needs additional rules to reach outside of the container via
# DBus, so just let all of DBus within the container.
dbus,
# Allow us to receive signals from anywhere. Note: if per-container profiles
# are supported, for container isolation this should be changed to something
# like:
# signal (receive) peer=unconfined,
# signal (receive) peer=/usr/bin/lxc-start,
signal (receive),
# Allow us to send signals to ourselves
signal peer=@{profile_name},
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace ourselves
ptrace peer=@{profile_name},
# Allow receive via unix sockets from anywhere. Note: if per-container
# profiles are supported, for container isolation this should be changed to
# something like:
# unix (receive) peer=(label=unconfined),
unix (receive),
# Allow all unix in the container
unix peer=(label=@{profile_name}),
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
deny mount options=(ro, remount, silent) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow hugetlbfs mounts everywhere
mount fstype=hugetlbfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse,
mount fstype=fuse.*,
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/kcore rwklx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/acpi/** rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
# mount options=(rw,make-rslave) -> **,
# mount options=(rw,make-shared) -> **,
# mount options=(rw,make-rshared) -> **,
# mount options=(rw,make-private) -> **,
# mount options=(rw,make-rprivate) -> **,
# mount options=(rw,make-unbindable) -> **,
# mount options=(rw,make-runbindable) -> **,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
mount options=(rw,bind) /d[^e]*{,/**},
mount options=(rw,bind) /de[^v]*{,/**},
mount options=(rw,bind) /dev/.[^l]*{,/**},
mount options=(rw,bind) /dev/.l[^x]*{,/**},
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
mount options=(rw,bind) /dev/.lxc?*{,/**},
mount options=(rw,bind) /dev/[^.]*{,/**},
mount options=(rw,bind) /dev?*{,/**},
mount options=(rw,bind) /p[^r]*{,/**},
mount options=(rw,bind) /pr[^o]*{,/**},
mount options=(rw,bind) /pro[^c]*{,/**},
mount options=(rw,bind) /proc?*{,/**},
mount options=(rw,bind) /s[^y]*{,/**},
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
# allow various ro-bind-*re*-mounts
mount options=(ro,remount,bind),
mount options=(ro,remount,bind,nosuid),
mount options=(ro,remount,bind,noexec),
mount options=(ro,remount,bind,nodev),
mount options=(ro,remount,bind,nosuid,noexec),
mount options=(ro,remount,bind,noexec,nodev),
mount options=(ro,remount,bind,nodev,nosuid),
mount options=(ro,remount,bind,nosuid,noexec,nodev),
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
mount options=(rw,move) /de[^v]*{,/**},
mount options=(rw,move) /dev/.[^l]*{,/**},
mount options=(rw,move) /dev/.l[^x]*{,/**},
mount options=(rw,move) /dev/.lx[^c]*{,/**},
mount options=(rw,move) /dev/.lxc?*{,/**},
mount options=(rw,move) /dev/[^.]*{,/**},
mount options=(rw,move) /dev?*{,/**},
mount options=(rw,move) /p[^r]*{,/**},
mount options=(rw,move) /pr[^o]*{,/**},
mount options=(rw,move) /pro[^c]*{,/**},
mount options=(rw,move) /proc?*{,/**},
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,

50
apparmor.d/abstractions/lxc/start-container Normal file
View file

@ -0,0 +1,50 @@
network,
capability,
file,
# The following 3 entries are only supported by recent apparmor versions.
# Comment them if the apparmor parser doesn't recognize them.
dbus,
signal,
ptrace,
# currently blocked by apparmor bug
mount -> /usr/lib*/*/lxc/{**,},
mount -> /usr/lib*/lxc/{**,},
mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
mount options=(rw, make-slave) -> **,
mount options=(rw, make-rslave) -> **,
mount fstype=debugfs,
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
mount -> /var/lib/lxc/{**,},
mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
# required for some pre-mount hooks
mount fstype=overlayfs,
mount fstype=aufs,
mount fstype=ecryptfs,
# all umounts are under the original root's /mnt, but right now we
# can't allow those umounts after pivot_root. So allow all umounts
# right now. They'll be restricted for the container at least.
umount,
#umount /mnt/{**,},
# This may look a bit redundant, however it appears we need all of
# them if we want things to work properly on all combinations of kernel
# and userspace parser...
pivot_root /usr/lib*/lxc/,
pivot_root /usr/lib*/*/lxc/,
pivot_root /usr/lib*/lxc/**,
pivot_root /usr/lib*/*/lxc/**,
pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
change_profile -> lxc-*,
change_profile -> lxc-**,
change_profile -> unconfined,
change_profile -> :lxc-*:unconfined,

22
apparmor.d/abstractions/nameservice-strict Normal file
View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
/etc/hosts r,
/etc/host.conf r,
/etc/resolv.conf r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/gai.conf r,
/etc/group r,
/etc/protocols r,
/etc/default/nss r,
/etc/services r,
# NSS records from systemd-userdbd.service
/{var,}run/systemd/userdb/ r,
/{var,}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,

9
apparmor.d/abstractions/python.d/complete Normal file
View file

@ -0,0 +1,9 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
# Silencer
/{usr/,}lib/python3/** w,

19
apparmor.d/abstractions/systemd-common Normal file
View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
ptrace (read),
owner @{PROC}/@{pid}/stat r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
/dev/kmsg w,
@{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,

13
apparmor.d/abstractions/thumbnails-cache-read Normal file
View file

@ -0,0 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
owner @{HOME}/thumbnails/ r,
owner @{HOME}/thumbnails/{large,normal}/ r,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
owner @{HOME}/.cache/thumbnails/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/ r,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png r,

15
apparmor.d/abstractions/thumbnails-cache-write Normal file
View file

@ -0,0 +1,15 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
owner @{HOME}/thumbnails/ rw,
owner @{HOME}/thumbnails/{large,normal}/ rw,
owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],
owner @{HOME}/.cache/thumbnails/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/ rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{HOME}/.cache/thumbnails/{large,normal}/#[0-9]*[0-9],

31
apparmor.d/abstractions/tor Normal file
View file

@ -0,0 +1,31 @@
# vim:syntax=apparmor
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
network tcp,
network udp,
capability chown,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
/usr/bin/tor r,
/usr/sbin/tor r,
# Needed by obfs4proxy
/proc/sys/net/core/somaxconn r,
/proc/sys/kernel/random/uuid r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/etc/tor/* r,
/usr/share/tor/** r,
/usr/bin/obfsproxy PUx,
/usr/bin/obfs4proxy Pix,

53
apparmor.d/abstractions/totem Normal file
View file

@ -0,0 +1,53 @@
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
# Description: Limit executable access and reasonable read access. A look at
# the gconf schema files for totem-video-thumbnailer reveals at least the
# following files:
# 3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac,
# flc, fli, flic, flv, google-video-pointer, gpp, gsm, m4a, m4v, matroska,
# midi, mod, mp3, mp4, mp4es, mpeg, mpt2, msvideo, ms-wm, musepack,mxf,
# netshow, nsv, off, ogm, pict, pn-realaudio, prs.sid, quicktime, ram,
# realpix, rn, sbc, sdp, shorten, speex, theora, totem-stream, tta, ultravox,
# vivo, vorbis, wav, wavpack, wax, webm, wma, wmv, wmx, wpl, wvx, x-anim,
# x-it, xm
#
# While ideally we would narrow down our read access to the above, this is
# a maintenance problem and doesn't work for files without extensions.
include <abstractions/gnome>
include <abstractions/gstreamer>
include <abstractions/nameservice>
include <abstractions/dbus-session>
# Allow read on all directories
/**/ r,
# Allow read on removable media and files in /usr/share and /usr/local/share
/usr/local/share/** r,
/usr/share/** r,
/{media,mnt,opt,srv}/** r,
owner @{HOME}/.cache/mesa/** rwk,
owner @{HOME}/.cache/thumbnails/** rw,
owner @{HOME}/.cache/totem/ rw,
owner @{HOME}/.cache/totem/** rwk,
owner @{HOME}/.cache/totem-* rwk,
owner @{HOME}/.cache/tracker/db-locale.txt r,
owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,
owner @{HOME}/.cache/tracker/ontologies.gvdb r,
owner @{HOME}/.config/totem/ rwk,
owner @{HOME}/.config/totem/** rwk,
owner @{HOME}/.local/share/grilo-plugins/ rwk,
owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
owner @{HOME}/.local/share/gvfs-metadata/** r,
owner @{HOME}/.local/share/totem/ rwk,
owner @{HOME}/.local/share/tracker/data/tracker-store.journal rwk,
owner @{PROC}/@{pid}/{mountinfo,status} r,
/run/udev/data/c* r,
/run/udev/data/+drm:card* r,
/run/udev/data/+usb* r,
/sys/devices/system/node/*/meminfo r,

44
apparmor.d/abstractions/trash Normal file
View file

@ -0,0 +1,44 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
owner @{HOME}/.config/trashrc rw,
owner @{HOME}/.config/trashrc.lock rwk,
owner @{HOME}/.config/#[0-9]*[0-9] rwk,
owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
# Home trash location
owner @{HOME}/.local/share/Trash/ rw,
owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw,
owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9],
owner @{HOME}/.local/share/Trash/files/{,**} rw,
owner @{HOME}/.local/share/Trash/info/ rw,
owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw,
owner @{HOME}/.local/share/Trash/expunged/ rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw,
# Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /media/*/.Trash/ rw,
owner /media/*/.Trash/[0-9]*/ rw,
owner /media/*/.Trash/[0-9]*/#[0-9]*[0-9] rw,
owner /media/*/.Trash/[0-9]*/directorysizes{,.*} rwl -> /media/*/.Trash/[0-9]*/#[0-9]*[0-9],
owner /media/*/.Trash/[0-9]*/files/{,**} rw,
owner /media/*/.Trash/[0-9]*/info/ rw,
owner /media/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash/[0-9]*/expunged/ rw,
owner /media/*/.Trash/[0-9]*/expunged/[0-9]* rw,
# Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /media/*/.Trash-[0-9]*/ rw,
owner /media/*/.Trash-[0-9]*/#[0-9]*[0-9] rw,
owner /media/*/.Trash-[0-9]*/directorysizes{,.*} rwl -> /media/*/.Trash-[0-9]*/#[0-9]*[0-9],
owner /media/*/.Trash-[0-9]*/files/{,**} rw,
owner /media/*/.Trash-[0-9]*/info/ rw,
owner /media/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash-[0-9]*/expunged/ rw,
owner /media/*/.Trash-[0-9]*/expunged/[0-9]* rw,

18
apparmor.d/abstractions/user-download-strict Normal file
View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
owner @{HOME}/[dD]ownload{,s}/ r,
owner @{HOME}/[dD]ownload{,s}/** rwl,
owner /media/*/[dD]ownload/ r,
owner /media/*/[dD]ownload/** rwl,
owner @{HOME}/[dD]esktop/ r,
owner @{HOME}/[dD]esktop/** rwl,
# For SSHFS mounts (without owner as files in such mounts can be owned by different users)
@{HOME}/mount-sshfs/ r,
@{HOME}/mount-sshfs/** rwl,

14
apparmor.d/abstractions/vlc-art-cache-write Normal file
View file

@ -0,0 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/vlc/ rw,
owner @{HOME}/.cache/vlc/art/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/ rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art rw,
owner @{HOME}/.cache/vlc/art/artistalbum/**/art.jpg rw,

8
apparmor.d/abstractions/wayland.d/complete Normal file
View file

@ -0,0 +1,8 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{run}/user/[0-9]*/wayland-[0-9]* rw,
owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
owner /dev/shm/wlroots-* rw,

8
apparmor.d/abstractions/wutmp.d/complete Normal file
View file

@ -0,0 +1,8 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
deny /var/log/wtmp wk,
/var/log/wtmp rwk,
/var/log/btmp rwk,

24
apparmor.d/abstractions/zsh Normal file
View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
/usr/share/zsh/{,**} r,
/usr/local/share/zsh/{,**} r,
/{usr/,}lib/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
/etc/zsh/zshenv r,
/etc/zsh/zshrc r,
/etc/zsh/zprofile r,
/etc/zsh/zlogin r,
owner @{HOME}/.zshrc r,
owner @{HOME}/.zsh_history rw,
owner @{HOME}/.zsh_history.LOCK rwk,
owner @{HOME}/.oh-my-zsh/{,**} r,
owner @{HOME}/.oh-my-zsh/log/update.lock/ w,
owner @{HOME}/.zcompdump-* rw,

300
apparmor.d/groups/apps/android-studio Normal file
View file

@ -0,0 +1,300 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{AS_LIBDIR} = /media/*/android-studio
@{AS_SDKDIR} = /media/*/SDK
@{AS_HOMEDIR} = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects
@{exec_path} = @{AS_LIBDIR}/bin/studio.sh
profile android-studio @{exec_path} {
include <abstractions/base>
#icnlude <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/ssl_certs>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/python>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
capability sys_ptrace,
signal (send) set=(term, kill) peer=android-studio//lsb-release,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/which rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/chattr rix,
/{usr/,}bin/setsid rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/kill rix,
/{usr/,}bin/lsusb rPx,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/git rPx,
/{usr/,}bin/lsb_release rCx -> lsb-release,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix,
/etc/java-[0-9]*-openjdk/** r,
/usr/share/java/java-atk-wrapper.jar r,
/etc/ssl/certs/java/cacerts r,
/ r,
/home/ r,
/media/ r,
/media/*/ r,
/usr/ r,
/{usr/,}lib/ r,
/{usr/,}lib{x32,32,64}/ r,
@{AS_LIBDIR}/ rw,
@{AS_LIBDIR}/** mrwkix,
# A standard system android SDK location.
# Currently there is only the target platform of API Level 23 packaged, so only apps targeted at
# android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in
# order to use the SDK, build scripts need to be modified.
/{usr/,}lib/android-sdk/ r,
/{usr/,}lib/android-sdk/** mrkix,
/usr/share/android-sdk-platform-*/{,**} r,
deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w,
deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w,
deny /{usr/,}lib/android-sdk/.knownPackages w,
# This one is used if the standard android SDK location is missing
@{AS_SDKDIR}/ rw,
@{AS_SDKDIR}/** mrwkix,
owner @{AS_HOMEDIR}/ rw,
owner @{AS_HOMEDIR}/** mrwkix,
owner @{AS_PROJECTDIR}/ rw,
owner @{AS_PROJECTDIR}/** rwk,
owner @{HOME}/AndroidStudio/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/ rw,
owner @{HOME}/AndroidStudio/DeviceExplorer/** rw,
owner @{HOME}/Android/ rw,
owner @{HOME}/Android/** mrwkix,
owner "@{HOME}/.config/Android Open Source Project/" rw,
owner "@{HOME}/.config/Android Open Source Project/**" rwk,
owner @{HOME}/.config/Google/ rw,
owner @{HOME}/.config/Google/** rwk,
owner @{HOME}/.cache/ rw,
owner "@{HOME}/.cache/Android Open Source Project/" rw,
owner "@{HOME}/.cache/Android Open Source Project/**" rw,
owner @{HOME}/.cache/Google/ rw,
owner @{HOME}/.cache/Google/** rwk,
# To remove the following error:
# Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp
# java.io.IOException: Cannot run program
# "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,
#
owner @{HOME}/.cache/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk,
owner @{HOME}/.cache/JNA/ rw,
owner @{HOME}/.cache/JNA/** rw,
owner @{HOME}/.gradle/ rw,
owner @{HOME}/.gradle/** mrwkix,
owner @{HOME}/ r,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**,
owner @{HOME}/.local/share/Google/ rw,
owner @{HOME}/.local/share/Google/** rw,
owner @{HOME}/.local/share/kotlin/ rw,
owner @{HOME}/.local/share/kotlin/** rw,
owner "@{HOME}/.local/share/Android Open Source Project/" rw,
owner "@{HOME}/.local/share/Android Open Source Project/**" rwk,
owner @{HOME}/.java/ rw,
owner @{HOME}/.java/fonts/ rw,
owner @{HOME}/.java/fonts/*/ rw,
owner @{HOME}/.java/fonts/*/fcinfo*.tmp rw,
owner @{HOME}/.java/fonts/*/fcinfo*.properties rw,
owner @{HOME}/.java/.userPrefs/ rw,
owner @{HOME}/.java/.userPrefs/** rwk,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{HOME}/.emulator_console_auth_token rw,
deny owner @{HOME}/Desktop/* rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/stat r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/partitions r,
@{PROC}/vmstat r,
@{PROC}/loadavg r,
@{sys}/fs/cgroup/{,**} r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/** rwk,
owner /tmp/native-platform[0-9]*dir/*.so rwm,
owner /{var,}run/user/[0-9]*/avd/ rw,
owner /{var,}run/user/[0-9]*/avd/running/ rw,
owner /{var,}run/user/[0-9]*/avd/running/pid_@{pid}.ini rw,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/dev/kvm rw,
@{sys}/devices/virtual/block/**/rotational r,
profile gpg {
include <abstractions/base>
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
}
profile lsb-release {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
signal (receive) set=(term, kill) peer=android-studio,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
/etc/dpkg/origins/** r,
/etc/debian_version r,
/usr/share/distro-info/*.csv r,
owner /tmp/android-*/emulator-* w,
owner /tmp/android-*/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/opengl_* w,
# file_inherit
owner @{HOME}/.android/avd/** r,
/dev/dri/card[0-9]* rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/mpv rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/android-studio>
}

205
apparmor.d/groups/apps/atom Normal file
View file

@ -0,0 +1,205 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
profile atom @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/enchant>
# The following doesn't seem to be needed
##include <abstractions/mesa>
##include <abstractions/consoles>
##include <abstractions/audio>
##include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
##include <abstractions/zsh>
##include <abstractions/fzf>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace (read) peer=child-lsb_release,
ptrace (read) peer=xdg-settings,
@{exec_path} mrix,
/usr/share/atom/** r,
/usr/share/atom/libffmpeg.so mr,
/usr/share/atom/libnode.so mr,
/usr/share/atom/resources/**/bin/* rix,
/usr/share/atom/resources/**.node mr,
/usr/share/atom/resources/**/libexec/** rix,
deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/ r,
#/{usr/,}bin/{,ba,da}sh rix,
#/{usr/,}bin/zsh rix,
#/{usr/,}bin/env rix,
#/{usr/,}bin/rmdir rix,
#/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/ls rix,
#/{usr/,}bin/gawk rix,
#/{usr/,}bin/tty rix,
#/{usr/,}bin/dircolors rix,
#/{usr/,}bin/cut rix,
#/{usr/,}bin/xwininfo rix,
#/{usr/,}bin/date rix,
# The expr and uname tools are needed or Atom won't start with the following error:
# Your platform () is not supported.
/{usr/,}bin/expr rix,
/{usr/,}bin/uname rix,
# The following also are needed to start Atom
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/git rPUx,
# Needed to sign commits
/{usr/,}bin/gpg rCx -> gpg,
# /home/ r,
# Reading of the user home dir is required or the following error will be printed:
# Unexpected end of JSON input:
#owner @{HOME}/ r,
owner @{HOME}/.atom/ rw,
owner @{HOME}/.atom/** rwkl -> @{HOME}/.atom/**,
owner @{HOME}/.config/Atom/ rw,
owner @{HOME}/.config/Atom/** rwkl -> @{HOME}/.config/Atom/**,
# Git dirs
/ r,
/media/ r,
owner /media/*/ r,
owner /media/*/atom/ r,
owner /media/*/atom/** rwkl -> /media/*/atom/**,
owner @{HOME}/.config/git/config r,
# To remove the following error:
# Error initializing NSS with a persistent database
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/nssdb/ rw,
deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or atom gets crash with the following error:
# FATAL:proc_util.cc(36)] : Permission denied (13)
@{PROC}/ r,
#
deny @{PROC}/vmstat r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/@{pid}/fd/ r,
# Needed to remove the following error:
# Failed to activate the metrics package
# EACCES: permission denied, uv_resident_set_memory
@{PROC}/@{pids}/stat r,
# To remove the following error:
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/loginuid r,
deny /dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@{sys}/kernel/mm/transparent_hugepage/enabled r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
deny @{sys}/devices/pci[0-9]*/**/irq r,
/var/tmp/ r,
/tmp/ r,
owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/atom-[0-9a-f]*.sock rw,
owner "/tmp/Atom Crashes/" rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw,
owner /tmp/github-[0-9]*-[0-9]*-*.*/git-{credential,askpass}-atom.{js,sh} rwix,
owner /tmp/github-[0-9]*-[0-9]*-*.*/linux-ssh-wrapper.sh rwix,
owner /tmp/github-[0-9]*-[0-9]*-*.*/gpg-wrapper.sh rwix,
owner /tmp/apm-install-dir-[0-9]*-[0-9]*-*.*/ rw,
owner /tmp/apm-install-dir-[0-9]*-[0-9]*-*.*/** rw,
owner /tmp/net-export/ rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
/{usr/,}bin/gpg mr,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
# file_inherit
owner @{HOME}/.xsession-errors w,
/usr/share/atom/** r,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/atom>
}

191
apparmor.d/groups/apps/calibre Normal file
View file

@ -0,0 +1,191 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# PDF extensions
# pdf, epub, txt, html, mhtml, ps, mobi, djvu
@{calibre_ext} = [pP][dF][fF]
@{calibre_ext} += [eE][pP][uU][bB]
@{calibre_ext} += [tT][xX][tT]
@{calibre_ext} += {[mM],}[hH][tT][mM][lL]
@{calibre_ext} += [pP][sS]
@{calibre_ext} += [mM][oO][bB][iI]
@{calibre_ext} += [dD][jJ][vV][uU]
@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += /{usr/,}bin/calibredb
@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@{exec_path} += /{usr/,}bin/fetch-ebook-metadata
@{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer
@{exec_path} += /{usr/,}bin/web2disk
profile calibre @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/trash>
include <abstractions/python>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
capability sys_ptrace,
network netlink raw,
@{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
#/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/file rix,
/{usr/,}bin/pdftoppm rPUx, # (#FIXME#)
/{usr/,}bin/pdfinfo rPUx,
/{usr/,}bin/pdftohtml rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-mime rPx,
# Which files calibre should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
owner /{home,media}/**.@{calibre_ext} rw,
/usr/share/calibre/{,**} r,
owner /media/*/Calibre_Library/ r,
owner /media/*/Calibre_Library*/ rw,
owner /media/*/Calibre_Library*/** rwkl -> /media/*/Calibre_Library*/**,
owner @{HOME}/.config/calibre/ rw,
owner @{HOME}/.config/calibre/** rwk,
owner @{HOME}/.local/share/calibre-ebook.com/ rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/ rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/** rwk,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/calibre/ rw,
owner @{HOME}/.cache/calibre/** rwkl -> @{HOME}/.cache/calibre/**,
owner @{HOME}/.cache/qtshadercache/ rw,
owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner /tmp/calibre_*_tmp_*/{,**} rw,
owner /tmp/calibre-*/{,**} rw,
owner /tmp/[0-9]*-*/ rw,
owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,
owner /tmp/* rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/route r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/vmstat r,
/etc/fstab r,
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# no new privs
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**.pak r,
@{sys}/devices/pci[0-9]*/**/irq r,
/dev/shm/ r,
/dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
/etc/mime.types r,
/etc/inputrc r,
/etc/magic r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/chromium rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}bin/ebook-edit rPx,
owner /{home,media}/**.@{calibre_ext} rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/calibre>
}

140
apparmor.d/groups/apps/code Normal file
View file

@ -0,0 +1,140 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
profile code @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# The following doesn't seem to be needed
##include <abstractions/mesa>
##include <abstractions/consoles>
##include <abstractions/audio>
##include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace (read) peer=child-lsb_release,
@{exec_path} mrix,
/usr/share/code/** r,
/usr/share/code/libffmpeg.so mr,
/usr/share/code/resources/**/bin/* rix,
/usr/share/code/resources/**.node mr,
# The bash shell is needed only when you want to start code via bin/code. Also the shells are
# needed if you plan to operate on the built in terminal. If you don't need the built in terminal
# and want to use the linux one, the following three lines can be commented out.
#/{usr/,}bin/{,ba,da}sh rix,
# /{usr/,}bin/zsh rix,
#/{usr/,}bin/dirname rix,
#/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/id rix,
#/{usr/,}bin/readlink rix,
#/{usr/,}bin/which rix,
#/{usr/,}sbin/ifconfig rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/git rPUx,
# Needed to sign commits
/{usr/,}bin/gpg rPUx -> gpg,
# /home/ r,
# Reading of the user home dir is required or the following error will be printed:
# Unexpected end of JSON input:
#owner @{HOME}/ r,
owner @{HOME}/.config/Code/ rw,
owner @{HOME}/.config/Code/** rwkl -> {HOME}/.config/Code/**,
owner @{HOME}/.vscode/ rw,
owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
# Git dirs
/ r,
/media/ r,
owner /media/*/ r,
owner /media/*/code/ r,
owner /media/*/code/** rwkl -> /media/*/code/**,
# To remove the following error:
# Error initializing NSS with a persistent database
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/nssdb/ rw,
deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or code gets crash with the following error:
# FATAL:proc_util.cc(36)] : Permission denied (13)
@{PROC}/ r,
#
deny @{PROC}/version r,
#
deny @{PROC}/vmstat r,
@{PROC}/@{pid}/fd/ r,
# Needed to remove the following error:
# Failed to activate the metrics package
# EACCES: permission denied, uv_resident_set_memory
deny @{PROC}/@{pids}/stat r,
deny @{PROC}/@{pids}/statm r,
# To remove the following error:
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/net/dev r,
deny owner @{PROC}/@{pid}/net/if_inet6 r,
deny owner @{PROC}/@{pids}/cmdline r,
deny /dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
deny @{sys}/devices/pci[0-9]*/**/irq r,
/var/tmp/ r,
/tmp/ r,
owner "/tmp/VSCode Crashes/" rw,
owner /tmp/vscode-typescript[0-9]*/ rw,
owner @{run}/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
owner @{run}/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw,
# For installing extensions
owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/code>
}

213
apparmor.d/groups/apps/discord Normal file
View file

@ -0,0 +1,213 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{DISCORD_LIBDIR} = /usr/share/discord
@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/Discord /{usr/,}bin/discord
profile discord @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
signal (send) set=(kill, term) peer=@{profile_name}//lsb_release,
# Needed for Game Activity
deny capability sys_ptrace,
deny ptrace (read),
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/xdg-open rCx -> open,
#/{usr/,}bin/lsb_release rCx -> lsb_release,
#/{usr/,}bin/xdg-mime rCx -> xdg-mime,
deny /{usr/,}bin/lsb_release mrx,
deny /{usr/,}bin/xdg-mime mrx,
@{DISCORD_LIBDIR}/ r,
@{DISCORD_LIBDIR}/** r,
# @{DISCORD_LIBDIR}/**.so mr,
# @{DISCORD_LIBDIR}/libEGL.so mr,
# @{DISCORD_LIBDIR}/libGLESv2.so mr,
# To remove the following error:
# discord-canary: error while loading shared libraries: libffmpeg.so: cannot open shared object
# file: No such file or directory
@{DISCORD_LIBDIR}/libffmpeg.so mr,
# @{DISCORD_LIBDIR}/swiftshader/libEGL.so mr,
# @{DISCORD_LIBDIR}/swiftshader/libGLESv2.so mr,
@{DISCORD_LIBDIR}/chrome-sandbox rPx,
owner @{DISCORD_HOMEDIR}/ rw,
owner @{DISCORD_HOMEDIR}/** rwk,
owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/*.node mrwk,
owner @{DISCORD_HOMEDIR}/[0-9]*/modules/discord_[a-z]*/lib*.so.[0-9] mrw,
# Reading of the /proc/ dir is needed to start discord.
# Otherwise it returns the following error:
# [:FATAL:proc_util.cc(36)] : Permission denied (13)
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/vmstat r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pids}/statm r,
deny @{PROC}/@{pids}/cmdline r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# To avoid the following error:
# kernel: traps: Discord[] trap int3 ip:7fa5b7541885 sp:7ffff5539c40 error:0
# in libglib-2.0.so.0.6000.6[7fa5b7508000+80000]
/usr/share/glib-2.0/schemas/gschemas.compiled r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
@{sys}/devices/pci[0-9]*/**/irq r,
deny /dev/ r,
deny /dev/shm/ rw,
owner /dev/shm/.org.chromium.Chromium.* rw,
/var/tmp/ r,
/tmp/ r,
owner /tmp/net-export/ rw,
owner /tmp/discord.sock rw,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/discord1_[0-9]*.png rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
owner /tmp/.org.chromium.Chromium.*/SS rw,
owner "/tmp/Discord Crashes/" rw,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{run}/user/[0-9]*/discord-ipc-[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile xdg-mime {
include <abstractions/base>
include <abstractions/freedesktop.org>
/{usr/,}bin/xdg-mime mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/sed rix,
# file_inherit
/usr/share/discord/** r,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw,
owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r,
owner @{HOME}/.config/discord/GPUCache/index rw,
}
profile lsb_release {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
signal (receive) set=(kill, term) peer=discord,
/{usr/,}bin/lsb_release r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
owner @{PROC}/@{pid}/fd/ r,
/etc/debian_version r,
/etc/dpkg/origins/debian r,
/usr/share/distro-info/debian.csv r,
# file_inherit
deny /usr/share/discord/** r,
deny owner /dev/shm/.org.chromium.Chromium.* rw,
deny owner @{HOME}/.config/discord/GPUCache/data_[0-9] rw,
deny owner @{HOME}/.config/discord/*/modules/discord_desktop_core/core.asar r,
deny owner @{HOME}/.config/discord/GPUCache/index rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/discord>
}

40
apparmor.d/groups/apps/discord-chrome-sandbox Normal file
View file

@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{DISCORD_LIBDIR} = /usr/share/discord
@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox
profile discord-chrome-sandbox @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
# For kernel unprivileged user namespaces
capability sys_admin,
capability sys_chroot,
capability setuid,
capability setgid,
# optional
capability sys_resource,
@{exec_path} mr,
# Do not strip env to avoid errors like the following:
# /usr/share/discord/Discord: error while loading shared libraries: libffmpeg.so: cannot open
# shared object file: No such file or directory
# [1] 777862 trace trap discord
@{DISCORD_LIBDIR}/Discord rpx,
@{PROC}/@{pids}/ r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
include if exists <local/discord-chrome-sandbox>
}

149
apparmor.d/groups/apps/dropbox Normal file
View file

@ -0,0 +1,149 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/
@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
@{exec_path} = /{usr/,}bin/dropbox
profile dropbox @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/qt5-settings-write>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
ptrace peer=@{profile_name},
@{exec_path} r,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* r,
# Dropbox home files
owner @{HOME}/ r,
owner @{DROPBOX_HOME_DIR}/ rw,
owner @{DROPBOX_HOME_DIR}/** rwk,
# Shared files
owner @{DROPBOX_SHARE_DIR}/ rw,
owner @{DROPBOX_SHARE_DIR}/{,**} rw,
# Dropbox proprietary demon files
owner @{DROPBOX_DEMON_DIR}/{,**} rw,
owner @{DROPBOX_DEMON_DIR}/dropboxd rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropboxd rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox_py3 rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/wmctrl rwix,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
# Needed for updating Dropbox
owner /tmp/.dropbox-dist-new-*/{,**} rw,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
owner @{HOME}/.dropbox-dist-old*/{,**} rw,
owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
# For autostart
deny owner @{HOME}/.config/autostart/dropbox.desktop rw,
# What's this for?
/{usr/,}bin/mount mrix,
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
@{sys}/devices/virtual/block/loop[0-9]/ r,
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
@{run}/mount/utab r,
deny @{PROC}/ r,
# Dropbox doesn't sync without the 'stat' file
owner @{PROC}/@{pid}/stat r,
#
deny owner @{PROC}/@{pid}/statm r,
deny owner @{PROC}/@{pid}/io r,
deny @{PROC}/@{pid}/net/tcp{,6} r,
deny @{PROC}/@{pid}/net/udp{,6} r,
# When "cmdline" is blocked, Dropbox has some issues while starting:
# The Dropbox daemon is not installed! Run "dropbox start -i" to install the daemon
@{PROC}/@{pid}/cmdline r,
#
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/* r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/version r,
# To remove the following error:
# RuntimeWarning: 'sin' and 'sout' swap memory stats couldn't be determined and were set to 0
# ([Errno 13] Permission denied: '/proc/vmstat')
@{PROC}/vmstat r,
# Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
owner /tmp/dropbox-antifreeze-* rw,
owner /tmp/[a-zA-z0-9]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /var/tmp/etilqs_* rw,
@{run}/systemd/users/[0-9]* r,
deny @{sys}/module/apparmor/parameters/enabled r,
# External apps
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/dropbox>
}

72
apparmor.d/groups/apps/filezilla Normal file
View file

@ -0,0 +1,72 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/filezilla
profile filezilla @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice>
include <abstractions/user-download-strict>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=fzsftp,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/uname rix,
# When using SFTP protocol
/{usr/,}bin/fzsftp rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
owner @{HOME}/ r,
owner @{HOME}/.config/filezilla/ rw,
owner @{HOME}/.config/filezilla/* rwk,
owner @{HOME}/.cache/filezilla/ rw,
owner @{HOME}/.cache/filezilla/default_*.png rw,
/usr/share/filezilla/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# Creating new files on FTP
/tmp/ r,
owner /tmp/fz[0-9]temp-[0-9]*/ rw,
owner /tmp/fz[0-9]temp-[0-9]*/fz*-lockfile rwk,
owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw,
# External apps
/{usr/,}lib/firefox/firefox rPUx,
# FTP share folder
owner /media/*/ftp/ r,
owner /media/*/ftp/** rw,
# Silencer
/ r,
/*/ r,
/*/*/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/filezilla>
}

97
apparmor.d/groups/apps/flameshot Normal file
View file

@ -0,0 +1,97 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/flameshot
profile flameshot @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
network netlink dgram,
@{exec_path} mr,
/{usr/,}bin/whoami rix,
/{usr/,}bin/xdg-open rCx -> open,
# Flameshot home files
owner @{HOME}/.config/flameshot/ rw,
owner @{HOME}/.config/flameshot/flameshot.ini rw,
owner @{HOME}/.config/flameshot/#[0-9]*[0-9] rw,
owner @{HOME}/.config/flameshot/flameshot.ini* rwl -> @{HOME}/.config/flameshot/#[0-9]*[0-9],
owner @{HOME}/.config/flameshot/flameshot.ini.lock rwk,
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
owner /tmp/.*/{,s} rw,
owner /tmp/*= rw,
owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/flameshot>
}

146
apparmor.d/groups/apps/freetube Normal file
View file

@ -0,0 +1,146 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue
@{exec_path} = @{FT_LIBDIR}/freetube{,-vue}
profile freetube @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
@{FT_LIBDIR}/ r,
@{FT_LIBDIR}/** r,
@{FT_LIBDIR}/libffmpeg.so mr,
@{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
@{FT_LIBDIR}/{swiftshader/,}libEGL.so mr,
@{FT_LIBDIR}/chrome-sandbox rPx,
owner @{HOME}/ r,
owner @{HOME}/.config/FreeTube/ rw,
owner @{HOME}/.config/FreeTube/** rwk,
/var/tmp/ r,
/tmp/ r,
owner /tmp/.org.chromium.Chromium.*/ rw,
owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
owner /tmp/.org.chromium.Chromium.*/SS w,
owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/net-export/ rw,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.* rw,
# The /proc/ dir is needed to avoid the following error:
# traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in
# freetube[56499b8a8000+531e000]
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
# @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
# @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pids}/statm r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pids}/oom_{,score_}adj r,
deny owner @{PROC}/@{pids}/oom_{,score_}adj w,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
deny @{PROC}/vmstat r,
@{PROC}/sys/fs/inotify/max_user_watches r,
/etc/fstab r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{HOME}/.local/share r,
deny @{sys}/devices/virtual/tty/tty0/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
deny @{sys}/devices/pci[0-9]*/**/irq r,
# Needed?
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/** rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{run}/user/[0-9]*/ r,
# no new privs
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-open rCx -> open,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/freetube>
}

35
apparmor.d/groups/apps/freetube-chrome-sandbox Normal file
View file

@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{FT_LIBDIR} = /{usr/,}lib/freetube
@{FT_LIBDIR} += /{usr/,}lib/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue
@{exec_path} = @{FT_LIBDIR}/chrome-sandbox
profile freetube-chrome-sandbox @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/deny-root-dir-access>
capability sys_admin,
capability setgid,
capability setuid,
capability sys_chroot,
@{exec_path} mr,
# Has to be lower "P"
@{FT_LIBDIR}/freetube{,-vue} rpx,
@{PROC}/@{pids}/ r,
owner @{PROC}/@{pid}/oom_{,score_}adj r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
include if exists <local/freetube-chrome-sandbox>
}

119
apparmor.d/groups/apps/geany Normal file
View file

@ -0,0 +1,119 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/geany
profile geany @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/enchant>
include <abstractions/nameservice-strict>
# To edit system files as root.
capability dac_read_search,
capability dac_override,
deny capability sys_nice,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
# For the sorting feature
/{usr/,}bin/sort rix,
# When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following
# root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Geany works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/usr/share/geany/{,**} r,
owner @{HOME}/.config/geany/{,**} rw,
owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
# the list.
/ r,
/boot/ r,
/boot/** r,
owner /boot/** rw,
/etc/ r,
/etc/** r,
owner /etc/** rw,
/efi/ r,
/efi/** r,
owner /efi/** rw,
/home/ r,
/home/** r,
owner /home/** rw,
/lost+found/ r,
/lost+found/** r,
owner /lost+found/** rw,
/media/ r,
/media/** r,
owner /media/** rw,
/mnt/ r,
/mnt/** r,
owner /mnt/** rw,
/opt/ r,
/opt/** r,
owner /opt/** rw,
/root/ r,
/root/** r,
owner /root/** rw,
/run/ r,
/run/** r,
owner /run/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
/tmp/ r,
/tmp/** r,
owner /tmp/** rw,
/usr/ r,
/usr/** r,
owner /usr/** rw,
/var/ r,
/var/** r,
owner /var/** rw,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
@{HOME}/.Xauthority r,
}
include if exists <local/geany>
}

123
apparmor.d/groups/apps/okular Normal file
View file

@ -0,0 +1,123 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{okular_ext} = [pP][dD][fF]
@{exec_path} = /{usr/,}bin/okular
profile okular @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/audio>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/dri-enumerate>
include <abstractions/kde-icon-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# Which media files Okular should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
/tmp/ r,
/tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/okularrc rw,
owner @{HOME}/.config/okularrc.lock rwk,
owner @{HOME}/.config/okularrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/okularpartrc rw,
owner @{HOME}/.config/okularpartrc.lock rwk,
owner @{HOME}/.config/okularpartrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/kdeglobals r,
owner @{HOME}/.config/kwalletrc r,
owner @{HOME}/.local/share/okular/{,**} rw,
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/okular/{,**} rw,
/usr/share/okular/{,**} r,
/usr/share/kxmlgui5/okular/{,*} r,
/usr/share/poppler/** r,
/usr/share/hwdata/pnp.ids r,
/etc/xdg/ui/ui_standards.rc r,
@{PROC}/sys/kernel/core_pattern r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Search phrase in google
/{usr/,}bin/xdg-open rCx -> open,
/usr/share/kservices5/searchproviders/{,*.desktop} r,
/usr/share/kservices5/{,*.protocol} r,
/etc/xdg/kshorturifilterrc r,
# Print to pdf
/{usr/,}bin/ps2pdf rPUx,
owner /tmp/[0-9a-f]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
# About
/usr/share/kf5/licenses/GPL_V2 r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/okular>
}

72
apparmor.d/groups/apps/signal-desktop Normal file
View file

@ -0,0 +1,72 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}"
@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}
profile signal-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
# Signal installation dir
@{SIGNAL_INSTALLDIR}/ r,
@{SIGNAL_INSTALLDIR}/** r,
@{SIGNAL_INSTALLDIR}/libnode.so mr,
@{SIGNAL_INSTALLDIR}/libffmpeg.so mr,
@{SIGNAL_INSTALLDIR}/chrome-sandbox rPx,
# Signal home dirs
@{SIGNAL_HOMEDIR}/ rw,
@{SIGNAL_HOMEDIR}/** rwk,
#owner @{HOME}/.pki/nssdb/pkcs11.txt r,
#owner @{HOME}/.pki/nssdb/cert9.db rwk,
#owner @{HOME}/.pki/nssdb/key4.db rwk,
# Signal wants the /tmp/ dir to be mounted with the "exec" flag. If this is not acceptable in
# your system, use the TMPDIR variable to set some other tmp dir.
/tmp/ r,
owner /tmp/.org.chromium.Chromium.* mrw,
/var/tmp/ r,
owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/stat r,
@{PROC}/vmstat r,
deny /dev/shm/ r,
/dev/shm/.org.chromium.Chromium.* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/getconf rix,
include if exists <local/signal-desktop>
}

23
apparmor.d/groups/apps/signal-desktop-chrome-sandbox Normal file
View file

@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}"
@{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}"
@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta}
profile signal-desktop-chrome-sandbox @{exec_path} {
include <abstractions/base>
include <abstractions/deny-root-dir-access>
@{exec_path} mr,
@{SIGNAL_INSTALLDIR}/signal-desktop rPx,
include if exists <local/signal-desktop-chrome-sandbox>
}

87
apparmor.d/groups/apps/spotify Normal file
View file

@ -0,0 +1,87 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify
profile spotify @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/audio>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/mesa>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
@{exec_path} mrix,
/usr/share/spotify/{,**} r,
/usr/share/spotify/libcef.so mr,
/usr/share/spotify/swiftshader/libGLESv2.so mr,
/usr/share/spotify/swiftshader/libEGL.so mr,
owner @{HOME}/.config/spotify/ rw,
owner @{HOME}/.config/spotify/** rw,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/spotify/ rw,
owner @{HOME}/.cache/spotify/** rwk,
owner @{HOME}/.Xauthority r,
# The /proc/ dir is needed to avoid the following errors:
# [:FATAL:proc_util.cc(36)] : Permission denied (13)
# [:FATAL:sandbox_linux.cc(484)] : Permission denied (13)
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pids}/task/ r,
deny owner @{PROC}/@{pids}/task/@{tid}/stat r,
deny owner @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pids}/oom_score_adj w,
deny @{PROC}/vmstat r,
@{PROC}sys/kernel/yama/ptrace_scope r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
owner /dev/shm/.org.chromium.Chromium.* rw,
deny @{sys}/devices/virtual/tty/tty[0-9]*/active r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
deny @{sys}/devices/pci[0-9]*/**/irq r,
deny /var/lib/dbus/machine-id r,
deny /etc/machine-id r,
/usr/share/X11/XErrorDB r,
/tmp/ r,
owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
# What's this for?
#owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,
/var/tmp/ r,
deny owner @{HOME}/.pki/ rw,
deny owner @{HOME}/.pki/nssdb/ rw,
deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
include if exists <local/spotify>
}

117
apparmor.d/groups/apps/telegram-desktop Normal file
View file

@ -0,0 +1,117 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{TELEGRAM_WORK_DIR} = /media/Kabi/telegram
@{exec_path} = /{usr/,}bin/telegram-desktop
profile telegram-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/enchant>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
# Launch external apps
/{usr/,}bin/xdg-open rCx -> open,
# What's this for?
deny /{usr/,}bin/fc-list rx,
# Telegram files
/usr/share/TelegramDesktop/{,**} r,
# Download dir
owner @{TELEGRAM_WORK_DIR}/ rw,
owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#[0-9]*[0-9],
# Telegram's profile (via telegram -many -workdir ~/some/dir/)
#owner @{TELEGRAM_WORK_DIR}/{,**} rw,
# Autostart
owner @{HOME}/.config/autostart/telegramdesktop.desktop rw,
/dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Needed when saving files as, or otherwise the app crashes
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/hwdata/pnp.ids r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/geany rPx,
# file_inherit
owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{TELEGRAM_WORK_DIR}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/geany rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/telegram-desktop>
}

272
apparmor.d/groups/apps/thunderbird Normal file
View file

@ -0,0 +1,272 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Useful info:
# http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
#
abi <abi/3.0>,
include <tunables/global>
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{HOME}/.cache/thunderbird
@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin}
@{exec_path} += /{usr/,}bin/thunderbird
profile thunderbird @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/audio>
include <abstractions/enchant>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace peer=@{profile_name},
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
@{exec_path} mrix,
@{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/date rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/which rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dig rix,
# Thunderbird files
/usr/share/thunderbird/{,**} r,
/etc/thunderbird/{,**} r,
# Extensions
@{MOZ_LIBDIR}/extensions/{,**} r,
/usr/share/mozilla/extensions/{,**} r,
/usr/share/lightning/{,**} r,
# Thunderbird home files
owner @{MOZ_HOMEDIR}/ rw,
owner "@{MOZ_HOMEDIR}/{Crash Reports,Pending Pings}/" rw,
owner "@{MOZ_HOMEDIR}/Crash Reports/**" rw,
owner @{MOZ_HOMEDIR}/*.*/ rw,
owner @{MOZ_HOMEDIR}/*.*/** rwk,
deny @{MOZ_HOMEDIR}/*.*/pepmda/ rw,
deny @{MOZ_HOMEDIR}/*.*/pepmda/** rwklmx,
owner @{MOZ_HOMEDIR}/profiles.ini rw,
owner @{MOZ_HOMEDIR}/installs.ini rw,
deny @{HOME}/.mozilla/** mrwkl,
# Cache
owner @{HOME}/.cache/ rw,
owner @{MOZ_CACHEDIR}/{,**} rw,
# Needed for system mails
owner /var/mail/* rwk,
owner @{HOME}/ r,
owner @{HOME}/Mail/ rw,
owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
# Fix error in libglib while saving files as
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Spellcheck
/{usr/,}bin/locale rix,
# System integration
/etc/mime.types r,
owner @{HOME}/.config/mimeapps.list.* rw,
# KDE system keyring
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/usr/share/xul-ext/kwallet5/* r,
/etc/xul-ext/kwallet5.js r,
owner @{HOME}/.config/kwalletrc r,
# QT5
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny @{sys}/devices/system/cpu/present r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pids}/cmdline r,
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/@{pid}/net/arp r,
deny @{PROC}/@{pid}/net/route r,
# for dig
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# TMP files
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/thunderbird{,_*}/ rw,
owner /tmp/thunderbird{,_*}/* rwk,
owner /tmp/mozilla_*/ rw,
owner /tmp/mozilla_*/* rw,
owner /tmp/MozillaMailnews/ rw,
owner /tmp/MozillaMailnews/*.msf rw,
owner /tmp/Temp-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/ rw,
deny /dev/ r,
/dev/urandom w,
/dev/shm/ r,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
/etc/fstab r,
/etc/mailcap r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
# Silencer
deny /{usr/,}lib/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Needed for enigmail
/usr/share/xul-ext/enigmail/{,**} r,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg-connect-agent rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
network inet stream,
network inet6 stream,
network netlink raw,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpg-connect-agent mr,
/{usr/,}bin/gpgsm mr,
/{usr/,}bin/gpg-agent rix,
owner @{HOME}/.gnupg/ rw,
owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
owner /tmp/nscopy.tmp w,
# For encryption + signature
owner /tmp/gpgOutput.* rw,
# for inline pgp
owner /tmp/encfile rw,
owner /tmp/encfile-[0-9]* rw,
# for signature generation
owner /tmp/nsemail.eml w,
owner /tmp/nsemail-[0-9]*.eml w,
# for signature verifications
owner /tmp/data.sig r,
owner /tmp/data-[0-9]*.sig r,
@{PROC}/@{pid}/fd/ r,
# file_inherit
owner /dev/tty[0-9]* rw,
deny owner @{MOZ_HOMEDIR}/*.*/** rw,
deny owner @{MOZ_CACHEDIR}/** rw,
deny /usr/share/thunderbird/** r,
deny /usr/share/sounds/freedesktop/stereo/*.oga r,
deny owner /tmp/thunderbird{,_*}/* rwk,
deny /dev/shm/org.chromium.* r,
deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
owner /tmp/ns* rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/[0-9]*/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
/{usr/,}bin/qpdfview rPUx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/thunderbird>
}

36
apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash Normal file
View file

@ -0,0 +1,36 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2018 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Author: Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
include <tunables/global>
profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) {
include <abstractions/base>
include <abstractions/X>
/etc/libreoffice/ r,
/etc/libreoffice/** r,
/etc/passwd r,
/etc/nsswitch.conf r,
/run/nscd/passwd r,
/sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c
/usr/lib{,32,64}/ure/bin/javaldx rmpux,
/usr/share/libreoffice/program/* r,
/usr/lib/libreoffice/program/** r,
/usr/lib/libreoffice/program/soffice.bin rmpx,
/usr/lib/libreoffice/program/javaldx rmpux,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
}

37
apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc Normal file
View file

@ -0,0 +1,37 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2017 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Authors: Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
include <tunables/global>
profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain) {
include <abstractions/base>
include <abstractions/user-tmp>
/{usr/,}bin/sh rmix,
/{usr/,}bin/bash rmix,
/{usr/,}bin/dash rmix,
/{usr/,}bin/sed rmix,
/usr/bin/dirname rmix,
/usr/bin/basename rmix,
/{usr/,}bin/grep rmix,
/{usr/,}bin/uname rmix,
/usr/bin/xdg-open rPUx,
/usr/bin/xdg-email rPUx,
/dev/null rw,
/usr/lib/libreoffice/program/uri-encode rmpux,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
}

271
apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin Normal file
View file

@ -0,0 +1,271 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2018 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Authors: Jonathan Davies <jonathan.davies@canonical.com>
# Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
# This profile should enable the average LibreOffice user to get their
# work done while blocking some advanced usage
# Namely not tested and likely not working : embedded plugins,
# Using the LibreOffice SDK and other development tasks
# Everything else should be working
#Defines all common supported file formats
#Some obscure ones we're excluded (mostly input)
#Generic
#.txt
@{libreoffice_ext} = [tT][xX][tT]
#All the open document format
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
#.xml and xsl
@{libreoffice_ext} += [xX][mMsS][lL]
#.pdf
@{libreoffice_ext} += [pP][dD][fF]
#Unified office format
@{libreoffice_ext} += [uU][oO][fFtTsSpP]
#(x)htm(l)
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
#.epub
@{libreoffice_ext} += [eE][pP][uU][bB]
#.ps (printing to file)
@{libreoffice_ext} += [pP][sS]
#Images
@{libreoffice_ext} += [jJ][pP][gG]
@{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG]
@{libreoffice_ext} += [sS][vV][gG][zZ]99251
@{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF]
#Writer
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libreoffice_ext} += [rR][tT][fF]
#Calc
@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
@{libreoffice_ext} += [xX][lL][wW]
#.dif dbf
@{libreoffice_ext} += [dD][iIbB][fF]
#.tsv .csv
@{libreoffice_ext} += [cCtT][sS][vV]
@{libreoffice_ext} += [sS][lL][kK]
#Impress/Draw
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
#Photoshop
@{libreoffice_ext} += [pP][sS][dD]
#Math
@{libreoffice_ext} += [mM][mM][lL]
@{libo_user_dirs} = @{HOME} /mnt /media
include <tunables/global>
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
include <abstractions/private-files>
include <abstractions/audio>
include <abstractions/bash>
include <abstractions/cups-client>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/ibus>
include <abstractions/nameservice>
include <abstractions/gnome>
# GnuPG1 only...
# include <abstractions/gnupg>
include <abstractions/python>
include <abstractions/p11-kit>
include <abstractions/user-tmp>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
#List directories for file browser
/ r,
/**/ r,
owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
owner @{libo_user_dirs}/**~lock.* rw, #lock file support
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
# Settings
/etc/libreoffice/ r,
/etc/libreoffice/** r,
/etc/cups/ppd/*.ppd r,
/etc/xml/catalog r, #exporting to .xhtml, for libxml2
/proc/*/status r,
owner @{HOME}/.config/libreoffice{,dev}/** rwk,
owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.lock rwk,
owner @{HOME}/.cache/fontconfig/** rw,
owner @{HOME}/.config/gtk-???/bookmarks r, #Make bookmarks work
owner /{,var/}run/user/*/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
# allow schema to be read
/usr/share/glib-*/schemas/ r,
/usr/share/glib-*/schemas/** r,
# bluetooth send to
network bluetooth,
/{usr/,}bin/sh rmix,
/{usr/,}bin/bash rmix,
/{usr/,}bin/dash rmix,
/{usr/,}bin/rm rmix, #deleting /tmp/psp1534203998 (printing to file)
/usr/bin/bluetooth-sendto rmPUx,
/usr/bin/lpr rmPUx,
/usr/bin/paperconf rmix,
/usr/bin/gpgconf rmix,
/usr/bin/gpg rmCx -> gpg,
/usr/bin/gpgsm rmCx -> gpg,
/usr/bin/gpa rix,
/usr/bin/seahorse rix,
/usr/bin/kgpg rix,
/usr/bin/kleopatra rix,
/dev/tty rw,
/usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
owner @{HOME}/.cache/gstreamer-???/** rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this
/usr/lib{,32,64}/jvm/ r,
/usr/lib{,32,64}/jvm/** r,
/usr/lib{,32,64}/jvm/**/jre/bin/java mix,
/usr/lib{,32,64}/jvm/**/bin/java mix,
# should be included in the jvm/** above but there it is
# a symlink, so apparmor still doesn't allow it...
/etc/java-??-openjdk/security/java.security r,
/usr/lib/libreoffice/** rw,
/usr/lib/libreoffice/**.so m,
/usr/lib/libreoffice/program/soffice.bin mix,
/usr/lib/libreoffice/program/xpdfimport px,
/usr/lib/libreoffice/program/senddoc px,
/usr/bin/xdg-open rPUx,
/usr/share/java/**.jar r,
/usr/share/hunspell/ r,
/usr/share/hunspell/** r,
/usr/share/hyphen/ r,
/usr/share/hyphen/** r,
/usr/share/mythes/ r,
/usr/share/mythes/** r,
/usr/share/liblangtag/ r,
/usr/share/liblangtag/** r,
/usr/share/libreoffice/ r,
/usr/share/libreoffice/** r,
/usr/share/yelp-xsl/xslt/mallard/** r,
/usr/share/libexttextcat/* r,
/usr/share/icu/** r,
/usr/share/locale-bundle/* r,
/var/spool/libreoffice/ r,
/var/spool/libreoffice/** rw,
/var/cache/fontconfig/ rw,
#Likely moving to abstractions in the future
owner @{HOME}/.icons/*/cursors/* r,
/etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
/usr/share/*-fonts/conf.avail/*.conf r,
/usr/share/fonts-config/conf.avail/*.conf r,
/{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
/{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
@{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
#To avoid "Unable to create io-slave." for file dialog
owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
#For KIO IO::Slave::createSlave()
owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl -> /{,var/}run/user/[0-9]*/#[0-9]*,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.mozilla/firefox/*/secmod.db r,
# firefox < 58
owner @{HOME}/.mozilla/firefox/*/cert8.db r,
# firefox >= 58
owner @{HOME}/.mozilla/firefox/*/cert9.db r,
owner @{HOME}/.local/share/user-places.xbel r,
# there is abstractions/gnupg but that's just for gpg1...
profile gpg flags=(complain) {
include <abstractions/base>
/usr/bin/gpgconf rm,
/usr/bin/gpg rm,
/usr/bin/gpgsm rm,
owner @{HOME}/.gnupg/* r,
owner @{HOME}/.gnupg/random_seed rk,
}
# probably should become a subprofile like gpg above, but then it doesn't
# work either as it tries to access stuff only allowed above...
owner @{HOME}/.config/kdeglobals r,
/usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
/usr/share/qt5/translations/* r,
/usr/lib/*/qt5/plugins/** rm,
/usr/share/plasma/look-and-feel/**/contents/defaults r,
# TODO: remove when rules are available in abstractions/kde
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/trashrc r, # user by KFileWidget
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
# TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
/usr/share/kservices5/*.protocol r,
# TODO: use qt5-settings-write abstraction when it is available
owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
owner @{HOME}/.config/QtProject.conf rw,
owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.lock rwk,
# TODO: use qt5-compose-cache-write abstraction when it is available
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
# TODO: use recent-documents-write abstraction when it is available
owner @{HOME}/.local/share/RecentDocuments/** r,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# TODO: use kde-globals-write abstraction when it is available
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
}

31
apparmor.d/groups/apps/usr.lib.libreoffice.program.xpdfimport Normal file
View file

@ -0,0 +1,31 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2017 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Authors: Bryan Quigley <bryan.quigley@canonical.com>
# Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------
include <tunables/global>
profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport flags=(complain) {
include <abstractions/base>
include <abstractions/user-tmp>
/usr/share/poppler/** r,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
/usr/lib/libreoffice/program/xpdfimport pxm,
#Uncomment for build testing (should be one directory <- of instdir)
#/mnt/store/git/libo/** r,
}

171
apparmor.d/groups/apps/vlc Normal file
View file

@ -0,0 +1,171 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{vlc_ext} = [aA]{52,[aA][cC],[cC]3}
@{vlc_ext} += [mM][kK][aA]
@{vlc_ext} += [fF][lL][aA][cC]
@{vlc_ext} += [mM][pP][123cC]
@{vlc_ext} += [oO][gGmM][aA]
@{vlc_ext} += [wW]{,[aA]}[vV]
@{vlc_ext} += [wW][mM]{,[aA]}
@{vlc_ext} += 3[gG]{[2pP],[pP][2pP]}
@{vlc_ext} += [aA][sS][fF]
@{vlc_ext} += [aA][vV][iI]
@{vlc_ext} += [dD][iI][vV][xX]
@{vlc_ext} += [mM][124][vV]
@{vlc_ext} += [mM][kKoO][vV]
@{vlc_ext} += [mM][pP][4aAeEgG]
@{vlc_ext} += [mM][pP][eE][gG]{,[124]}
@{vlc_ext} += [oO][gG][gGmMxXvV]
@{vlc_ext} += [rR][mM]{,[vV][bB]}
@{vlc_ext} += [wW][eE][bB][mM]
@{vlc_ext} += [wW][mMtT][vV]
@{vlc_ext} += [mM][pP]2[tT]
# Image extensions
# bmp, jpg, jpeg, png, gif
@{vlc_ext} += [bB][mM][pP]
@{vlc_ext} += [jJ][pP]{,[eE]}[gG]
@{vlc_ext} += [pP][nN][gG]
@{vlc_ext} += [gG][iI][fF]
# Subtitle extensions:
# srt, txt, sub
@{vlc_ext} += [sS][rR][tT]
@{vlc_ext} += [tT][xX][tT]
@{vlc_ext} += [sS][uU][bB]
# Playlist extensions:
# m3u, m3u8, pls
@{vlc_ext} += [mM]3[uU]{,8}
@{vlc_ext} += [pP][lL][sS]
@{exec_path} = /{usr/,}bin/{c,}vlc
profile vlc @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/nvidia>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/vlc-art-cache-write>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/user-download-strict>
include <abstractions/ssl_certs>
include <abstractions/devices-usb>
include <abstractions/deny-root-dir-access>
signal (receive) set=(term, kill) peer=anyremote//*,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mrix,
# Which media files VLC should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
/media/ r,
owner /media/**/ r,
owner /{home,media}/**.@{vlc_ext} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# VLC files
/usr/share/vlc/{,**} r,
# VLC config files
owner @{HOME}/ r,
owner @{HOME}/.config/vlc/ rw,
owner @{HOME}/.config/vlc/* rwkl -> @{HOME}/.config/vlc/#[0-9]*[0-9],
owner @{HOME}/.local/share/vlc/{,*} rw,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/vlc/{,**} rw,
owner @{HOME}/.cache/#[0-9]*[0-9] rw,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{HOME}/.config/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/net/if_inet6 r,
deny @{PROC}/sys/kernel/random/boot_id r,
# Udev enumeration
@{sys}/bus/ r,
@{sys}/bus/**/devices/ r,
@{sys}/devices/**/uevent r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{run}/udev/data/b254:[0-9]* r, # for /dev/zram*
@{run}/udev/data/b253:[0-9]* r, # for /dev/dm*
@{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
@{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
/etc/fstab r,
/usr/share/hwdata/pnp.ids r,
# Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
# Silencer
deny /{usr/,}lib/@{multiarch}/vlc/{,**} w,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.anyRemote/anyremote.stdout w,
profile xdg-screensaver {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/xdg-screensaver mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xset rix,
/{usr/,}bin/xautolock rix,
/{usr/,}bin/dbus-send rix,
owner @{HOME}/.Xauthority r,
# file_inherit
/dev/dri/card[0-9]* rw,
network inet stream,
network inet6 stream,
}
include if exists <local/vlc>
}

177
apparmor.d/groups/apt/apt Normal file
View file

@ -0,0 +1,177 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt
profile apt @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
audit deny capability net_admin,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For editing the sources.list file
/etc/apt/sources.list rwk,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
profile editor flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
owner @{HOME}/.selected_editor r,
/usr/share/vim/{,**} r,
/etc/vim/{,**} r,
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.fzf/plugin/ r,
owner @{HOME}/.fzf/plugin/fzf.vim r,
/etc/apt/sources.list rw,
}
profile dpkg-source flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/etc/dpkg/origins/debian r,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
owner @{HOME}/** rwkl -> @{HOME}/**,
audit deny owner @{HOME}/.* mrwkl,
audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl,
}
include if exists <local/apt>
}

31
apparmor.d/groups/apt/apt-cache Normal file
View file

@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache
profile apt-cache @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/apt-cache>
}

87
apparmor.d/groups/apt/apt-cdrom Normal file
View file

@ -0,0 +1,87 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount,
# Are all of these needed? (#FIXME#)
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
@{run}/udev/data/* r,
/etc/fstab r,
# For cd-roms
/media/cdrom[0-9]/ r,
/media/cdrom[0-9]/**/ r,
/media/cdrom[0-9]/.disk/info r,
/media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r,
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
# For pendrives
/media/*/*/ r,
/media/*/*/**/ r,
/media/*/*/.disk/info r,
/media/*/*/dists/**/binary-*/Packages{,.gz} r,
/media/*/*/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/apt/cdroms.list{,.new} rw,
/var/lib/apt/cdroms.list~ w,
/etc/apt/sources.list{,.new} rw,
/etc/apt/sources.list~ w,
profile mount flags=(complain) {
include <abstractions/base>
/{usr/,}bin/mount mr,
/etc/fstab r,
/media/cdrom[0-9]/ r,
}
profile umount flags=(complain) {
include <abstractions/base>
capability sys_admin,
/{usr/,}bin/umount mr,
@{run}/mount/utab{,.*} rw,
@{run}/mount/utab.lock rwk,
owner @{PROC}/@{pid}/mountinfo r,
umount /media/*/,
umount /media/*/*/,
}
include if exists <local/apt-cdrom>
}

22
apparmor.d/groups/apt/apt-config Normal file
View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config
profile apt-config @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-config>
}

32
apparmor.d/groups/apt/apt-extracttemplates Normal file
View file

@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-extracttemplates
profile apt-extracttemplates @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner /tmp/*.{config,template}.?????? rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/apt-extracttemplates>
}

37
apparmor.d/groups/apt/apt-file Normal file
View file

@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-file
profile apt-file @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/fgrep rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/xargs rix,
/{usr/,}lib/apt/apt-helper rix,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/apt rPx,
/etc/apt/apt-file.conf r,
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
# file_inherit
/var/log/cron-apt/temp w,
include if exists <local/apt-file>
}

24
apparmor.d/groups/apt/apt-ftparchive Normal file
View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-ftparchive
profile apt-ftparchive @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/apt-ftparchive>
}

183
apparmor.d/groups/apt/apt-get Normal file
View file

@ -0,0 +1,183 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-get
profile apt-get @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
audit deny capability net_admin,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For building the source after the download process is finished (apt-get source --compile)
# (#FIXME#)
/{usr/,}bin/dpkg-buildpackage rPUx,
# For changelogs
/tmp/apt-changelog-*/ w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
/tmp/apt-changelog-*/*.changelog w,
/{usr/,}bin/sensible-pager rCx -> pager,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt-tmp-index.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /var/log/cron-apt/temp w,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
}
profile dpkg-source flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/etc/dpkg/origins/debian r,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
owner @{HOME}/** rwkl -> @{HOME}/**,
audit deny owner @{HOME}/.* mrwkl,
audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl,
}
include if exists <local/apt-get>
}

103
apparmor.d/groups/apt/apt-key Normal file
View file

@ -0,0 +1,103 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-key
profile apt-key @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/apt-config rPx,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/{,**} rw,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg{,~,.tmp} rw,
/etc/apt/trusted.gpg.lock rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg.d/ r,
/etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg.d/*.gpg r,
/etc/apt/trusted.gpg.d/*.gpg.lock rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid},
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
# File_inherit
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
}
include if exists <local/apt-key>
}

58
apparmor.d/groups/apt/apt-listbugs Normal file
View file

@ -0,0 +1,58 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listbugs
profile apt-listbugs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
#capability sys_tty_config,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logname rix,
/{usr/,}bin/apt-config rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/listbugs/{,*} r,
@{PROC}/@{pid}/loginuid r,
# The following is needed when apt-listbugs uses debcconf GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
include if exists <local/apt-listbugs>
}

19
apparmor.d/groups/apt/apt-listbugs-aptcleanup Normal file
View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
include if exists <local/apt-listbugs-aptcleanup>
}

28
apparmor.d/groups/apt/apt-listbugs-migratepins Normal file
View file

@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/preferences r,
owner /tmp/pin_migration_*-@{pid}-*/ w,
owner /tmp/pin_migration_*-@{pid}-*/preferences w,
owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w,
include if exists <local/apt-listbugs-migratepins>
}

29
apparmor.d/groups/apt/apt-listbugs-prefclean Normal file
View file

@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/ r,
owner /var/spool/apt-listbugs/lastprefclean rw,
include if exists <local/apt-listbugs-prefclean>
}

101
apparmor.d/groups/apt/apt-listchanges Normal file
View file

@ -0,0 +1,101 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listchanges
profile apt-listchanges @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
include <abstractions/nameservice-strict>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
#
/{usr/,}bin/sensible-pager rCx -> pager,
# Send results using email
/{usr/,}sbin/exim4 rPx,
/usr/share/apt-listchanges/{,**} r,
/etc/apt/listchanges.conf r,
/etc/apt/listchanges.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/status r,
/var/lib/apt/listchanges{,-new}.db rw,
/var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db,
/var/cache/apt/archives/ r,
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/apt-listchanges*/ rw,
owner /tmp/apt-listchanges*/**/ rw,
owner /tmp/apt-listchanges*/*/*/*/*/changelog.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw,
# The following is needed when apt-listchanges uses debcconf GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
#capability sys_tty_config,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
# For shell pwd
/root/ r,
/tmp/ r,
owner /tmp/apt-listchanges-tmp*.txt r,
}
include if exists <local/apt-listchanges>
}

26
apparmor.d/groups/apt/apt-mark Normal file
View file

@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-mark
profile apt-mark @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
/var/lib/apt/extended_states{,.*} rw,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
include if exists <local/apt-mark>
}

46
apparmor.d/groups/apt/apt-methods-cdrom Normal file
View file

@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/cdrom
profile apt-methods-cdrom @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-cdrom>
}

57
apparmor.d/groups/apt/apt-methods-copy Normal file
View file

@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/copy
profile apt-methods-copy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-copy>
}

57
apparmor.d/groups/apt/apt-methods-file Normal file
View file

@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/file
profile apt-methods-file @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-file>
}

46
apparmor.d/groups/apt/apt-methods-ftp Normal file
View file

@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/ftp
profile apt-methods-ftp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-ftp>
}

89
apparmor.d/groups/apt/apt-methods-gpgv Normal file
View file

@ -0,0 +1,89 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/gpgv
profile apt-methods-gpgv @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# The following get "no new privs" so "rix" them
/{usr/,}bin/apt-key rix,
/{usr/,}bin/apt-config rix,
/{usr/,}bin/dpkg rix,
/{usr/,}bin/gpg-connect-agent rix,
/{usr/,}bin/gpgconf rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpgv rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/arch r,
@{PROC}/@{pid}/fd/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-gpgv>
}

77
apparmor.d/groups/apt/apt-methods-http Normal file
View file

@ -0,0 +1,77 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
profile apt-methods-http @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/auth.conf.d/{,*} r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For the aptitude interactive mode
/tmp/ r,
owner /tmp/aptitude-root.*/aptitude-download-* rw,
owner /tmp/apt-changelog-*/*.changelog rw,
@{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-http>
}

46
apparmor.d/groups/apt/apt-methods-mirror Normal file
View file

@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
profile apt-methods-mirror @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-mirror>
}

57
apparmor.d/groups/apt/apt-methods-rred Normal file
View file

@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/rred
profile apt-methods-rred @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-rred>
}

46
apparmor.d/groups/apt/apt-methods-rsh Normal file
View file

@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
profile apt-methods-rsh @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-rsh>
}

62
apparmor.d/groups/apt/apt-methods-store Normal file
View file

@ -0,0 +1,62 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/store
profile apt-methods-store @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/doc/*/changelog.* r,
/tmp/ r,
owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
include if exists <local/apt-methods-store>
}

37
apparmor.d/groups/apt/apt-show-versions Normal file
View file

@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-show-versions
profile apt-show-versions @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/apt-common>
@{exec_path} r,
/{usr/,}bin/perl r,
/usr/bin/dpkg rPx -> child-dpkg,
owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
owner /var/cache/apt-show-versions/files rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
include if exists <local/apt-show-versions>
}

22
apparmor.d/groups/apt/apt-sortpkgs Normal file
View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-sortpkgs
profile apt-sortpkgs @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
include if exists <local/apt-sortpkgs>
}

67
apparmor.d/groups/apt/apt-systemd-daily Normal file
View file

@ -0,0 +1,67 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} {
include <abstractions/base>
# Needed to remove the following error:
# apt.systemd.daily[]: find: /var/cache/apt/archives/partial: Permission denied
capability dac_read_search,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/which rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/date rix,
/{usr/,}bin/find rix,
/{usr/,}bin/du rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx,
/etc/default/locale r,
# The /daily_lock file is only used when the /var/lib/apt/daily_lock can be accessed.
#/daily_lock w,
/var/lib/apt/daily_lock wk,
/var/lib/apt/extended_states r,
/var/lib/apt/periodic/autoclean-stamp w,
/var/backups/ r,
/var/backups/apt.extended_states rw,
/var/backups/apt.extended_states.[0-9]* rw,
/var/backups/apt.extended_states.[0-9]*.gz w,
/var/cache/apt/ r,
/var/cache/apt/archives/ r,
/var/cache/apt/archives/partial/ r,
/var/cache/apt/archives/*.deb rw,
/var/cache/apt/backup/ r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-systemd-daily>
}

193
apparmor.d/groups/apt/aptitude Normal file
View file

@ -0,0 +1,193 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/aptitude{,-curses}
profile aptitude @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
capability sys_chroot,
audit deny capability net_admin,
#capability sys_tty_config,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
/var/log/aptitude w,
# For downloading the source of packages (showsrc/source options)
/{usr/,}bin/apt rPx,
# For changelogs
owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
owner /tmp/aptitude-*.@{pid}:*/parsedchangelog* w,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/aptitude/ rw,
owner @{HOME}/.cache/aptitude/metadata-download{,-journal} rw,
owner @{HOME}/.cache/aptitude/metadata-download rwk,
/{usr/,}bin/sensible-pager rCx -> pager,
# For aptitude-run-state-bundle
owner /tmp/aptitudebug.*/ r,
owner /tmp/aptitudebug.*/** rwk,
/var/lib/apt-xapian-index/index r,
/var/cache/apt-xapian-index/index.[0-9]/*.glass r,
/var/cache/apt-xapian-index/index.[0-9]/iamglass r,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/aptitude-*.@{pid}:*/ rw,
owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
/tmp/aptitude-*.@{pid}:*/pkgstates* r,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For the interactive mode
/usr/share/tasksel/descs/ r,
/usr/share/tasksel/descs/debian-tasks.desc r,
owner @{HOME}/.aptitude/ rw,
owner @{HOME}/.aptitude/config rw,
owner @{HOME}/.aptitude/config@{pid} rw,
/tmp/apt-changelog-*/ rw,
/var/lib/debtags/vocabulary r,
/{usr/,}bin/su rPx,
@{run}/lock/aptitude rwk,
/usr/share/aptitude/ r,
/usr/share/aptitude/* r,
/var/lib/aptitude/pkgstates{,.old,.new} rw,
/var/lib/aptitude/pkgstates.old rwl -> /var/lib/aptitude/pkgstates,
/var/lib/debtags/package-tags r,
# When run in a TTY, to remove the following error:
# aptitude[]: *** err
# aptitude[]: /dev/tty2: Permission denied
# aptitude[]: *** err
# aptitude[]: Oh, oh, it's an error! possibly I die!
/dev/tty[0-9]* rw,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
/var/log/cron-apt/temp w,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
# For shell pwd
/root/ r,
}
include if exists <local/aptitude>
}

22
apparmor.d/groups/apt/aptitude-changelog-parser Normal file
View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-changelog-parser
profile aptitude-changelog-parser @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
/**/debian/changelog r,
include if exists <local/aptitude-changelog-parser>
}

33
apparmor.d/groups/apt/aptitude-create-state-bundle Normal file
View file

@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle
profile aptitude-create-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
# Files included in the bundle
owner @{HOME}/.aptitude/{,*} r,
/var/lib/aptitude/{,*} r,
/var/lib/apt/{,**} r,
/var/cache/apt/ r,
/var/cache/apt/*.bin r,
/etc/apt/{,**} r,
/var/lib/dpkg/status r,
include if exists <local/aptitude-create-state-bundle>
}

29
apparmor.d/groups/apt/aptitude-run-state-bundle Normal file
View file

@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle
profile aptitude-run-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/aptitude-curses rPx,
owner /tmp/aptitudebug.*/{,**} rw,
include if exists <local/aptitude-run-state-bundle>
}

39
apparmor.d/groups/apt/child-dpkg Normal file
View file

@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-dpkg" exec transitions from
# other profiles. We want to confine the dpkg(1) utility when it
# is invoked from other confined applications, but not when it is used
# in regular (unconfined) shell scripts or run directly by the user.
abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/dpkg by default
profile child-dpkg {
include <abstractions/base>
include <abstractions/consoles>
# Needed?
deny capability setgid,
/{usr/,}bin/dpkg mr,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/var/lib/dpkg/** r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
include if exists <local/child-dpkg>
}

32
apparmor.d/groups/apt/child-dpkg-divert Normal file
View file

@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-dpkg-divert" exec transitions
# from other profiles. We want to confine the dpkg-divert(1) utility when
# it is invoked from other confined applications, but not when it is used
# in regular (unconfined) shell scripts or run directly by the user.
abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/dpkg-divert by default
profile child-dpkg-divert {
include <abstractions/base>
/{usr/,}bin/dpkg-divert mr,
/var/lib/dpkg/arch r,
/var/lib/dpkg/status r,
/var/lib/dpkg/updates/ r,
/var/lib/dpkg/triggers/File r,
/var/lib/dpkg/triggers/Unincorp r,
/var/lib/dpkg/diversions r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
include if exists <local/child-dpkg-divert>
}

51
apparmor.d/groups/apt/debconf-apt-progress Normal file
View file

@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debconf-apt-progress
profile debconf-apt-progress @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/apt-get rPx,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
profile frontend flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}bin/debconf-apt-progress rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
/etc/shadow r,
}
include if exists <local/debconf-apt-progress>
}

Some files were not shown because too many files have changed in this diff Show more