From 0b66933b45aa1fb266b1dd9e831fc7316abbda46 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 9 May 2022 21:51:18 +0100 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/apt/apt | 5 ++++- apparmor.d/groups/apt/apt-systemd-daily | 1 + apparmor.d/groups/browsers/firefox | 1 + apparmor.d/groups/browsers/firefox-pingsender | 4 +++- apparmor.d/groups/bus/ibus-engine-simple | 1 + apparmor.d/groups/bus/ibus-extension-gtk3 | 1 + apparmor.d/groups/bus/ibus-portal | 2 ++ apparmor.d/groups/bus/ibus-x11 | 1 + apparmor.d/groups/freedesktop/fc-list | 3 ++- apparmor.d/groups/freedesktop/xrdb | 5 ++++- apparmor.d/groups/freedesktop/xwayland | 1 + apparmor.d/groups/gnome/gjs-console | 1 + apparmor.d/groups/gnome/gnome-calendar | 1 + apparmor.d/groups/gnome/gnome-control-center | 4 ++-- .../gnome/gnome-control-center-print-renderer | 1 + apparmor.d/groups/gnome/gnome-music | 2 -- apparmor.d/profiles-a-f/appstreamcli | 4 ++-- apparmor.d/profiles-a-f/child-pager | 13 +++++-------- apparmor.d/profiles-g-l/irqbalance | 1 + apparmor.d/profiles-m-r/mono-sgen | 1 - apparmor.d/profiles-m-r/pkcs11-register | 4 ++-- apparmor.d/profiles-s-z/wireplumber | 2 +- 22 files changed, 37 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 067a238ee..5ee666915 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -30,8 +30,11 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/test rix, /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/gdbus rix, + /{usr/,}bin/test rix, + /{usr/,}bin/touch rix, /{usr/,}{s,}bin/dpkg-preconfigure rPx, /{usr/,}{s,}bin/localepurge rPx, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 2d9a2afed..a60e4603e 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily 
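Review bot: `/{usr/,}bin/gdbus rix,` runs gdbus under apt's own confinement, so every bus call it makes has to be covered by a `dbus` rule in this same profile; none is added in this hunk, and if the profile has none, the exec will succeed but the call will be denied (or, in complain mode, only logged) at the bus. The caller is presumably an apt post-invoke hook notifying the system bus after dpkg runs — confirm which hook, then add a `dbus send` rule scoped to that destination and interface rather than an unrestricted one. A one-line reason above the new rule would also help the next reader, e.g. `# gdbus: used by apt hooks to notify the system bus after dpkg runs`. The rest of the apt profile is outside the hunk.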
@@ -27,6 +27,7 @@ profile apt-systemd-daily @{exec_path} { /{usr/,}bin/flock rix, /{usr/,}bin/grep rix, /{usr/,}bin/gzip rix, + /{usr/,}bin/ls rix, /{usr/,}bin/mv rix, /{usr/,}bin/rm rix, /{usr/,}bin/savelog rix, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 6fe7210b1..177a69bd1 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -118,6 +118,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 7804b110b..95cb15363 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -20,7 +20,9 @@ profile firefox-pingsender @{exec_path} { owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw, - # file_inherit + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 3340a8a88..390259572 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -15,6 +15,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/machine-id r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 8685c80ea..23f435578 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 
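Review bot: The new ibus address-file rule only matches Wayland sockets (`-unix-wayland-[0-9]*`), whereas the ibus-portal profile in the same commit uses `-unix-{,wayland-}[0-9]`; under an X11 session the file is presumably named `<machine-id>-unix-<display>` and this read would still be denied. Suggest `owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-{,wayland-}[0-9]*} r,` so both session types, and the ibus profiles, agree on one pattern. A short comment naming the file would also help, since the path does not explain itself: `# ibus-daemon address file, read when the IBus input module is active`.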
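Review bot: Removing the `# file_inherit` comment leaves `owner /dev/tty[0-9]* rw,` looking like a deliberate grant, when — as the removed comment recorded — it exists only because the descriptor is inherited from the parent; a later reviewer will not know whether it can be dropped. Keep `# file_inherit` directly above the tty rule. The new `@{PROC}/@{pid}/stat` and `task/@{tid}/stat` reads look like process self-inspection rather than inherited descriptors, so they belong above that heading rather than replacing it.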
@@ -32,6 +32,7 @@ profile ibus-extension-gtk3 @{exec_path} { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, + /etc/machine-id r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 3d6d6d57f..ba4528126 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -20,6 +20,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /usr/share/locale/locale.alias r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, /var/lib/gdm/.config/ibus/bus/ r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index acb769712..b36b22cf5 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -20,6 +20,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/machine-id r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index 2a7d03aef..b9a49e683 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,7 +13,7 @@ profile fc-list @{exec_path} { include include - /{usr/,}bin/fc-list mr, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 28751b5c2..4db269649 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -32,6 +33,8 @@ profile xrdb @{exec_path} { owner /tmp/xauth-[0-9]*-_[0-9] r, owner /tmp/kcminit.* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 8cec4f89a..e535c2dfe 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -25,6 +25,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xkbcomp rPx, /usr/share/egl/{,**} r, + /usr/share/fonts/X11/{,**} r, /usr/share/X11/xkb/rules/evdev r, owner /tmp/server-[0-9]*.xkm rwk, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 515e1acbd..7af35a3d1 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 01270d590..0490d7559 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -11,6 +11,7 @@ profile gnome-calendar @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 4104f53e3..9d2f42455 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -40,8 +40,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/locale rix, /{usr/,}bin/openvpn rPx, /{usr/,}bin/passwd rPx, - /{usr/,}lib/gnome-control-center-goa-helper rPx, - /{usr/,}lib/gnome-control-center-print-renderer rPx, + @{libexec}/gnome-control-center-goa-helper rPx, + @{libexec}/gnome-control-center-print-renderer rPx, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/backgrounds/gnome/* r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 9aafa1c72..4da0a80b3 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -15,6 +15,7 @@ profile gnome-control-center-print-renderer @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 5184c0798..2d291652f 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -56,7 +56,5 @@ profile gnome-music @{exec_path} { owner @{PROC}/@{pid}/mounts r, - /dev/shm/ r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 29c4937ad..8d609ba33 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -36,9 +36,9 @@ profile appstreamcli @{exec_path} flags=(complain) { /var/lib/app-info/ w, /var/lib/app-info/yaml/ r, - /var/lib/app-info/yaml/*_Components-*.yml.gz w, + /var/lib/app-info/yaml/*.yml.gz w, /var/lib/apt/lists/ r, - /var/lib/apt/lists/*_Components-*.gz r, + /var/lib/apt/lists/*.gz r, /var/lib/flatpak/appstream/{,**} r, /var/lib/swcatalog/ rw, /var/lib/swcatalog/icons/{,**} rw, diff --git a/apparmor.d/profiles-a-f/child-pager b/apparmor.d/profiles-a-f/child-pager index 0a883be77..7249cbbf1 100644 
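Review bot: Both globs are widened from the DEP-11 naming (`*_Components-*`) to any `*.gz` / `*.yml.gz` without saying which file the old pattern missed; the write rule in particular now covers every `.yml.gz` under `/var/lib/app-info/yaml/`. The profile is `flags=(complain)`, so nothing is enforced yet, but these rules are what enforcement will eventually use. If the intent is to match other DEP-11 artefacts, name them in a comment such as `# DEP-11 metadata mirrored from /var/lib/apt/lists (Components-*.yml.gz and related files)`; otherwise keep the `*_Components-*` constraint on the write side and widen only the read.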
--- a/apparmor.d/profiles-a-f/child-pager +++ b/apparmor.d/profiles-a-f/child-pager @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Note: This profile does not specify an attachment path because it is @@ -28,14 +28,11 @@ profile child-pager { /{usr/,}bin/less mr, /{usr/,}bin/more mr, - @{user_cache_dirs}/lesshs* rw, - owner /root/.lesshs* rw, - - # Display properly on different host terminals @{system_share_dirs}/terminfo/{,**} r, - # For shell pwd - /root/ r, + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{user_cache_dirs}/lesshs* rw, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index f0b1316eb..2e60584eb 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -27,6 +27,7 @@ profile irqbalance @{exec_path} { @{sys}/devices/system/node/node[0-9]*/{cpumap,meminfo} r, @{PROC}/interrupts r, + @{PROC}/irq/[0-9]*/node r, @{PROC}/irq/[0-9]*/smp_affinity rw, include if exists diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index 7b9b433a6..035286b2b 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -42,7 +42,6 @@ profile mono-sgen @{exec_path} { owner /tmp/*.* rw, owner /tmp/CASESENSITIVETEST* rw, owner /dev/shm/mono.* rw, - /dev/shm/ r, @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/pci[0-9]*/**/vendor r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 9f9a510b8..c72e1b6bd 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register 
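Review bot: `/root/ r` carried a `# For shell pwd` comment explaining an odd-looking directory read; its replacement `owner @{HOME}/ r,` has no comment, so the reason is lost — keep `# For shell pwd` above the new line. Separately, `owner @{user_cache_dirs}/lesshs* rw,` is retained although less writes its history to `~/.lesshst` (recent releases use `$XDG_DATA_HOME`/`$XDG_STATE_HOME` instead — verify for the targeted version), not the cache directory, so that rule may never match anything; either drop it or note which less build needs it. The `owner` qualifier on the three new rules is a good tightening over the old unowned cache rule.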
@@ -14,10 +14,10 @@ profile pkcs11-register @{exec_path} { /etc/opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt r, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, - owner @{HOME}/.thunderbird/*/pkcs11.txt r, + owner @{HOME}/.thunderbird/*/pkcs11.txt rw, owner @{HOME}/.thunderbird/profiles.ini r, include if exists diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index e44f20932..75eec8ad8 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -26,7 +26,7 @@ profile wireplumber @{exec_path} { /usr/share/spa-*/bluez[0-9]*/{,*} r, /usr/share/wireplumber/{,**} r, - /var/lib/gdm/.local/state/wireplumber/{,**} r, + /var/lib/gdm/.local/state/wireplumber/{,**} rw, owner @{HOME}/.local/state/ w, owner @{HOME}/.local/state/wireplumber/{,**} rw,
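Review bot: Write access to `pkcs11.txt` is what allows a process to register arbitrary PKCS#11 module libraries into a browser's NSS module database, so the `r` → `rw` change deserves a why-comment, e.g. `# pkcs11-register adds the OpenSC module to each NSS module db (pkcs11.txt)`. The same tool presumably also registers into the default NSS database under `~/.pki/nssdb`, whose `pkcs11.txt` is left at `r` — confirm whether that path needs `rw` as well or whether the read there is only a probe. If NSS rewrites the file through a temporary name rather than in place, `rw` on `pkcs11.txt` alone will not suffice; a denial on a sibling temp file in the audit log would show that.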
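Review bot: `/var/lib/gdm/.local/state/wireplumber/{,**} rw,` grants write access to the gdm user's state directory without `owner`, while the equivalent user rules just below are `owner`-restricted; a wireplumber instance running as a regular user has no business modifying gdm's files, and the profile should not be the thing that permits it if DAC is ever misconfigured. If the write is for the greeter session's instance, which runs as gdm, split the rule: `/var/lib/gdm/.local/state/wireplumber/{,**} r,` and `owner /var/lib/gdm/.local/state/wireplumber/{,**} rw,`, with a comment such as `# state of the greeter (gdm) wireplumber instance`.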