diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index 6cd603a4f..ab5e6ab96 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -9,12 +9,15 @@
 # Allow to receive some signals
 signal (receive) peer=top,
 signal (receive) peer=htop,
+ signal (receive) set=(term,cont) peer=systemd,
 signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
 signal (receive) set=(term,kill) peer=openbox,
 signal (receive) set=(hup) peer=xinit,
 signal (receive) set=(term,kill) peer=su,
 signal (receive) peer=sudo,
+ ptrace (readby) peer=systemd-coredump,
+
 # Allow to write a user defined fifo log devices
 owner /dev/log-xsession w,
 owner /dev/log-gnupg w,
diff --git a/apparmor.d/groups/desktop/accounts-daemon b/apparmor.d/groups/desktop/accounts-daemon
index 243f1e875..9b6a9c709 100644
--- a/apparmor.d/groups/desktop/accounts-daemon
+++ b/apparmor.d/groups/desktop/accounts-daemon
@@ -18,6 +18,8 @@ profile accounts-daemon @{exec_path} {
 capability sys_ptrace,
 deny capability sys_nice,
+ ptrace (read) peer=unconfined,
+
 @{exec_path} mr,
 owner /var/lib/AccountsService/ r,
diff --git a/apparmor.d/groups/glib/glib-compile-schemas b/apparmor.d/groups/glib/glib-compile-schemas
index 3e5ad79ad..3af156984 100644
--- a/apparmor.d/groups/glib/glib-compile-schemas
+++ b/apparmor.d/groups/glib/glib-compile-schemas
@@ -10,6 +10,9 @@ include
 profile glib-compile-schemas @{exec_path} {
 include
+ network inet stream,
+ network inet6 stream,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/{,*} r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 327b5e4e9..3f6fc87ee 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
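Review bot: The new `ptrace (readby) peer=systemd-coredump,` line lands in the `base` abstraction, so every profile that includes it now lets systemd-coredump read its memory when it crashes, and the rule carries no comment saying so. Because the dump of a process holding key material is then written out by an unrelated service, the grant deserves a why-comment next to it, e.g. `# Let systemd-coredump read our memory on crash (readby only, no traceby)`, so that a profile for a secret-holding daemon can knowingly override it with `deny ptrace (readby) peer=systemd-coredump,` or keep the process non-dumpable. The preceding `signal (receive) set=(term,cont) peer=systemd,` is correctly limited to the two signals service management needs.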
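Review bot: `ptrace (read) peer=unconfined,` restricts the new read permission to unconfined peers while the `capability sys_ptrace,` two lines above it is unconditional, and neither line records which /proc access triggered the rule. If accounts-daemon is inspecting /proc/<pid>/ entries of session processes, many of those run under profiles from this same repository and would not match `unconfined`, so the peer choice should either be widened deliberately or documented as intentional, e.g. `# Read /proc/@{pid}/ of unconfined processes only; confined peers are denied on purpose`. Keeping `read` rather than `trace` is the right minimum.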
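Review bot: `network inet stream,` and `network inet6 stream,` give an offline schema compiler permission to create TCP sockets, which nothing in the hunk (it only reads `/usr/share/glib-2.0/schemas/`) justifies. If the rules were added to silence a socket() denial from library initialisation rather than a real need, `deny network inet stream,` and `deny network inet6 stream,` would quiet the log without widening the profile; the same pattern is repeated in the pacdiff and pacman-conf hunks of this commit. Whichever way it goes, a one-line comment naming the triggering denial would stop the next reader from guessing.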
@@ -24,11 +24,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 capability sys_nice,
 capability sys_tty_config,
- signal (send) set=hup peer=gsd-*,
+ signal (receive) set=term peer=gdm,
+ signal (send) set=hup peer=dbus-daemon,
+ signal (send) set=hup peer=gjs-console,
 signal (send) set=hup peer=gnome-*,
+ signal (send) set=hup peer=gsd-*,
+ signal (send) set=hup peer=ibus-*,
 signal (send) set=hup peer=xwayland,
 signal (send) set=term peer=gdm-wayland-session,
- signal (receive) set=term peer=gdm,
 network netlink raw,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index cc79f2f3b..3145afb50 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -13,8 +13,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 include
 signal (send) set=(term) peer=gsd-*,
+ signal (receive) set=(term, hup) peer=gdm*,
 signal (receive) set=(term) peer=gdm-wayland-session,
- signal (receive) set=(term) peer=gdm,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
index 8a17cc7dc..5064f11d3 100644
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@@ -10,7 +10,7 @@ include
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 161714eb1..98d48db48 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -12,7 +12,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
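Review bot: The new `signal (send) set=hup peer=dbus-daemon,` is keyed only on the profile name, so if the system bus and the session bus both run under a `dbus-daemon` profile the rule lets the session worker HUP either of them; naming the intended instance in a comment, or narrowing the peer if the profiles are distinct, would keep that scope explicit. The reordering is otherwise behaviour-preserving: `signal (receive) set=term peer=gdm,` and `signal (send) set=hup peer=gsd-*,` are removed and re-added unchanged, and only `dbus-daemon`, `gjs-console` and `ibus-*` are genuinely new targets. The profile body continues outside the hunk.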
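Review bot: `signal (receive) set=(term, hup) peer=gdm*,` turns an exact peer match into a prefix glob, which also covers `gdm-wayland-session` and makes the `signal (receive) set=(term) peer=gdm-wayland-session,` line just below it redundant. Given that the gdm-session-worker hunk in this same commit is the sender of the HUP (`signal (send) set=hup peer=gnome-*,`), an explicit alternation such as `peer={gdm,gdm-session-worker}` would document the real peers without matching any future profile that happens to start with `gdm`. The same `gdm` to `gdm*` widening is applied verbatim across the gsd-* profiles in this commit and the remark applies to each of them.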
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index 388c5c51b..803689387 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -10,7 +10,7 @@ include
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index 0d8b6a817..dce09a263 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index 172e2ddf7..4fef0886a 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -12,7 +12,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 65b19e788..2c01197c3 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -13,7 +13,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 network netlink raw,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index f8bb145e5..a52e8a2ed 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -15,7 +15,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 1870a2f82..e47020be3 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -14,7 +14,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 network inet stream,
 network inet6 stream,
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 signal (send) set=(hup) peer=gsd-printer,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index 7c338f36d..9ca5f5b54 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -10,7 +10,7 @@ include
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 signal (receive) set=(hup) peer=gsd-print-notifications,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index c7b413f69..25493729a 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -10,7 +10,7 @@ include
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 network netlink raw,
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
index 730783ea3..bb916f383 100644
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -10,7 +10,7 @@ include
 profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 02dd10ffc..3c6d43f0c 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -10,7 +10,7 @@ include
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index 78ac9b2e1..f1e4ff007 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -10,7 +10,7 @@ include
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index 27ced6d9c..4f27eaea6 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -10,7 +10,7 @@ include
 profile gsd-sound @{exec_path} flags=(attach_disconnected) {
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index c920c3dd6..8ea114e80 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -13,7 +13,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=term peer=gdm,
+ signal (receive) set=(term, hup) peer=gdm*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 9efd8a648..9d75446cf 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -28,6 +28,8 @@ profile tracker-extract @{exec_path} {
 owner @{MOUNTS}/*/{,**} r,
 owner /tmp/*/{,**} r,
+ owner @{PROC}/@{pid}/fd/ r,
+
 include
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
index 50fe02395..f380db017 100644
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -13,6 +13,9 @@ profile pacdiff @{exec_path} {
 capability dac_read_search,
 capability mknod,
+ network inet stream,
+ network inet6 stream,
+
 @{exec_path} mr,
 /{usr/,}bin/pacman-conf rPx,
diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf
index 8292d42e8..10f5fea51 100644
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
@@ -9,7 +9,10 @@ include
 @{exec_path} = /{usr/,}bin/pacman-conf
 profile pacman-conf @{exec_path} flags=(attach_disconnected) {
 include
-
+
+ network inet stream,
+ network inet6 stream,
+
 @{exec_path} mr,
 /etc/pacman.conf r,
diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl
index 773e71fcf..7d3c078b5 100644
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@@ -18,8 +18,8 @@ profile child-systemctl {
 include
 include
- capability sys_ptrace,
 capability net_admin,
+ capability sys_ptrace,
 ptrace (read),
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index 4dbc8e33d..62a2f73cd 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -27,7 +27,7 @@ profile systemd-machined @{exec_path} flags=(complain) {
 /etc/machine-id r,
- @{run}/systemd/machines/{,**} r,
+ @{run}/systemd/machines/{,**} rw,
 @{run}/systemd/userdb/io.systemd.Machine rw,
 include if exists
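Review bot: The `network inet stream,` and `network inet6 stream,` rules in pacman-conf grant a configuration parser the right to open TCP sockets, and nothing in the hunk (it reads `/etc/pacman.conf`) explains why. If the denial that prompted them comes from library start-up rather than an actual connection, silencing it with `deny network inet stream,` and `deny network inet6 stream,` keeps the profile's network surface at zero; the pacdiff hunk just above adds the same pair, and since pacdiff already transitions to this profile via `/{usr/,}bin/pacman-conf rPx,`, the two grants need to be justified separately rather than copied. A comment naming the observed denial next to each would make the decision reviewable later.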
diff --git a/apparmor.d/profiles-a-l/adb b/apparmor.d/profiles-a-l/adb
index d87f53dd8..a00b3a40e 100644
--- a/apparmor.d/profiles-a-l/adb
+++ b/apparmor.d/profiles-a-l/adb
@@ -21,6 +21,8 @@ profile adb @{exec_path} {
 @{exec_path} mrix,
+ /usr/share/scrcpy/scrcpy-server r,
+
 owner /tmp/adb.[0-9]*.log rw,
 owner @{HOME}/.android/ rw,
diff --git a/apparmor.d/profiles-m-z/polkitd b/apparmor.d/profiles-m-z/polkitd
index 48f98cfa8..a0d1cb67e 100644
--- a/apparmor.d/profiles-m-z/polkitd
+++ b/apparmor.d/profiles-m-z/polkitd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,14 +12,13 @@ profile polkitd @{exec_path} {
 include
 include
- # Tu run as polkitd:nogroup
 capability setuid,
 capability setgid,
-
- # Needed?
 capability sys_ptrace,
 audit deny capability net_admin,
+ ptrace (read) peer=unconfined,
+
 @{exec_path} mr,
 @{PROC}/@{pids}/stat r,
diff --git a/apparmor.d/profiles-m-z/rtkit-daemon b/apparmor.d/profiles-m-z/rtkit-daemon
index 31347b7e7..7ae686bfc 100644
--- a/apparmor.d/profiles-m-z/rtkit-daemon
+++ b/apparmor.d/profiles-m-z/rtkit-daemon
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,19 +13,12 @@ profile rtkit-daemon @{exec_path} {
 include
 include
- # To raise process nice and set scheduling policies (real-time) and priorities
- capability sys_nice,
-
- # To chroot /proc/
- capability sys_chroot,
-
- # To run daemon as rtkit:rtkit
+ capability dac_read_search,
 capability setgid,
 capability setuid,
-
- # The two are visible in systemd service, but it doesn't seem they're needed
- #capability dac_read_search,
- #capability sys_ptrace,
+ capability sys_chroot,
+ capability sys_nice,
+ capability sys_ptrace,
 @{exec_path} mr,
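Review bot: `ptrace (read) peer=unconfined,` together with the now-uncommented `capability sys_ptrace,` only covers unconfined subjects, yet the hunk keeps `@{PROC}/@{pids}/stat r,` and several /proc/<pid>/ files are gated by a ptrace-read check on the peer's label, so inspecting a caller that runs under any profile in this repository (udisksctl in this very commit, for example) may still be refused. If that narrowing is intentional the rule needs a comment saying so; if polkitd is meant to authorise confined callers the peer should be widened (child-systemctl in the same commit uses a bare `ptrace (read),`). Either way, replacing the deleted `# Needed?` with a line such as `# sys_ptrace + ptrace read: identify the calling process via /proc/@{pids}/` keeps the reason on record instead of silently dropping the question.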
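Review bot: `capability sys_ptrace,` is added to rtkit-daemon but, unlike polkitd in this same commit, no `ptrace (read)` rule accompanies it in the visible lines, so if the capability is there for reading /proc/<pid>/ of clients the peer access may still be denied unless such a rule exists outside the hunk. The hunk also deletes the explanatory comments (`# To raise process nice ...`, `# To chroot /proc/`, `# To run daemon as rtkit:rtkit`) and enables the two capabilities the old text said were unneeded, without saying what observation changed. A short why-comment per capability, e.g. `# dac_read_search/sys_ptrace: inspect /proc/@{pid}/ of clients requesting realtime priority (confirm against the denial)`, would preserve the rationale the old comments carried. The profile body continues outside the hunk.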
diff --git a/apparmor.d/profiles-m-z/udisksctl b/apparmor.d/profiles-m-z/udisksctl
index 0bc1922c5..58fca3ce9 100644
--- a/apparmor.d/profiles-m-z/udisksctl
+++ b/apparmor.d/profiles-m-z/udisksctl
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,5 +13,13 @@ profile udisksctl @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ /{usr/,}bin/pager rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
+
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd
index 14443c73c..af9a9539b 100644
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
@@ -23,6 +23,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 # Error mounting /dev/sd* at /media/*/*: Operation not permitted.
 capability sys_admin,
+ capability chown,
 capability dac_read_search,
 capability dac_override,
diff --git a/apparmor.d/profiles-m-z/xdg-open b/apparmor.d/profiles-m-z/xdg-open
index 7a4324f9a..fedcf6b9d 100644
--- a/apparmor.d/profiles-m-z/xdg-open
+++ b/apparmor.d/profiles-m-z/xdg-open
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/xdg-open
-profile xdg-open @{exec_path} {
+profile xdg-open @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
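Review bot: `/{usr/,}bin/{,ba,da}sh rix,` lets udisksctl run a full shell inside its own confinement with no comment on why a disk-management client needs one; if the shell only serves to launch the pager, a comment saying so (`# sh -c wrapper used to start the pager`) would stop the rule being widened later, and because `rix` inherits the profile anything the shell runs stays bounded by udisksctl's own rules. The three pager lines correctly hand off to `child-pager` via `rPx` rather than inheriting, which keeps `$PAGER`-driven programs out of this profile. Anything other than pager, less or more named in `$PAGER` will simply be denied, which is the safe default and worth stating in the same comment.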
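Review bot: `capability chown,` is added to a daemon that already holds `sys_admin`, `dac_override` and `dac_read_search`, and unlike the neighbouring `sys_admin` grant it carries no comment recording the failure it fixes. The file's convention, visible just above (`# Error mounting /dev/sd* at /media/*/*: Operation not permitted.`), is to quote the observed error next to the capability; the same should be done here, e.g. `# chown: <quote the exact denial seen on mount>`, so a later audit can tell whether the capability is still exercised. The profile body continues outside the hunk.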
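Review bot: Adding `flags=(attach_disconnected)` to the xdg-open profile header changes how paths with no attachment point in the namespace are presented to the policy (they are attached under `/`, so ordinary path rules can match them), and the hunk gives no indication of which denial required it. Because it makes existing path rules apply to objects they were not written for, the flag deserves a comment on the line above it naming the trigger, e.g. `# attach_disconnected: needed when <caller> hands xdg-open a disconnected fd/path (see denial)`. The rest of the profile, including the rules this now widens, is outside the hunk.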