From 177d27d94cff5a6e3591b120807e1fb95632a2db Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 21 Jul 2022 22:37:17 +0100
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/freedesktop/colord | 2 +-
 apparmor.d/groups/freedesktop/geoclue | 4 ++
 apparmor.d/groups/freedesktop/plymouthd | 6 +-
 apparmor.d/groups/freedesktop/xorg | 10 +++
 apparmor.d/groups/gnome/gdm-session-worker | 2 +-
 apparmor.d/groups/gnome/gnome-control-center | 65 +++---------------
 apparmor.d/groups/gnome/gnome-keyring-daemon | 5 ++
 apparmor.d/groups/gnome/gsd-color | 6 +-
 apparmor.d/groups/gnome/gsd-power | 5 +-
 .../groups/gnome/gsd-print-notifications | 3 +
 apparmor.d/groups/gnome/tracker-miner | 1 +
 apparmor.d/groups/gvfs/gvfsd-dnssd | 5 ++
 .../groups/ubuntu/software-properties-dbus | 19 +++++-
 .../groups/ubuntu/software-properties-gtk | 27 +++++++-
 apparmor.d/profiles-a-f/boltd | 4 +-
 apparmor.d/profiles-g-l/hugo | 2 +-
 apparmor.d/profiles-m-r/needrestart | 4 +-
 apparmor.d/profiles-m-r/power-profiles-daemon | 6 +-
 apparmor.d/profiles-s-z/system-config-printer | 3 +-
 19 files changed, 106 insertions(+), 73 deletions(-)

diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index da7c5a33a..444e83c85 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -18,7 +18,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
-       interface=org.freedesktop.{DBus.Properties,ColorManager},
+       interface=org.freedesktop.{DBus.Properties,ColorManager*},
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index 0fbe6c051..378710753 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -53,6 +53,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.NetworkManager
        member={CheckPermissions,StateChanged,PropertiesChanged},
 
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged,
+
   dbus bind bus=system name=org.freedesktop.GeoClue2,
 
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 78e16dddf..2cab93185 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -32,13 +32,13 @@ profile plymouthd @{exec_path} {
   @{run}/udev/data/+drm:* r,
   @{run}/udev/data/c226:* r,
+  @{run}/udev/data/c29:* r,
 
   @{sys}/bus/ r,
   @{sys}/class/ r,
   @{sys}/class/drm/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/uevent r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/uevent r,
-  @{sys}/devices/pci[0-9]*/**/drm/renderD128/uevent r,
+  @{sys}/class/graphics/ r,
+  @{sys}/devices/pci[0-9]*/**/{,uevent} r,
   @{sys}/devices/virtual/tty/console/active r,
   @{sys}/firmware/acpi/bgrt/{,*} r,
 
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index ab5783ba2..090e2ee81 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -13,6 +13,7 @@ include
 @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
 profile xorg @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   include
   include
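Review bot: The added `dbus receive` rule for PropertiesChanged on /org/freedesktop/NetworkManager has no `peer=` clause, so the profile accepts that signal from any client on the system bus rather than only from NetworkManager. The NetworkManager rule in the preceding context is written the same way, so this may be deliberate, but both can be pinned with `peer=(name=org.freedesktop.NetworkManager)` without affecting legitimate traffic. The enclosing profile continues outside the hunk.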
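Review bot: `@{sys}/devices/pci[0-9]*/**/{,uevent} r,` replaces three rules scoped to drm card and render nodes with read access to every directory and every uevent file below every PCI device, which is a much wider grant than the removed lines suggest is needed. If the intent is the drm and framebuffer device nodes (the hunk also adds `@{sys}/class/graphics/ r,`), something like `@{sys}/devices/pci[0-9]*/**/{drm,graphics}/**/{,uevent} r,` keeps the brace form while staying inside those subtrees; if plymouthd really walks the whole PCI tree, a short comment saying why would help the next reviewer. The enclosing profile continues outside the hunk.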
@@ -40,6 +41,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
+  dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*}
+       interface=org.freedesktop.{DBus.Properties,login1.Session}
+       member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID}
+       peer=(name=org.freedesktop.login[0-9]),
+
+  dbus receive bus=system path=/org/freedesktop/login[0-9]/session/*
+       interface=org.freedesktop.login1.Session
+       member=PauseDevice,
+
   @{exec_path} mrix,
 
   /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 5247d4073..548b699f8 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/login[0-9]
        interface=org.freedesktop.login[0-9].Manager
-       member=CreateSession,
+       member={CreateSession,ReleaseSession},
 
   @{exec_path} mrix,
 
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 1efb46496..c6c3ef91d 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -10,9 +10,8 @@ include
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   include
   include
-  include
-  include
-  include
+  include
+  include
   include
   include
   include
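Review bot: In the added `dbus send` rule, `GetSessionByPID` is a method of the org.freedesktop.login1.Manager interface on /org/freedesktop/login1, but the rule's `interface=` lists only DBus.Properties and login1.Session, so that member is not granted by this rule and, unless another rule outside the hunk covers it, the call will still be denied. If Xorg needs it, give it its own rule: `dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=GetSessionByPID peer=(name=org.freedesktop.login[0-9]),`. The `dbus receive` rule for PauseDevice has no `peer=` clause, unlike the send rule above it; `peer=(name=org.freedesktop.login[0-9])` would keep the pair symmetric and stop other bus clients from delivering that signal. The enclosing profile continues outside the hunk.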
@@ -35,54 +34,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   signal (send) set=(kill) peer=unconfined,
   signal (send) set=(kill) peer=passwd,
 
-  dbus send bus=system path=/org/freedesktop{,ModemManager[0-9],UDisks2}
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects,
-
-  dbus send bus=system path=/net/reactivated/Fprint/Manager
-       interface=net.reactivated.Fprint.Manager
-       member=GetDevices,
-
-  dbus send bus=system path=/net/reactivated/Fprint/Manager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
-       interface=org.freedesktop.PolicyKit[0-9].Authority
-       member=CheckAuthorization,
-
-  dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus send bus=system path=/org/freedesktop/Accounts
-       interface=org.freedesktop.Accounts
-       member={ListCachedUsers,FindUserById},
-
-  dbus send bus=system path=/net/hadess/SwitcherooControl
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus send bus=system path=/org/freedesktop/hostname[0-9]
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus send bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.NetworkManager
-       member=GetPermissions,
-
-  dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
-       interface=org.freedesktop.NetworkManager.Settings.Connection
-       member=GetSettings,
-
-  dbus send bus=system path=/org/freedesktop/systemd[0-9]
-       interface=org.freedesktop.DBus.Properties
-       member={GetAll,Get},
-
   @{exec_path} mr,
 
   /{usr/,}bin/{,b,d,rb}ash rUx,
@@ -101,7 +52,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
   /usr/share/language-tools/language2locale rix,
 
-  /snap/*/[0-9]*/*.png r,
+  /snap/*/[0-9]*/**.png r,
   /usr/share/backgrounds/{,**} r,
   /usr/share/cups/data/testprint r,
   /usr/share/egl/{,**} r,
@@ -109,12 +60,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /usr/share/gnome-background-properties/{,**} r,
   /usr/share/gnome-bluetooth{-*,}/{,**} r,
   /usr/share/gnome-color-manager/{,**} r,
+  /usr/share/gnome-control-center/{,**} r,
   /usr/share/gnome-shell/search-providers/{,**} r,
   /usr/share/gnome/gnome-version.xml r,
   /usr/share/mime/{,**} r,
   /usr/share/pipewire/client.conf r,
   /usr/share/thumbnailers/{,*} r,
-  /usr/share/ubuntu/applications/ r,
+  /usr/share/ubuntu/applications/{,*} r,
   /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
   /usr/share/zoneinfo/{,**} r,
@@ -135,9 +87,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/thumbnails/{,**} rw,
   owner @{user_config_dirs}/gnome-control-center/{,**} rw,
   owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  owner @{user_config_dirs}/mimeapps.list.* rw,
   owner @{user_share_dirs}/backgrounds/{,**} rw,
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   owner @{user_share_dirs}/icc/{,edid-*} r,
+  owner @{user_share_dirs}/sounds/__custom/{,*} rw,
   owner @{user_share_dirs}/webkitgtk/{,**} r,
   owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
   owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
@@ -145,10 +99,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
   owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
   owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
-  @{run}/systemd/users/@{uid} r,
+  @{run}/cups/cups.sock rw,
+  @{run}/samba/ rw,
   @{run}/systemd/sessions/ r,
   @{run}/systemd/sessions/* r,
-  @{run}/cups/cups.sock rw,
+  @{run}/systemd/users/@{uid} r,
   @{run}/udev/data/+dmi:* r,
   @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index 0c245569c..85b6e24bd 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -19,6 +19,11 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(term) peer=gdm,
   signal (send) set=(term) peer=ssh-agent,
 
+  dbus send bus=system path=/org/freedesktop/login[0-9]/session/*
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.login[0-9]),
+
   dbus send bus=system path=/org/freedesktop/login[0-9]
        interface=org.freedesktop.login[0-9].Manager
        member=GetSession
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index e2d9852b5..3f14d3eaf 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -18,10 +18,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(term, hup) peer=gdm*,
 
-  dbus (send, receive) bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager,
+  dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*}
+       interface=org.freedesktop.ColorManager*,
 
-  dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*}
+  dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/*,/profiles/*}
        interface=org.freedesktop.DBus.Properties
        member=GetAll,
 
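Review bot: `@{run}/samba/ rw,` grants write permission on the /run/samba directory entry itself (creating, renaming or removing that directory), not on files inside it, and it is not `owner`-qualified; for a settings panel that only needs to see whether Samba is present, `@{run}/samba/ r,` is the minimal form. If a file inside that directory is actually written, it should be named explicitly instead of widening the directory rule. The enclosing profile continues outside the hunk.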
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 6a09314b2..557146a9b 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -92,8 +92,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
   @{sys}/devices/platform/**/leds/*backlight*/brightness rw,
 
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pid}/cgroup r,
 
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 2cf185641..cf9a4654e 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -31,6 +31,9 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.Avahi.Server
        member={GetAPIVersion,GetState,ServiceBrowserNew},
 
+  dbus receive bus=system path=/org/cups/cupsd/Notifier
+       interface=org.cups.cupsd.Notifier,
+
   dbus receive bus=system path=/
        interface=org.freedesktop.Avahi.Server
        member=StateChanged,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 8191ba33f..ce6051e18 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -27,6 +27,7 @@ profile tracker-miner @{exec_path} {
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
   /usr/share/tracker3-miners/{,**} r,
   /usr/share/tracker3/{,**} r,
   /usr/share/ubuntu/applications/ r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index c7e81148c..e66598258 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
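Review bot: The added `dbus receive` rule for org.cups.cupsd.Notifier carries neither a `member=` nor a `peer=` clause, so every member on that interface from every client on the system bus is accepted, whereas the Avahi receive rule directly below it is pinned to a single member. Listing the notifier signals the daemon actually handles, or at least adding a `peer=` clause for the CUPS sender (I cannot tell from the hunk whether cupsd's notifier presents a bus name or only a profile label), would narrow the surface without breaking printer notifications. The enclosing profile continues outside the hunk.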
@@ -18,6 +18,11 @@ profile gvfsd-dnssd @{exec_path} {
        interface=org.freedesktop.Avahi.Server
        member={Ping,GetAPIVersion,GetState,ServiceBrowserNew},
 
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.Avahi),
+
   dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]
        interface=org.freedesktop.Avahi.ServiceBrowser
        member={CacheExhausted,AllForNow},
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index dd5422139..0bea79d98 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -10,9 +10,23 @@ include
 profile software-properties-dbus @{exec_path} {
   include
   include
-  include
-  include
   include
+  include
+  include
+  include
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName
+       peer=(name=org.freedesktop.DBus),
+
+  dbus receive bus=system path=/
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+
+  dbus receive bus=system path=/
+       interface=com.ubuntu.SoftwareProperties
+       member=Reload,
 
   dbus bind bus=system name=com.ubuntu.SoftwareProperties,
 
@@ -31,6 +45,7 @@ profile software-properties-dbus @{exec_path} {
   owner /tmp/tmp*/{,apt.conf} rw,
 
   owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
 
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index 1f0d4603f..f5e7e6d94 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
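Review bot: The new `dbus receive … interface=com.ubuntu.SoftwareProperties member=Reload` rule in the software-properties-dbus hunk has no `peer=` clause, so on the AppArmor side this privileged helper accepts Reload from any client on the system bus; whether that is acceptable depends on the polkit check inside the service, which this hunk cannot show. If the only legitimate caller is software-properties-gtk (whose profile gains the matching `dbus send` later in this commit), `peer=(label=software-properties-gtk)` would pin it; if other callers exist, a comment naming them would make the open rule auditable. The `dbus send … member=RequestName` rule is consistent with the existing `dbus bind` line in the context. The enclosing profile continues outside the hunk.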
@@ -16,8 +16,22 @@ profile software-properties-gtk @{exec_path} {
   include
   include
 
+  dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager}
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+
+  dbus send bus=system path=/
+       interface=com.ubuntu.SoftwareProperties
+       member=Reload,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects,
+
   @{exec_path} mr,
 
+  /{usr/,}bin/ r,
+  /{usr/,}bin/aplay rPx,
   /{usr/,}bin/apt-key rPx,
   /{usr/,}bin/dpkg rPx -> child-dpkg,
@@ -25,25 +39,36 @@ profile software-properties-gtk @{exec_path} {
   /{usr/,}bin/lsb_release rPx -> lsb_release,
   /{usr/,}bin/ubuntu-advantage rPx,
 
+  /usr/share/distro-info/*.csv r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,
   /usr/share/mime/mime.cache r,
   /usr/share/pixmaps/ r,
   /usr/share/python-apt/{,**} r,
   /usr/share/software-properties/{,**} r,
+  /usr/share/themes/{,**} r,
   /usr/share/ubuntu-drivers-common/detect/{,**} r,
   /usr/share/X11/xkb/{,**} r,
   /usr/share/xml/iso-codes/{,**} r,
 
+  /etc/gtk-3.0/settings.ini r,
   /etc/machine-id r,
   /etc/update-manager/release-upgrades r,
 
+  /var/lib/snapd/desktop/icons/ r,
+
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
+
+  owner /tmp/[a-z0-9]* rw,
+  owner /tmp/tmp*/{,apt.conf} rw,
+
   @{sys}/devices/ r,
   @{sys}/devices/**/ r,
   @{sys}/devices/**/modalias r,
 
+  @{PROC}/@{pids}/mountinfo r,
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
 
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index a98cdfa74..e46ecbe3b 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -7,8 +7,9 @@ abi ,
 include
 
 @{exec_path} = @{libexec}/boltd
-profile boltd @{exec_path} {
+profile boltd @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
 
   capability net_admin,
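Review bot: In the second software-properties-gtk hunk, `@{PROC}/@{pids}/mountinfo r,` replaces the removed `owner @{PROC}/@{pid}/mountinfo r,` with an unqualified read of the mount table of every process on the system, while the line next to it keeps the owner form (`owner @{PROC}/@{pid}/mounts r,`); if one specific other process's mountinfo is needed, that deserves a comment, otherwise the owner-scoped line should be restored. `owner /tmp/[a-z0-9]* rw,` is also broad for a GUI, covering any lower-case temp file the user owns; if it exists for a known temp-file prefix, naming that prefix keeps it tight. The profile's closing brace is inside the hunk but its header is not.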
@@ -21,6 +22,7 @@ profile boltd @{exec_path} {
   owner @{run}/boltd/{,**} rw,
 
+  @{run}/systemd/journal/socket w,
   @{run}/udev/data/+thunderbolt:* r,
 
   @{sys}/bus/ r,
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index 3e298ef3a..d771789d4 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -32,7 +32,7 @@ profile hugo @{exec_path} {
   owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
   owner @{user_projects_dirs}/**/go.{mod,sum} rwk,
 
-  owner /tmp/hugo_cache/{,**} rwk,
+  owner /tmp/hugo_cache/{,**} rwkl,
   owner /tmp/go-codehost-[0-9]* rw,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 6e0aeef58..02f53ffae 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -28,6 +28,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/fail2ban-server rPx,
   /{usr/,}bin/locale rix,
   /{usr/,}bin/python3.[0-9]* rix,
+  /{usr/,}bin/sed rix,
   /{usr/,}bin/stty rix,
   /{usr/,}bin/systemctl rPx,
   /{usr/,}bin/systemd-detect-virt rPx,
@@ -37,6 +38,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/needrestart/iucode-scan-versions rPx,
   /usr/share/debconf/frontend rix,
 
+  /{usr/,}bin/gettext.sh r,
   /usr/share/needrestart/{,**} r,
   /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
 
@@ -48,8 +50,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
 
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pids}/cgroup r,
   @{PROC}/ r,
+  @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/cmdline r,
   @{PROC}/@{pids}/environ r,
   @{PROC}/@{pids}/maps r,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index c9d803bab..3ec186658 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -25,9 +25,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus
        member=RequestName,
 
+  dbus send bus=system path=/net/hadess/PowerProfiles
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged,
+
   dbus receive bus=system path=/net/hadess/PowerProfiles
        interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+       member={GetAll,Set},
 
   dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
        interface=org.freedesktop.PolicyKit[0-9].Authority
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer
index bbcb943ee..b9c388c46 100644
--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@@ -60,7 +60,8 @@ profile system-config-printer @{exec_path} flags=(complain) {
   owner @{HOME}/.cups/ rw,
   owner @{HOME}/.cups/lpoptions rw,
 
-  owner @{run}/@{uid}/gvfsd/socket-* rw,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
   @{run}/cups/cups.sock rw,
 
   owner /tmp/* rw,
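Review bot: `member={GetAll,Set}` on the `dbus receive` rule for /net/hadess/PowerProfiles means that, as far as AppArmor is concerned, any system-bus client may now call Properties.Set on the daemon; the write authorization is therefore left entirely to the daemon, and the PolicyKit receive rule in the context suggests it consults polkit, but that is inferred rather than visible here. Since a profile reader cannot see that delegation, a one-line comment above the rule would make the grant auditable, e.g. `# Set is authorized by the daemon itself (polkit), not by this profile` — adjusted to whatever the daemon actually does. The enclosing profile continues outside the hunk.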