From 21e8456383c03ade4229888775a576216785da1c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 1 Oct 2024 17:29:49 +0100
Subject: [PATCH] feat(abs): general improvment.
---
 apparmor.d/abstractions/app-open | 4 +-
 apparmor.d/abstractions/app/kmod | 8 +++-
 apparmor.d/abstractions/app/sudo | 1 -
 apparmor.d/abstractions/base.d/complete | 2 -
 apparmor.d/abstractions/common/electron | 3 ++
 apparmor.d/abstractions/common/gnome | 1 +
 apparmor.d/abstractions/deny-sensitive-home | 52 +++++++++++++--------
 apparmor.d/abstractions/mesa.d/complete | 4 ++
 apparmor.d/abstractions/python.d/complete | 11 +++-
 9 files changed, 56 insertions(+), 30 deletions(-)
diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
index c47c7ca69..70f89d866 100644
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@@ -11,8 +11,8 @@
 # Sandbox managers
 @{bin}/bwrap rPUx,
 @{bin}/firejail rPUx,
- @{bin}/flatpak rPUx,
- @{bin}/snap rPUx,
+ @{bin}/flatpak rPx,
+ @{bin}/snap rPx,
 # Labeled programs
 @{archive_viewers_path} rPUx,
diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod
index ae6b1cd78..ae10dbbfc 100644
--- a/apparmor.d/abstractions/app/kmod
+++ b/apparmor.d/abstractions/app/kmod
@@ -4,7 +4,13 @@
 include
- @{bin}/kmod mr,
+ @{bin}/depmod mr,
+ @{bin}/insmod mr,
+ @{bin}/kmod mr,
+ @{bin}/lsmod mr,
+ @{bin}/modinfo mr,
+ @{bin}/modprobe mr,
+ @{bin}/rmmod mr,
 @{lib}/modprobe.d/ r,
 @{lib}/modprobe.d/*.conf r,
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index 3fa454356..b10c66c68 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -57,7 +57,6 @@
 @{PROC}/@{pid}/limits r,
 @{PROC}/@{pid}/loginuid r,
 @{PROC}/@{pid}/stat r,
- @{PROC}/sys/kernel/ngroups_max r,
 @{PROC}/sys/kernel/seccomp/actions_avail r,
 /dev/ r,
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index eef226aec..3e10a94f5 100644
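Review bot: Moving `@{bin}/flatpak` and `@{bin}/snap` from `rPUx` to `rPx` drops the unconfined fallback, so on a host where the flatpak or snap profile is not loaded the child exec is now refused, while `@{bin}/bwrap` and `@{bin}/firejail` two lines above keep `rPUx`. If the intent is that both profiles always ship with and are enforced by this project, a comment should record that dependency so the asymmetry reads as deliberate, e.g. `# flatpak and snap carry their own profile here: no unconfined fallback`. Otherwise keep all four sandbox managers on the same transition mode. The rest of the app-open abstraction lies outside this hunk.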
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -20,8 +20,6 @@
 ptrace (readby) peer=systemd-coredump,
- /usr/share/locale/ r,
- @{etc_rw}/localtime r,
 /etc/locale.conf r,
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index b39ccc853..9cf480718 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@@ -50,6 +50,7 @@
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+ owner @{user_config_dirs}/electron-flags.conf r,
 owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
 owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
@@ -87,6 +88,8 @@
 owner @{PROC}/@{pid}/task/@{tid}/status r,
 owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome
index 8fe4d97cd..ced9cb1b1 100644
--- a/apparmor.d/abstractions/common/gnome
+++ b/apparmor.d/abstractions/common/gnome
@@ -5,6 +5,7 @@
 # Minimal set of rules for all gnome based UI application.
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
index d8e1fdfb8..1f1047cec 100644
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
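Review bot: The new `deny @{user_share_dirs}/gvfs-metadata/* r,` in the second electron hunk carries no explanation, unlike the `# If kernel.unprivileged_userns_clone = 1` remark on the line above it, and a plain deny also suppresses the audit entry for that path, so a later maintainer cannot tell from the profile why the read was expected and refused. Add a comment naming the trigger, e.g. `# Silence reads of gvfs file metadata, presumably from the GTK file chooser - confirm`. Note also that `/*` matches only direct entries of gvfs-metadata, whereas the other deny rules in this patch use `{,**}`; confirm which scope is intended.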
@@ -11,42 +11,56 @@
 # The only legitimate use in this project is for file browser and search engine.
- deny @{HOME}/.*.bak mrwkl,
- deny @{HOME}/.*.swp mrwkl,
- deny @{HOME}/.*~ mrwkl,
- deny @{HOME}/.*~1~ mrwkl,
+ # User defined private directories
+ deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
+ deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
+ deny @{user_private_dirs}/{,**} mrxwlk,
+
+ # Files with secret paswords and tokens
 deny @{HOME}/.*age*{,/{,**}} mrwkl,
 deny @{HOME}/.*aws*{,/{,**}} mrwkl,
 deny @{HOME}/.*cert*{,/{,**}} mrwkl,
- deny @{HOME}/.*history mrwkl,
 deny @{HOME}/.*key*{,/{,**}} mrwkl,
 deny @{HOME}/.*pass*{,/{,**}} mrwkl,
 deny @{HOME}/.*pki*{,/{,**}} mrwkl,
 deny @{HOME}/.*private*{,/{,**}} mrwkl,
 deny @{HOME}/.*secret*{,/{,**}} mrwkl,
 deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
- deny @{HOME}/.fetchmail* mrwkl,
- deny @{HOME}/.lesshst* mrwkl,
- deny @{HOME}/.mozilla/{,**} mrwkl,
- deny @{HOME}/.mutt* mrwkl,
- deny @{HOME}/.thunderbird/{,**} mrwkl,
- deny @{HOME}/.viminfo* mrwkl,
- deny @{HOME}/.wget-hsts mrwkl,
+ deny @{HOME}/.aws/{,**} mrwkl,
+ deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
 deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
 deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
+ deny @{run}/user/@{uid}/keyring** mrwkl,
 deny @{user_config_dirs}/*-store/{,**} mrwkl,
- deny @{user_config_dirs}/chromium/{,**} mrwkl,
 deny @{user_password_store_dirs}/{,**} mrwkl,
 deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
- # User defined private directories
- deny @{user_private_dirs}/{,**} mrxwlk,
- deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
- deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
+ # Privacy violations
+ deny @{HOME}/.*.bak mrwkl,
+ deny @{HOME}/.*.swp mrwkl,
+ deny @{HOME}/.*~ mrwkl,
+ deny @{HOME}/.*~1~ mrwkl,
+ deny @{HOME}/.*history mrwkl,
+ deny @{HOME}/.evolution/{,**} mrwkl,
+ deny @{HOME}/.fetchmail* mrwkl,
+ deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ deny @{HOME}/.lesshst* mrwkl,
+ deny @{HOME}/.mozilla/{,**} mrwkl,
+ deny @{HOME}/.mutt** mrwkl,
+ deny @{HOME}/.thunderbird/{,**} mrwkl,
+ deny @{HOME}/.viminfo* mrwkl,
+ deny @{HOME}/.wget-hsts mrwkl,
+ deny @{user_config_dirs}/chromium/{,**} mrwkl,
+ deny @{user_config_dirs}/evolution/{,**} mrwkl,
 # Deny executable mapping in writable space as allowed in abstractions/fonts
- deny @{HOME}/.{,cache/}fontconfig/ rw,
- deny @{HOME}/.{,cache/}fontconfig/** mrwl,
+ deny @{HOME}/.{,cache/}fontconfig/ rw,
+ deny @{HOME}/.{,cache/}fontconfig/** mrwl,
+
+ # special attention to (potentially) executable files
+ deny @{HOME}/bin wl,
+ deny @{HOME}/bin/{,**} wl,
 include if exists
diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index a8b9937bd..8ac3ad7f3 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -5,7 +5,11 @@
 # Extra Mesa rules for desktop environments
 owner @{desktop_cache_dirs}/ w,
 owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,
+ owner @{desktop_cache_dirs}/mesa_shader_cache_db/index rw,
+ owner @{desktop_cache_dirs}/mesa_shader_cache_db/marker rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw,
+ owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk,
+ owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk,
 owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete
index e6eea6744..9f8d13eb5 100644
--- a/apparmor.d/abstractions/python.d/complete
+++ b/apparmor.d/abstractions/python.d/complete
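Review bot: The new heading `# Files with secret paswords and tokens` misspells "passwords"; it should read `# Files with secret passwords and tokens`. The added pair `deny @{HOME}/bin wl,` and `deny @{HOME}/bin/{,**} wl,` shields only `~/bin`, while `~/.local/bin` is the XDG location most distributions also put on the user's PATH, so a confined application can still drop files there; if the project defines a user-bin variable next to `@{user_lib_dirs}` (used in the python.d hunk of this patch) it belongs here, otherwise add `deny @{HOME}/.local/bin/{,**} wl,` beside the two rules. Also `deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,` is the legacy GNOME keyring store and fits the secrets heading better than `# Privacy violations`. The hunk header `-11,42 +11,56` shows this hunk covers the body of the abstraction; the file's header lines lie outside it.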
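Review bot: The four added mesa_shader_cache_db rules repeat the same path with only the leaf differing, whereas sibling files in this patch write such pairs with alternation (`{cert9,key4}.db`, `{site,dist}-packages`). Collapse them to `owner @{desktop_cache_dirs}/mesa_shader_cache_db/{index,marker} rw,` and `owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.{db,idx} rwk,`. Keeping these cache files at `rw`/`rwk` with no `m` is the right call, since nothing in a shader cache should ever be exec-mapped.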
@@ -4,11 +4,12 @@
 # SPDX-License-Identifier: GPL-2.0-only
 @{bin}/ r,
- @{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
+ @{python_path} r,
- owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
- owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
- owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
- owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
+ owner @{user_lib_dirs}/@{python_name}/ r,
+ owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r,
+ owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr,
+ owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r,
+ owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r,
 # vim:syntax=apparmor
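Review bot: `owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr,` keeps exec-mapping (`m`) of shared objects under a directory the confined process owns and can write, which is the same "executable mapping in writable space" pattern that deny-sensitive-home refuses for fontconfig elsewhere in this patch. User-installed extension modules (pip --user) genuinely need it, so the rule is presumably intended, but the trade-off should be written down, e.g. `# m on user-owned .so is unavoidable for pip --user extension modules; keep this abstraction out of profiles that do not need it`. The hunk also swaps an explicit version glob for `@{python_path}` and `@{python_name}` whose definitions are not shown; confirm both are declared in the tunables before this abstraction is included, since an undefined variable fails profile parsing.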