diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common index f4a2ace29..f12ce7380 100644 --- a/apparmor.d/abstractions/apt-common +++ b/apparmor.d/abstractions/apt-common @@ -11,7 +11,8 @@ /etc/apt/preferences.d/{,*} r, /etc/apt/sources.list r, - /etc/apt/sources.list.d/{,*.list} r, + /etc/apt/sources.list.d/ r, + /etc/apt/sources.list.d/*.{sources,list} r, /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index 168f6e187..281c7e223 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -16,9 +16,11 @@ ptrace (readby, tracedby) peer=libvirtd, ptrace (readby, tracedby) peer=/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=virtqemud, signal (receive) peer=libvirtd, signal (receive) peer=/usr/sbin/libvirtd, + signal (receive) peer=virtqemud, /dev/kvm rw, /dev/net/tun rw, @@ -35,6 +37,8 @@ @{PROC}/sys/vm/overcommit_memory r, # detect hardware capabilities via qemu_getauxval owner @{PROC}/*/auxv r, + # allow reading libnl's classid file + /etc/libnl{,-3}/classid r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, @@ -221,6 +225,7 @@ # allow connect with openGraphicsFD to work unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), + unix (send, receive) type=stream addr=none peer=(label=virtqemud), # for gathering information about available host resources /sys/devices/system/cpu/ r, diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio index 4ead52951..d60eb2e38 100644 --- a/apparmor.d/groups/apps/android-studio +++ b/apparmor.d/groups/apps/android-studio 
@@ -52,7 +52,7 @@ profile android-studio @{exec_path} { /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/uname rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/cut rix, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index 854e99e85..ba8478bfd 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -44,8 +44,8 @@ profile code @{exec_path} { #/{usr/,}bin/{,e}grep rix, #/{usr/,}bin/id rix, #/{usr/,}bin/readlink rix, - #/{usr/,}bin/which rix, - #/{usr/,}{s,}bin/ifconfig rix, + #/{usr/,}bin/which{,.debianutils} rix, + #/{usr/,}sbin/ifconfig rix, /{usr/,}bin/lsb_release rPx -> child-lsb_release, diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube index bcc0e569d..8088155bd 100644 --- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/groups/apps/freetube @@ -113,6 +113,8 @@ profile freetube @{exec_path} { # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, + /{usr/,}bin/mpv rPx, + /{usr/,}bin/vlc rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -135,6 +137,8 @@ profile freetube @{exec_path} { # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, + /{usr/,}bin/mpv rPx, + /{usr/,}bin/vlc rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index d3fe0faf3..5fae855c7 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -36,7 +36,7 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, @@ -77,9 +77,13 @@ profile telegram-desktop @{exec_path} { /usr/share/hwdata/pnp.ids r, + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/smplayer rPx, + /{usr/,}bin/viewnior rPUx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/geany rPx, 
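Review bot: `/{usr/,}bin/viewnior rPUx,` in the telegram-desktop "Allowed apps to open" list falls back to running viewnior unconfined whenever no viewnior profile is loaded, which is a weaker transition than the `rPx` used by every neighbouring entry (firefox, smplayer, qpdfview, geany). An image viewer launched on attachments received over Telegram is exactly the child that should stay confined; if a viewnior profile exists in this repository use `/{usr/,}bin/viewnior rPx,`, and if it does not, put a comment above the line saying the unconfined fallback is deliberate so it is not tightened by accident later. The same `rPUx` entry is repeated in the next telegram-desktop hunk. The telegram-desktop profile body starts and ends outside these hunks.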
@@ -106,6 +110,7 @@ profile telegram-desktop @{exec_path} { /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/smplayer rPx, /{usr/,}bin/qpdfview rPx, + /{usr/,}bin/viewnior rPUx, /{usr/,}bin/geany rPx, # file_inherit diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index 60d1aaa80..bc30b2e9f 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird @@ -56,7 +56,7 @@ profile thunderbird @{exec_path} { /{usr/,}bin/sed rix, /{usr/,}bin/date rix, /{usr/,}bin/tr rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/ps rPx, /{usr/,}bin/dig rix, diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index 415ed7fac..d9259acfb 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -158,7 +158,7 @@ profile vlc @{exec_path} { /{usr/,}bin/mv rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/sed rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/xset rix, /{usr/,}bin/xautolock rix, /{usr/,}bin/dbus-send rix, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5eb581e98..b6795e7df 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -127,7 +127,7 @@ profile apt @{exec_path} flags=(complain) { /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index e67736b84..8983c93d4 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -29,6 +29,8 @@ profile apt-forktracer @{exec_path} { /var/lib/apt/lists/ r, /var/lib/apt/lists/*_InRelease r, + /var/cache/apt/pkgcache.bin{,.*} rw, + /usr/share/distro-info/debian.csv r, owner @{PROC}/@{pid}/fd/ r, 
diff --git a/apparmor.d/groups/apt/apt-get b/apparmor.d/groups/apt/apt-get index de36d6d83..09c855fe7 100644 --- a/apparmor.d/groups/apt/apt-get +++ b/apparmor.d/groups/apt/apt-get @@ -136,7 +136,7 @@ profile apt-get @{exec_path} flags=(complain) { /{usr/,}bin/sensible-pager mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/less rix, owner @{HOME}/.less* rw, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 92af3ef7a..471384eb1 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -84,7 +84,7 @@ profile apt-listchanges @{exec_path} { /{usr/,}bin/ r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/less rix, owner @{HOME}/.less* rw, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index f1b860568..c638f261f 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -45,6 +45,8 @@ profile apt-methods-gpgv @{exec_path} { /{usr/,}bin/sed rix, /{usr/,}bin/sort rix, /{usr/,}bin/touch rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/base64 rix, # For shell pwd / r, @@ -78,7 +80,10 @@ profile apt-methods-gpgv @{exec_path} { # Local keyring storage /etc/keyrings/ r, - /etc/keyrings/*.gpg r, + /etc/keyrings/*.{gpg,asc} r, + + # Extrepo keyring storage + /var/lib/extrepo/keys/*.{gpg,asc} r, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index cba1efec9..adf30d0a5 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily 
@@ -23,7 +23,7 @@ profile apt-systemd-daily @{exec_path} { /{usr/,}bin/rm rix, /{usr/,}bin/mv rix, /{usr/,}bin/savelog rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/touch rix, /{usr/,}bin/basename rix, /{usr/,}bin/dirname rix, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index d7c93d77d..0e37509e2 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -174,7 +174,7 @@ profile aptitude @{exec_path} flags=(complain) { /{usr/,}bin/sensible-pager mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/less rix, owner @{HOME}/.less* rw, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index 9396f6ab4..23fbdf438 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -15,7 +15,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/tar rix, /{usr/,}bin/bzip2 rix, /{usr/,}bin/gzip rix, diff --git a/apparmor.d/groups/apt/cron-apt-compat b/apparmor.d/groups/apt/cron-apt-compat index 9ec30630f..c2200b580 100644 --- a/apparmor.d/groups/apt/cron-apt-compat +++ b/apparmor.d/groups/apt/cron-apt-compat @@ -21,7 +21,7 @@ profile cron-apt-compat @{exec_path} { /{usr/,}bin/dd rix, /{usr/,}bin/cksum rix, /{usr/,}bin/cut rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/sleep rix, include if exists diff --git a/apparmor.d/groups/apt/cron-apt-xapian-index b/apparmor.d/groups/apt/cron-apt-xapian-index index dd7ba9647..9c986e358 100644 --- a/apparmor.d/groups/apt/cron-apt-xapian-index +++ b/apparmor.d/groups/apt/cron-apt-xapian-index 
@@ -13,7 +13,7 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/nice rix, diff --git a/apparmor.d/groups/apt/cron-aptitude b/apparmor.d/groups/apt/cron-aptitude index 2c34f1b4f..a425ebc0c 100644 --- a/apparmor.d/groups/apt/cron-aptitude +++ b/apparmor.d/groups/apt/cron-aptitude @@ -16,7 +16,7 @@ profile cron-aptitude @{exec_path} { /{usr/,}bin/cp rix, /{usr/,}bin/date rix, /{usr/,}bin/basename rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/dirname rix, /{usr/,}bin/rm rix, /{usr/,}bin/mv rix, diff --git a/apparmor.d/groups/apt/cron-popularity-contest b/apparmor.d/groups/apt/cron-popularity-contest index 57a04bea4..df30a29ae 100644 --- a/apparmor.d/groups/apt/cron-popularity-contest +++ b/apparmor.d/groups/apt/cron-popularity-contest @@ -65,7 +65,7 @@ profile cron-popularity-contest @{exec_path} { /{usr/,}bin/date rix, /{usr/,}bin/basename rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/dirname rix, /{usr/,}bin/rm rix, /{usr/,}bin/mv rix, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e7fc53cbc..26b021e32 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -92,9 +92,12 @@ profile reportbug @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw, - owner /tmp/[a-z0-9]* rw, + owner /tmp/* rw, owner /var/tmp/*.bug{,~} rw, + owner @{HOME}/draftbugreports/ r, + owner @{HOME}/draftbugreports/reportbug-* rw, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, 
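Review bot: `owner /tmp/* rw,` widens the previous `owner /tmp/[a-z0-9]* rw,` to every top-level file under /tmp the user owns, and it also subsumes the more specific `owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw,` kept directly above it, so that rule no longer restricts anything. If the motivation is Python's tempfile naming, `owner /tmp/tmp* rw,` (the pattern other profiles in this diff use, e.g. qbittorrent and git) together with the existing `reportbug-*` rules would cover it without granting access to unrelated temporary files. The reportbug profile body continues outside this hunk.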
@@ -114,7 +117,8 @@ profile reportbug @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /tmp/reportbug-*-{signed,unsigned}-[0-9]*-[0-9]*-* rw, + owner /tmp/reportbug-*-{signed,unsigned}-* rw, + owner @{HOME}/draftbugreports/reportbug-*-{signed,unsigned}-* rw, } diff --git a/apparmor.d/groups/browsers/brave-browser b/apparmor.d/groups/browsers/brave-browser index df4a551f4..106f8a6bd 100644 --- a/apparmor.d/groups/browsers/brave-browser +++ b/apparmor.d/groups/browsers/brave-browser @@ -21,7 +21,7 @@ profile brave-browser @{exec_path} { /{usr/,}bin/readlink rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/cat rix, diff --git a/apparmor.d/groups/browsers/google-chrome-google-chrome b/apparmor.d/groups/browsers/google-chrome-google-chrome index 23f0d1095..96183b3b9 100644 --- a/apparmor.d/groups/browsers/google-chrome-google-chrome +++ b/apparmor.d/groups/browsers/google-chrome-google-chrome @@ -20,7 +20,7 @@ profile google-chrome-google-chrome @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/readlink rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/dirname rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/cat rix, diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index f234d0e51..07d4cca86 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -49,7 +49,7 @@ profile opera @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, @{OPERA_INSTALLDIR}/opera_sandbox rPx, @{OPERA_INSTALLDIR}/opera_crashreporter rPx, diff --git a/apparmor.d/groups/browsers/torbrowser.Browser.firefox b/apparmor.d/groups/browsers/torbrowser.Browser.firefox index 05953ab17..0201f10fa 100644 --- a/apparmor.d/groups/browsers/torbrowser.Browser.firefox +++ b/apparmor.d/groups/browsers/torbrowser.Browser.firefox 
@@ -1,15 +1,17 @@ -include -include +#include +#include @{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real profile torbrowser_firefox @{torbrowser_firefox_executable} { - include - include + #include + #include + #include + #include if exists # Uncomment the following lines if you want to give the Tor Browser read-write # access to most of your personal files. - # include + # #include # @{HOME}/ r, # Audio support @@ -36,6 +38,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { /dev/ r, /dev/shm/ r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, @@ -90,6 +93,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { /usr/share/gnome/applications/ r, /usr/share/gnome/applications/kde4/ r, /usr/share/poppler/cMap/ r, + /etc/xdg/mimeapps.list r, # Distribution homepage /usr/share/homepage/ r, @@ -99,6 +103,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { /sys/devices/system/cpu/present r, /sys/devices/system/node/ r, /sys/devices/system/node/node[0-9]*/meminfo r, + /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_quota_us r, deny /sys/devices/virtual/block/*/uevent r, # Should use abstractions/gstreamer instead once merged upstream @@ -111,6 +116,9 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { owner /{dev,run}/shm/org.chromium.* rw, owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC + # Required for Wayland display protocol support + owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, + # Deny access to DRM nodes, that's granted by the X abstraction, which is # sourced by the gnome abstraction, that we include. deny /dev/dri/** rwklx, 
@@ -126,7 +134,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
 deny /run/user/[0-9]*/dconf/user rw,
 deny /usr/bin/lsb_release x,
- deny capability sys_admin,
 # Silence denial logs about PulseAudio
 deny /etc/pulse/client.conf r,
@@ -143,10 +150,16 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 /sys/class/ r,
 /sys/bus/ r,
 /sys/class/hidraw/ r,
- /run/udev/data/c24{7,9}:* r,
+ /run/udev/data/c24{5,7,9}:* r,
 /dev/hidraw* rw,
 # Yubikey NEO also needs this:
 /sys/devices/**/hidraw/hidraw*/uevent r,
- include if exists
+ # Needed for Firefox sandboxing via unprivileged user namespaces
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/{gid,uid}_map w,
+ owner @{PROC}/@{pid}/setgroups w,
+
+ #include if exists
 }
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index dbadd7872..268a90d98 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -45,10 +45,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
 @{PROC}/@{pids}/cmdline r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/osrelease r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
 @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base
index 9adeccf06..3dbfbbbd5 100644
--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
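Review bot: The new `capability sys_admin,` and `capability sys_chroot,` grants (together with the earlier hunk in this file dropping `deny capability sys_admin,`) are not scoped to the user namespace the sandbox creates: AppArmor capability rules apply wherever the process's credentials actually carry the capability, so the comment should make clear the grant is only expected to take effect inside the unprivileged child namespaces Firefox creates and is not meant to cover running the browser as root. I would extend the comment to `# Needed for Firefox sandboxing via unprivileged user namespaces: AppArmor mediates the capability checks made inside the child userns, so they are granted here even though the process is unprivileged on the host`. If the AppArmor version this repository targets supports `userns` rules, mention that as the tighter alternative. Separately, this file switches back from `include` to `#include` while every other profile in this diff uses the `include` spelling, which is worth keeping consistent.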
@@ -9,8 +9,19 @@ include @{exec_path} = /etc/cron.daily/exim4-base profile cron-exim4-base @{exec_path} { include + include + include + include capability dac_read_search, + capability setgid, + capability setuid, + capability audit_write, + capability sys_ptrace, + + ptrace (read), + + network netlink raw, @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,12 +36,21 @@ profile cron-exim4-base @{exec_path} { /{usr/,}sbin/eximstats rix, /{usr/,}sbin/exim4 rPx, + /{usr/,}sbin/exim_tidydb rix, + + /{usr/,}sbin/start-stop-daemon rix, + /{usr/,}sbin/runuser rix, /etc/default/exim4 r, /var/spool/exim4/db/ r, + /var/spool/exim4/db/* rwk, + @{PROC}/ r, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/1/limits r, + + /etc/security/limits.d/ r, include if exists } diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index ac7c967d6..4b9370fd0 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -14,7 +14,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/true rix, /{usr/,}bin/flock rix, /{usr/,}bin/nocache rix, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index f675cabc3..210ca9c06 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -14,7 +14,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/true rix, /{usr/,}bin/flock rix, /{usr/,}bin/nocache rix, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index fa9c37f8f..39fe78928 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab 
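Review bot: `ptrace (read),` with no `peer=` plus `capability sys_ptrace,` lets this daily cron job read the state of every process on the host, which is far more than a log-rotation script needs. If it exists only so that `start-stop-daemon` can inspect the running exim4 daemon, restrict it to that label, `ptrace (read) peer=exim4,` (the exim4 profile is defined in this same diff), and drop the capability if it then proves unnecessary. Note also that `/{usr/,}sbin/runuser rix,` keeps the child under this profile, so with `capability setuid,`/`capability setgid,` everything the script runs as another user inherits these ptrace rights. Both hunks sit inside a profile whose body is not fully shown here.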
@@ -41,7 +41,7 @@ profile crontab @{exec_path} { /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index d75931dac..61899a4c6 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -68,6 +68,10 @@ profile gpg @{exec_path} { owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + # APT upstream/user keyrings + /usr/share/keyrings/*.{gpg,asc} r, + /etc/keyrings/*.{gpg,asc} r, + # Verify files owner @{HOME}/** r, owner @{MOUNTS}/*/** r, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 0f45c1fc1..89ea47753 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -86,7 +86,7 @@ profile openvpn @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cut rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/ip rix, /{usr/,}{s,}bin/xtables-nft-multi rix, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 563166aaa..2340a1c9c 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -25,6 +25,7 @@ profile systemd-hostnamed @{exec_path} { @{sys}/devices/virtual/dmi/id/uevent r, @{run}/udev/data/+dmi:id r, + @{sys}/firmware/dmi/entries/*/raw r, /etc/hostname rw, /etc/.#hostname* rw, diff --git a/apparmor.d/profiles-a-l/anyremote b/apparmor.d/profiles-a-l/anyremote index 771812948..959b513ec 100644 --- a/apparmor.d/profiles-a-l/anyremote +++ b/apparmor.d/profiles-a-l/anyremote 
@@ -29,7 +29,7 @@ profile anyremote @{exec_path} { /{usr/,}bin/id rix, /{usr/,}bin/mv rix, /{usr/,}bin/expr rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/head rix, /{usr/,}bin/wc rix, /{usr/,}bin/tr rix, diff --git a/apparmor.d/profiles-a-l/aspell-autobuildhash b/apparmor.d/profiles-a-l/aspell-autobuildhash index c95ae2b7b..b7474b001 100644 --- a/apparmor.d/profiles-a-l/aspell-autobuildhash +++ b/apparmor.d/profiles-a-l/aspell-autobuildhash @@ -16,7 +16,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /{usr/,}bin/perl r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/precat rix, /{usr/,}bin/zcat rix, /{usr/,}bin/gzip rix, diff --git a/apparmor.d/profiles-a-l/cgrulesengd b/apparmor.d/profiles-a-l/cgrulesengd index 2e425a90b..dc720c6b2 100644 --- a/apparmor.d/profiles-a-l/cgrulesengd +++ b/apparmor.d/profiles-a-l/cgrulesengd @@ -35,13 +35,18 @@ profile cgrulesengd @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/task/ r, owner @{PROC}/@{pid}/mounts r, @{PROC}/cgroups r, + @{sys}/fs/cgroup/unified/cgroup.controllers r, + owner @{run}/cgred.socket w, /etc/cgconfig.conf r, /etc/cgrules.conf r, + /etc/cgconfig.d/ r, + include if exists } diff --git a/apparmor.d/profiles-a-l/child-lsb_release b/apparmor.d/profiles-a-l/child-lsb_release deleted file mode 100644 index 9db6050a5..000000000 --- a/apparmor.d/profiles-a-l/child-lsb_release +++ /dev/null 
@@ -1,62 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-lsb_release" exec transitions
-# from other profiles. We want to confine the lsb_release(1) utility when
-# it is invoked from other confined applications, but not when it is used
-# in regular (unconfined) shell scripts or run directly by the user.
-
-abi ,
-
-include
-
-# Do not attach to /{usr/,}bin/lsb_release by default
-profile child-lsb_release {
- include
- include
- include
-
- signal (receive) set=(term, kill),
-
- owner @{PROC}/@{pid}/fd/ r,
-
- /{usr/,}bin/lsb_release r,
- /{usr/,}bin/python3.[0-9]* r,
-
- /etc/debian_version r,
-# /etc/default/apport r,
- /etc/dpkg/origins/** r,
-# /etc/lsb-release r,
-# /etc/lsb-release.d/ r,
-
-# /{usr/,}bin/{,ba,da}sh rix,
-# /{usr/,}bin/basename ixr,
-
-# /{usr/,}bin/getopt ixr,
-# /{usr/,}bin/sed ixr,
-# /{usr/,}bin/tr ixr,
-
- # Do not strip env to avoid errors like the following:
- # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
- # shared object file): ignored.
- /{usr/,}bin/dpkg-query rpx,
-
- /{usr/,}bin/apt-cache rPx,
-
- /{usr/,}bin/ r,
-# /usr/include/python*/pyconfig.h r,
- /usr/share/distro-info/*.csv r,
-# /usr/share/dpkg/** r,
-# /usr/share/terminfo/** r,
-# /var/lib/dpkg/** r,
-
- # file_inherit
- owner /dev/tty[0-9]* rw,
- owner @{HOME}/.xsession-errors w,
-# deny /tmp/gtalkplugin.log w,
- /dev/dri/card[0-9]* rw,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-a-l/claws-mail b/apparmor.d/profiles-a-l/claws-mail
index 5442fa73f..9713bfbca 100644
--- a/apparmor.d/profiles-a-l/claws-mail
+++ b/apparmor.d/profiles-a-l/claws-mail
@@ -24,7 +24,7 @@ profile claws-mail @{exec_path} flags=(complain) {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
diff --git a/apparmor.d/profiles-a-l/exim4 b/apparmor.d/profiles-a-l/exim4
index 69392267f..551a0fc2a 100644
--- a/apparmor.d/profiles-a-l/exim4
+++ b/apparmor.d/profiles-a-l/exim4
@@ -11,6 +11,7 @@ profile exim4 @{exec_path} {
 include
 include
 include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -58,18 +59,10 @@ profile exim4 @{exec_path} {
 /var/log/exim4/paniclog w,
 /var/log/exim4/rejectlog w,
- /var/spool/exim4/ r,
- /var/spool/exim4/input/ r,
- /var/spool/exim4/input/*-*-*-* rwk,
- owner /var/spool/exim4/input/hdr.*-*-* rw,
- owner /var/spool/exim4/input/hdr.@{pid} rw,
- /var/spool/exim4/db/retry.lockfile rwk,
- owner /var/spool/exim4/db/__db.retry rwk,
- /var/spool/exim4/msglog/*-*-* w,
+ /var/spool/exim4/ r,
+ /var/spool/exim4/** rwk,
- owner /var/mail/* rwk,
- owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
- owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,
+ owner /var/mail/* rwkl -> /var/mail/*,
 @{run}/exim4/ r,
 owner @{run}/exim4/exim.pid rw,
diff --git a/apparmor.d/profiles-a-l/ganyremote b/apparmor.d/profiles-a-l/ganyremote
index c97c4c0c0..8eef20548 100644
--- a/apparmor.d/profiles-a-l/ganyremote
+++ b/apparmor.d/profiles-a-l/ganyremote
@@ -32,7 +32,7 @@ profile ganyremote @{exec_path} {
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/cut rix,
 /{usr/,}bin/id rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/tr rix,
 /{usr/,}bin/gawk rix,
diff --git a/apparmor.d/profiles-a-l/git b/apparmor.d/profiles-a-l/git
index db0ff7907..6bd18526d 100644
--- a/apparmor.d/profiles-a-l/git
+++ b/apparmor.d/profiles-a-l/git
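Review bot: `owner /var/mail/* rwkl -> /var/mail/*,` lets any mailbox file owned by the current uid be hard-linked to any other name under /var/mail, whereas the removed rules only allowed `*.lock` to be linked to `*.lock.*.[0-9a-f]*.[0-9a-f]*`. Keep the link target narrow: `owner /var/mail/* rwk,` plus `owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,`. Likewise `/var/spool/exim4/** rwk,` drops the `owner` qualifier the previous `hdr.*` and `__db.retry` rules carried; if the collapse is intended for simplicity, a one-line comment saying so would stop the next reviewer from re-splitting it. The exim4 profile body starts before this hunk and continues after it.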
@@ -82,6 +82,9 @@ profile git @{exec_path} { owner /tmp/git-difftool.*/right/{,**} rw, owner /tmp/git-difftool.*/left/{,**} rw, owner /tmp/* rw, + # For TWRP-device-tree-generator + owner /tmp/tmp*/ rw, + owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**, # For git log --show-signature owner /tmp/.git_vtag_tmp* rw, @@ -151,7 +154,7 @@ profile git @{exec_path} { /{usr/,}bin/vim mrix, /{usr/,}bin/vim.* mrix, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/profiles-a-l/gsmartcontrol-root b/apparmor.d/profiles-a-l/gsmartcontrol-root index 7428e30d1..7ac4a46cc 100644 --- a/apparmor.d/profiles-a-l/gsmartcontrol-root +++ b/apparmor.d/profiles-a-l/gsmartcontrol-root @@ -14,7 +14,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/pkexec rPx, diff --git a/apparmor.d/profiles-a-l/hypnotix b/apparmor.d/profiles-a-l/hypnotix index 1193100d9..ca7cb8241 100644 --- a/apparmor.d/profiles-a-l/hypnotix +++ b/apparmor.d/profiles-a-l/hypnotix @@ -98,7 +98,7 @@ profile hypnotix @{exec_path} { /{usr/,}bin/mv rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/sed rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/xset rix, /{usr/,}bin/xautolock rix, /{usr/,}bin/dbus-send rix, diff --git a/apparmor.d/profiles-a-l/jdownloader b/apparmor.d/profiles-a-l/jdownloader index 99bc8ec68..cca16ade2 100644 --- a/apparmor.d/profiles-a-l/jdownloader +++ b/apparmor.d/profiles-a-l/jdownloader @@ -34,7 +34,7 @@ profile jdownloader @{exec_path} { /{usr/,}bin/ffmpeg rPx, # These are needed when the above tools are in some nonstandard locations - #/{usr/,}bin/which rix, + #/{usr/,}bin/which{,.debianutils} rix, #/usr/ r, #/usr/local/ r, #/{usr/,}bin/ r, 
diff --git a/apparmor.d/profiles-a-l/jdownloader-install b/apparmor.d/profiles-a-l/jdownloader-install index aa636238d..78e166e77 100644 --- a/apparmor.d/profiles-a-l/jdownloader-install +++ b/apparmor.d/profiles-a-l/jdownloader-install @@ -24,7 +24,7 @@ profile jdownloader-install @{exec_path} { /{usr/,}bin/basename rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/expr rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/rm rix, diff --git a/apparmor.d/profiles-a-l/kanyremote b/apparmor.d/profiles-a-l/kanyremote index c70649816..7a6a68c12 100644 --- a/apparmor.d/profiles-a-l/kanyremote +++ b/apparmor.d/profiles-a-l/kanyremote @@ -35,7 +35,7 @@ profile kanyremote @{exec_path} { /{usr/,}bin/{,e}grep rix, /{usr/,}bin/cut rix, /{usr/,}bin/id rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which{,.debianutils} rix, /{usr/,}bin/tr rix, /{usr/,}bin/gawk rix, /{usr/,}bin/head rix, diff --git a/apparmor.d/profiles-a-l/lsb_release b/apparmor.d/profiles-a-l/lsb_release new file mode 100644 index 000000000..d15f52f1e --- /dev/null +++ b/apparmor.d/profiles-a-l/lsb_release 
@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> lsb_release" exec transitions from
+# other profiles. We want to confine the lsb_release(1) utility when it
+# is invoked from other confined applications, but not when it is used
+# in regular (unconfined) shell scripts or run directly by the user.
+
+abi ,
+
+include
+
+# Do not attach to /{usr/,}bin/lsb_release by default
+profile lsb_release {
+ include
+ include
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/tty rw,
+
+ /usr/bin/lsb_release r,
+ /usr/bin/python3.{1,}[0-9] mr,
+
+ /etc/debian_version r,
+ /etc/default/apport r,
+ /etc/dpkg/origins/** r,
+ /etc/lsb-release r,
+ /etc/lsb-release.d/ r,
+
+ /{usr/,}bin/bash ixr,
+ /{usr/,}bin/dash ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/getopt ixr,
+ /usr/bin/sed ixr,
+ /usr/bin/tr ixr,
+
+ # TODO - many more permissions needed for this to work
+ deny /usr/bin/apt-cache x,
+
+ /usr/bin/ r,
+ /usr/include/python*/pyconfig.h r,
+ /usr/share/distro-info/** r,
+ /usr/share/dpkg/** r,
+ /usr/share/terminfo/** r,
+ /var/lib/dpkg/** r,
+
+ # file_inherit
+ deny /tmp/gtalkplugin.log w,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-z/minitube b/apparmor.d/profiles-m-z/minitube
index 5e364b98c..4f5b438b7 100644
--- a/apparmor.d/profiles-m-z/minitube
+++ b/apparmor.d/profiles-m-z/minitube
@@ -132,7 +132,7 @@ profile minitube @{exec_path} {
 /{usr/,}bin/mv rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/sed rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/xset rix,
 /{usr/,}bin/xautolock rix,
 /{usr/,}bin/dbus-send rix,
diff --git a/apparmor.d/profiles-m-z/mpv b/apparmor.d/profiles-m-z/mpv
index ae3ecb5fc..719ca9f4e 100644
--- a/apparmor.d/profiles-m-z/mpv
+++ b/apparmor.d/profiles-m-z/mpv
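Review bot: Renaming the child profile from `child-lsb_release` to `lsb_release` while other profiles still transition with `rPx -> child-lsb_release` (the `code` hunk earlier in this diff shows one such caller as unchanged context) will make that exec fail, because a `Px` to a profile name that is not loaded is denied rather than falling back. Either update every caller to `/{usr/,}bin/lsb_release rPx -> lsb_release,` in the same change or keep the old name. The new profile also drops the `signal (receive) set=(term, kill),` rule the deleted profile carried, so a parent that terminates a hung lsb_release may now be denied; add it back unless the omission is intentional, and say so in a comment if it is.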
@@ -163,7 +163,7 @@ profile mpv @{exec_path} {
 /{usr/,}bin/mv rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/sed rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/xset rix,
 /{usr/,}bin/xautolock rix,
 /{usr/,}bin/dbus-send rix,
diff --git a/apparmor.d/profiles-m-z/mumble-overlay b/apparmor.d/profiles-m-z/mumble-overlay
index 32c0f3bd8..8f23dab35 100644
--- a/apparmor.d/profiles-m-z/mumble-overlay
+++ b/apparmor.d/profiles-m-z/mumble-overlay
@@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/file rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/glxgears rPx,
diff --git a/apparmor.d/profiles-m-z/nft b/apparmor.d/profiles-m-z/nft
index efe8bc6e2..adb54561b 100644
--- a/apparmor.d/profiles-m-z/nft
+++ b/apparmor.d/profiles-m-z/nft
@@ -22,5 +22,9 @@ profile nft @{exec_path} {
 owner /etc/nftables/**.nft r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-z/openbox b/apparmor.d/profiles-m-z/openbox
index 965908d44..df7150f39 100644
--- a/apparmor.d/profiles-m-z/openbox
+++ b/apparmor.d/profiles-m-z/openbox
@@ -59,7 +59,7 @@ profile openbox @{exec_path} {
 /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 # Apps allowed to run
 /{usr/,}sbin/* rPUx,
diff --git a/apparmor.d/profiles-m-z/qbittorrent b/apparmor.d/profiles-m-z/qbittorrent
index 5cadf1dbb..82e97bf6b 100644
--- a/apparmor.d/profiles-m-z/qbittorrent
+++ b/apparmor.d/profiles-m-z/qbittorrent
@@ -88,6 +88,7 @@ profile qbittorrent @{exec_path} {
 owner /tmp/.qBittorrent/#[0-9]*[0-9] rw,
 owner /tmp/.qBittorrent/[a-zA-Z]* rwl -> /tmp/.qBittorrent/#[0-9]*[0-9],
 owner /tmp/mozilla_*/*.torrent rw,
+ owner /tmp/*.torrent rw,
 # To load/add torrents from the search engine
 owner /tmp/tmp* rw,
 owner /tmp/.*/{,s} rw,
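Review bot: `@{PROC}/1/environ r,` in the nft hunk grants the root-run nft process read access to PID 1's environment, which unlike the neighbouring osrelease and cmdline paths is ordinarily readable only by root, so the AppArmor rule is the only remaining barrier; the hunk adds no comment saying who needs it. I cannot tell from this diff which code path in nft or its libraries reads the file (the three paths together look like init-system or virtualisation probing, but that is a guess), so I would ask for the consumer to be named above the rule, e.g. `# <consumer> probes init's environment — confirm`, or for the line to be dropped if it was copied from an audit log without a reproduced functional failure. The enclosing `profile nft` block starts outside the hunk.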
diff --git a/apparmor.d/profiles-m-z/qbittorrent-nox b/apparmor.d/profiles-m-z/qbittorrent-nox
index 7a9ca8554..f0e237b06 100644
--- a/apparmor.d/profiles-m-z/qbittorrent-nox
+++ b/apparmor.d/profiles-m-z/qbittorrent-nox
@@ -66,6 +66,7 @@ profile qbittorrent-nox @{exec_path} {
 owner /tmp/.qBittorrent/#[0-9]*[0-9] rw,
 owner /tmp/.qBittorrent/[a-zA-Z]* rwl -> /tmp/.qBittorrent/#[0-9]*[0-9],
 owner /tmp/mozilla_*/*.torrent rw,
+ owner /tmp/*.torrent rw,
 owner /tmp/.*/{,s} rw,
 include if exists
diff --git a/apparmor.d/profiles-m-z/repo b/apparmor.d/profiles-m-z/repo
index 3488274bc..1d83a7a9d 100644
--- a/apparmor.d/profiles-m-z/repo
+++ b/apparmor.d/profiles-m-z/repo
@@ -21,10 +21,10 @@ profile repo @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network netlink raw,
 @{exec_path} r,
 /{usr/,}bin/python3.[0-9]* rix,
- /{usr/,}bin/python2.[0-9]* rix,
 /{usr/,}bin/ r,
 /{usr/,}bin/env rix,
@@ -37,6 +37,7 @@ profile repo @{exec_path} {
 /{usr/,}bin/curl rCx -> curl,
 /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/ssh rPx,
 # Android source dir
 owner @{ANDROID_SOURCE_DIR}/** rwkl -> @{ANDROID_SOURCE_DIR}/**,
@@ -45,12 +46,14 @@ profile repo @{exec_path} {
 owner @{HOME}/.repoconfig/{,**} rw,
 owner @{HOME}/.repo_.gitconfig.json rw,
- owner @{user_config_dirs}/git/config r,
- owner @{HOME}/.gitconfig r,
+ owner @{user_config_dirs}/git/config rw,
+ owner @{HOME}/.gitconfig rw,
+ owner @{HOME}/.gitconfig.lock rwk,
 /usr/share/git-core/{,**} r,
 owner /tmp/.git_vtag_tmp* rw,
+ owner /tmp/ssh-*/ rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
@@ -58,6 +61,9 @@ profile repo @{exec_path} {
 owner /dev/shm/* rw,
 owner /dev/shm/sem.mp* rwl -> /dev/shm/*,
+ # Silencer
+ deny /etc/.repo_gitconfig.json w,
+
 profile curl {
 include
diff --git a/apparmor.d/profiles-m-z/run-parts b/apparmor.d/profiles-m-z/run-parts
index 011fa7157..006f244b4 100644
--- a/apparmor.d/profiles-m-z/run-parts
+++ b/apparmor.d/profiles-m-z/run-parts
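Review bot: Widening `owner @{HOME}/.gitconfig` and `owner @{user_config_dirs}/git/config` from `r` to `rw` in the repo profile lets anything running under it persist command execution for the user, because keys such as `core.sshCommand`, `core.pager` or `credential.helper` in the user gitconfig are honoured by every later git invocation outside this profile. If repo genuinely has to edit that file (the added `.gitconfig.lock rwk` and the existing `.repo_.gitconfig.json` rule suggest it registers its own config there, but I am inferring that), the grant should carry a comment saying so, e.g. `# repo rewrites the user gitconfig to register its own config — confirm`, so it is not later mistaken for an over-broad audit-log copy. The added `owner /tmp/ssh-*/ rw,` covers only the directory entry; whatever is created inside it happens in the now `rPx` ssh child, whose profile is outside this diff and must allow it. The enclosing `profile repo` block starts outside the hunk.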
@@ -77,7 +77,7 @@ profile run-parts @{exec_path} {
 /{usr/,}bin/cat rix,
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/uname rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/kmod rix,
diff --git a/apparmor.d/profiles-m-z/sddm-xsession b/apparmor.d/profiles-m-z/sddm-xsession
index 63058f858..13dc21b7b 100644
--- a/apparmor.d/profiles-m-z/sddm-xsession
+++ b/apparmor.d/profiles-m-z/sddm-xsession
@@ -20,7 +20,7 @@ profile sddm-xsession @{exec_path} {
 /{usr/,}bin/touch rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/cat rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/id rix,
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/date rix,
diff --git a/apparmor.d/profiles-m-z/ucf b/apparmor.d/profiles-m-z/ucf
index 4b7efac99..1d925350a 100644
--- a/apparmor.d/profiles-m-z/ucf
+++ b/apparmor.d/profiles-m-z/ucf
@@ -20,7 +20,7 @@ profile ucf @{exec_path} flags=(complain) {
 /{usr/,}bin/mv rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/md5sum rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/getopt rix,
diff --git a/apparmor.d/profiles-m-z/update-pciids b/apparmor.d/profiles-m-z/update-pciids
index 20c0b833e..d8da46799 100644
--- a/apparmor.d/profiles-m-z/update-pciids
+++ b/apparmor.d/profiles-m-z/update-pciids
@@ -23,7 +23,7 @@ profile update-pciids @{exec_path} {
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/echo rix,
 /{usr/,}bin/cat rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/bunzip2 rix,
 /{usr/,}bin/bzip2 rix,
 /{usr/,}bin/gzip rix,
diff --git a/apparmor.d/profiles-m-z/usr.lib.libvirt.virt-aa-helper b/apparmor.d/profiles-m-z/usr.lib.libvirt.virt-aa-helper
index 144fc277b..6ee44562c 100644
--- a/apparmor.d/profiles-m-z/usr.lib.libvirt.virt-aa-helper
+++ b/apparmor.d/profiles-m-z/usr.lib.libvirt.virt-aa-helper
@@ -1,7 +1,8 @@
-include
+#include
 profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper {
- include
+ #include
+ #include
 # needed for searching directories
 capability dac_override,
@@ -19,7 +20,8 @@ profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper {
 # Used when internally running another command (namely apparmor_parser)
 @{PROC}/@{pid}/fd/ r,
- /etc/libnl-3/classid r,
+ # allow reading libnl's classid file
+ /etc/libnl{,-3}/classid r,
 # for gl enabled graphics
 /dev/dri/{,*} r,
diff --git a/apparmor.d/profiles-m-z/usr.sbin.libvirtd b/apparmor.d/profiles-m-z/usr.sbin.libvirtd
index 4188db7e5..bae57d2dc 100644
--- a/apparmor.d/profiles-m-z/usr.sbin.libvirtd
+++ b/apparmor.d/profiles-m-z/usr.sbin.libvirtd
@@ -25,6 +25,9 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
 capability fsetid,
 capability audit_write,
 capability ipc_lock,
+ capability sys_rawio,
+ capability bpf,
+ capability perfmon,
 # Needed for vfio
 capability sys_resource,
@@ -86,7 +89,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
 /usr/sbin/* PUx,
 /{usr/,}lib/udev/scsi_id PUx,
 /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
- /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/{lib,lib64,libexec}/xen/bin/* Ux,
 /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
 /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
 /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
diff --git a/apparmor.d/profiles-m-z/uupdate b/apparmor.d/profiles-m-z/uupdate
index 4c46be97f..f78736cfd 100644
--- a/apparmor.d/profiles-m-z/uupdate
+++ b/apparmor.d/profiles-m-z/uupdate
@@ -17,7 +17,7 @@ profile uupdate @{exec_path} flags=(complain) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/basename rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/tr rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/getopt rix,
diff --git a/apparmor.d/profiles-m-z/vipw-vigr b/apparmor.d/profiles-m-z/vipw-vigr
index 57aef59ce..ebb282c2b 100644
--- a/apparmor.d/profiles-m-z/vipw-vigr
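Review bot: `capability sys_rawio,`, `capability bpf,` and `capability perfmon,` are added to the libvirtd profile with no comment, unlike the neighbouring `# Needed for vfio` on sys_resource; sys_rawio in particular is a broad grant (raw port and /dev/mem style access, privileged block-device ioctls) for a daemon that already launches unconfined children through `Ux`, so each line should name its consumer, e.g. `# cgroup v2 device ACLs are enforced with BPF programs — confirm` above bpf/perfmon and the block or SCSI passthrough path that needs sys_rawio. Separately, `bpf` and `perfmon` are capability names that only recent apparmor_parser versions recognise; on an older parser the whole profile is rejected at load time and libvirtd would be left unconfined, which is worse than a single denial, so the project's minimum supported AppArmor version should be confirmed or the two lines made conditional. I am inferring the consumers from libvirt's known behaviour, not from anything in this diff; the enclosing `profile libvirtd` block starts outside the hunk.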
+++ b/apparmor.d/profiles-m-z/vipw-vigr
@@ -46,7 +46,7 @@ profile vipw-vigr @{exec_path} {
 /{usr/,}bin/sensible-editor mr,
 /{usr/,}bin/vim.* mrix,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 owner @{HOME}/.selected_editor r,
diff --git a/apparmor.d/profiles-m-z/warzone2100 b/apparmor.d/profiles-m-z/warzone2100
index 6571404eb..0ac5b1d78 100644
--- a/apparmor.d/profiles-m-z/warzone2100
+++ b/apparmor.d/profiles-m-z/warzone2100
@@ -29,7 +29,7 @@ profile warzone2100 @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 owner @{user_share_dirs}/warzone2100-*/ rw,
 owner @{user_share_dirs}/warzone2100-*/** rw,
diff --git a/apparmor.d/profiles-m-z/x11-xsession b/apparmor.d/profiles-m-z/x11-xsession
index 07a1bee7d..5b483ec1b 100644
--- a/apparmor.d/profiles-m-z/x11-xsession
+++ b/apparmor.d/profiles-m-z/x11-xsession
@@ -18,7 +18,7 @@ profile x11-xsession @{exec_path} {
 /{usr/,}bin/touch rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/cat rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/id rix,
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/date rix,
diff --git a/apparmor.d/profiles-m-z/xdg-mime b/apparmor.d/profiles-m-z/xdg-mime
index f35eb2160..405442a12 100644
--- a/apparmor.d/profiles-m-z/xdg-mime
+++ b/apparmor.d/profiles-m-z/xdg-mime
@@ -18,7 +18,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/cut rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/mv rix,
 /{usr/,}bin/head rix,
diff --git a/apparmor.d/profiles-m-z/xdg-open b/apparmor.d/profiles-m-z/xdg-open
index fedcf6b9d..89c8b403e 100644
--- a/apparmor.d/profiles-m-z/xdg-open
+++ b/apparmor.d/profiles-m-z/xdg-open
@@ -18,7 +18,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/cut rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/uname rix,
diff --git a/apparmor.d/profiles-m-z/xdg-screensaver b/apparmor.d/profiles-m-z/xdg-screensaver
index 708390c62..8e7786a9c 100644
--- a/apparmor.d/profiles-m-z/xdg-screensaver
+++ b/apparmor.d/profiles-m-z/xdg-screensaver
@@ -20,7 +20,7 @@ profile xdg-screensaver @{exec_path} {
 /{usr/,}bin/mv rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/sed rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/uname rix,
diff --git a/apparmor.d/profiles-m-z/xdg-settings b/apparmor.d/profiles-m-z/xdg-settings
index 6841c9903..2ff7fb808 100644
--- a/apparmor.d/profiles-m-z/xdg-settings
+++ b/apparmor.d/profiles-m-z/xdg-settings
@@ -22,7 +22,7 @@ profile xdg-settings @{exec_path} {
 /{usr/,}bin/cat rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/sort rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/uname rix,
diff --git a/apparmor.d/profiles-m-z/xinit b/apparmor.d/profiles-m-z/xinit
index 98af981ff..2d841bcfb 100644
--- a/apparmor.d/profiles-m-z/xinit
+++ b/apparmor.d/profiles-m-z/xinit
@@ -27,9 +27,10 @@ profile xinit @{exec_path} {
 /{usr/,}bin/touch rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/sed rix,
- /{usr/,}bin/which rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/tempfile rix,
+ /{usr/,}bin/mktemp rix,
 /{usr/,}bin/date rix,
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/head rix,
@@ -56,6 +57,7 @@ profile xinit @{exec_path} {
 /{usr/,}bin/ssh-agent rPx,
 owner /tmp/file* rw,
+ owner /tmp/tmp.* rw,
 /{usr/,}bin/X rPx,
 /{usr/,}bin/Xorg rPx,