From 2cd06e74d6a14e36ee0dee23698e526bb775f951 Mon Sep 17 00:00:00 2001 From: Mikhail Morfikov Date: Tue, 13 Oct 2020 16:47:49 +0200 Subject: [PATCH] update apparmor profiles --- apparmor.d/abstractions/gtk | 6 +- apparmor.d/borg | 99 ++++++++++++++++++++++++++++++ apparmor.d/cron | 1 + apparmor.d/exo-compose-mail | 30 +++++++++ apparmor.d/firefox | 7 ++- apparmor.d/freetube | 32 +++++----- apparmor.d/freetube-chrome-sandbox | 11 ++-- apparmor.d/fusermount | 4 ++ apparmor.d/geany | 2 + apparmor.d/kconfig-hardened-check | 30 +++++++++ apparmor.d/pavucontrol | 1 + apparmor.d/thunderbird | 3 +- apparmor.d/update-pciids | 8 +-- apparmor.d/xinit | 1 + 14 files changed, 206 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/borg create mode 100644 apparmor.d/exo-compose-mail create mode 100644 apparmor.d/kconfig-hardened-check diff --git a/apparmor.d/abstractions/gtk b/apparmor.d/abstractions/gtk index f27f710d1..537096677 100644 --- a/apparmor.d/abstractions/gtk +++ b/apparmor.d/abstractions/gtk @@ -15,7 +15,9 @@ /usr/share/gtk-3.0/settings.ini r, + /etc/gtk-2.0/ r, /etc/gtk-2.0/gtkrc r, + /etc/gtk-3.0/ r, /etc/gtk-3.0/*.conf r, /etc/gtk/gtkrc r, @@ -26,13 +28,13 @@ owner @{HOME}/.gtk-bookmarks r, owner @{HOME}/.config/gtkrc r, owner @{HOME}/.config/gtkrc-2.0 r, - owner @{HOME}/.config/gtk-3.0/ w, + owner @{HOME}/.config/gtk-3.0/ rw, owner @{HOME}/.config/gtk-3.0/settings.ini r, owner @{HOME}/.config/gtk-3.0/bookmarks r, owner @{HOME}/.config/gtk-3.0/gtk.css r, # for gtk file dialog - owner @{HOME}/.config/gtk-2.0/ w, + owner @{HOME}/.config/gtk-2.0/ rw, owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw, # .Xauthority file required for X connections diff --git a/apparmor.d/borg b/apparmor.d/borg new file mode 100644 index 000000000..4ceac9981 --- /dev/null +++ b/apparmor.d/borg 
@@ -0,0 +1,99 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi ,
+
+#include
+
+@{BACKUP_DIR} = /media/Arti/backup-*
+
+@{exec_path} = /{usr/,}bin/borg
+profile borg @{exec_path} {
+ #include
+ #include
+
+ # For reading files of other users as root
+ capability dac_read_search,
+
+ # Needed to mount backup files
+ capability sys_admin,
+
+ #
+ capability fowner,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/bin/uname rix,
+ /usr/sbin/ldconfig rix,
+ /{usr/,}bin/{,@{multiarch}-}ld.bfd rix,
+
+ /{usr/,}bin/ccache rCx -> ccache,
+
+ /usr/bin/fusermount{,3} rPx,
+
+ mount fstype=fuse -> /media/*/,
+ umount /media/*/,
+
+ /dev/fuse rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/borg/ rw,
+ owner @{HOME}/.cache/borg/** rw,
+
+ owner @{HOME}/.config/borg/ rw,
+ owner @{HOME}/.config/borg/** rw,
+
+ # If /tmp/ isn't accessible, then /var/tmp/ is used.
+ owner /tmp/* rw,
+ owner /tmp/tmp*/ rw,
+ owner /tmp/tmp*/idx rw,
+ owner /var/tmp/* rw,
+ owner /var/tmp/tmp*/ rw,
+ owner /var/tmp/tmp*/idx rw,
+
+ # Dirs that can be backed up
+ / r,
+ /boot/{,**} r,
+ /efi/{,**} r,
+ /etc/{,**} r,
+ /home/{,**} r,
+ /media/{,**} r,
+ /mnt/{,**} r,
+ /opt/{,**} r,
+ /root/{,**} r,
+ /srv/{,**} r,
+ /usr/{,**} r,
+ /var/{,**} r,
+
+ # The backup dirs
+ owner @{BACKUP_DIR}/ r,
+ owner @{BACKUP_DIR}/** rwkl -> @{BACKUP_DIR}/**,
+
+ # For exporting the key
+ owner /**/key w,
+
+
+ profile ccache {
+ #include
+
+ /{usr/,}bin/ccache mr,
+
+ /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
+
+ /media/ccache/*/** rw,
+
+ }
+
+ #include if exists
+}
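Review bot: `owner /**/key w,` under "For exporting the key" permits writing any file named `key` anywhere on the filesystem, and since this profile is meant to run borg as root (`capability dac_read_search` is justified with "as root"), the `owner` qualifier matches every root-owned path, so the rule is effectively unrestricted. Pin it to where the key is actually exported, e.g. `owner @{BACKUP_DIR}/**/key w,` (or `owner @{HOME}/**/key w,`), and widen only if the audit log shows another location. The profile carries both a direct `mount fstype=fuse -> /media/*/` rule and an `rPx` transition to the fusermount profile, which has its own mount rules; only one of these paths is taken at runtime, so whichever the log does not show can be dropped, and if it is the fusermount path then `capability sys_admin` — the broadest capability a profile can grant — can go with it. `capability fowner` sits under an empty `#` comment; state why a backup tool needs it, or remove it if the log does not require it.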
diff --git a/apparmor.d/cron b/apparmor.d/cron index 8ad7acbe3..4eee46147 100644 --- a/apparmor.d/cron +++ b/apparmor.d/cron @@ -51,6 +51,7 @@ profile cron @{exec_path} { /usr/share/rsync/scripts/rrsync rPUx, /{usr/,}bin/gpg rPx, /{usr/,}sbin/update-pciids rPx, + /{usr/,}bin/borg rPx, # Cron scripts in the /etc/cron.*/ dir to execute /{usr/,}bin/run-parts rCx -> run-parts, diff --git a/apparmor.d/exo-compose-mail b/apparmor.d/exo-compose-mail new file mode 100644 index 000000000..fe3e96f09 --- /dev/null +++ b/apparmor.d/exo-compose-mail @@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /usr/share/xfce4/exo/exo-compose-mail +profile exo-compose-mail @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/perl r, + + # Mail clients + /usr/bin/thunderbird rPx, + /{usr/,}lib/thunderbird/thunderbird rPx, + /{usr/,}lib/thunderbird/thunderbird-bin rPx, + + #include if exists +} diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 3c5db6e51..7e9c8bcb8 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -111,10 +111,10 @@ profile firefox @{exec_path} { deny owner @{PROC}/@{pid}/statm r, deny owner @{PROC}/@{pid}/smaps r, # Link Monitor (since 49.0.1) - deny @{PROC}/@{pid}/net/arp r, - deny @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/route r, # - deny @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/if_inet6 r, /etc/mime.types r, /etc/mailcap r, 
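Review bot: Flipping `@{PROC}/@{pid}/net/arp`, `net/route` and `net/if_inet6` from `deny` to allow hands the host's ARP cache, routing table and IPv6 interface list to the Firefox process, and `/proc/<pid>/net/` is per network namespace rather than per process, so the `@{pid}` component gives no scoping here. If the Link Monitor genuinely needs these for network-change detection the change is acceptable, but the lines were explicitly denied before and the commit message ("update apparmor profiles") does not say what changed, so record the reason in the comment, e.g. `# Link Monitor (since 49.0.1): reads route/arp for network-change detection; previously denied, re-check if the log stays quiet with deny`. The bare `#` above `net/if_inet6` should likewise say what reads it.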
@@ -204,6 +204,7 @@ profile firefox @{exec_path} { /{usr/,}bin/telegram-desktop rPx, /{usr/,}bin/spacefm rPx, /{usr/,}bin/qpdfview rPx, + /{usr/,}share/xfce4/exo/exo-compose-mail rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/freetube b/apparmor.d/freetube index b702127bf..3c5415caa 100644 --- a/apparmor.d/freetube +++ b/apparmor.d/freetube @@ -13,9 +13,12 @@ #include -@{FT_LIBDIR} = /{usr/,}lib/freetube /opt/FreeTube +@{FT_LIBDIR} = /{usr/,}lib/freetube +@{FT_LIBDIR} += /{usr/,}lib/freetube-vue +@{FT_LIBDIR} += /opt/FreeTube +@{FT_LIBDIR} += /opt/FreeTube-Vue -@{exec_path} = @{FT_LIBDIR}/freetube +@{exec_path} = @{FT_LIBDIR}/freetube{,-vue} profile freetube @{exec_path} { #include #include @@ -40,10 +43,6 @@ profile freetube @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - # Needed? - #deny capability sys_ptrace, - #ptrace (read) peer=xdg-open, - @{exec_path} mrix, @{FT_LIBDIR}/ r, @@ -72,23 +71,26 @@ profile freetube @{exec_path} { # freetube[56499b8a8000+531e000] @{PROC}/ r, owner @{PROC}/@{pid}/fd/ r, + # @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/task/ r, deny owner @{PROC}/@{pids}/task/@{tid}/status r, + # @{PROC}/@{pids}/task/@{tid}/status r, deny @{PROC}/@{pids}/stat r, + deny owner @{PROC}/@{pids}/statm r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pids}/oom_{,score_}adj r, + deny owner @{PROC}/@{pids}/oom_{,score_}adj w, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/yama/ptrace_scope r, deny @{PROC}/vmstat r, @{PROC}/sys/fs/inotify/max_user_watches r, - - # The following are needed for View -> Developer Tools - @{PROC}/@{pid}/fd/ r, - deny @{PROC}/@{pids}/task/@{tid}/status r, - /etc/fstab r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{HOME}/.local/share r, + deny @{sys}/devices/virtual/tty/tty0/active r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, # To remove the following error: 
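Review bot: `owner @{HOME}/.local/share r,` in the `@@ -72,23 +71,26 @@` hunk has no trailing slash, so it matches only the bare path (e.g. a stat) and not the directory listing that AppArmor logs as `.../.local/share/`; every other directory rule in this series uses the slash form (`owner @{HOME}/.cache/ rw,`, `owner @{HOME}/.config/ r,`). If the denial being silenced was an opendir this should be `owner @{HOME}/.local/share/ r,`; if it really was a plain stat, a short comment saying so would stop the next reader from "fixing" it. The new `deny` lines for `statm` and `cmdline` and the allow-read/deny-write split on `oom_{,score_}adj` are left unexplained, unlike the `deny` entries above them that carry a reason; a one-liner such as `# Chromium probes these; writes to oom_score_adj are refused on purpose` would do.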
@@ -104,12 +106,12 @@ profile freetube @{exec_path} { /etc/machine-id r, # no new privs - /{usr/,}bin/xdg-settings rPUx, + /{usr/,}bin/xdg-settings rPx, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rCx -> open, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + /{usr/,}lib/firefox/firefox rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -122,7 +124,7 @@ profile freetube @{exec_path} { /{usr/,}bin/xdg-open mr, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + /{usr/,}lib/firefox/firefox rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/freetube-chrome-sandbox b/apparmor.d/freetube-chrome-sandbox index 288e78301..eefd5fdbc 100644 --- a/apparmor.d/freetube-chrome-sandbox +++ b/apparmor.d/freetube-chrome-sandbox @@ -13,7 +13,10 @@ #include -@{FT_LIBDIR} = /{usr/,}lib/freetube /opt/FreeTube +@{FT_LIBDIR} = /{usr/,}lib/freetube +@{FT_LIBDIR} += /{usr/,}lib/freetube-vue +@{FT_LIBDIR} += /opt/FreeTube +@{FT_LIBDIR} += /opt/FreeTube-Vue @{exec_path} = @{FT_LIBDIR}/chrome-sandbox profile freetube-chrome-sandbox @{exec_path} { @@ -29,11 +32,11 @@ profile freetube-chrome-sandbox @{exec_path} { @{exec_path} mr, # Has to be lower "P" - @{FT_LIBDIR}/freetube rpx, + @{FT_LIBDIR}/freetube{,-vue} rpx, - # The following is needed for View -> Developer Tools @{PROC}/@{pids}/ r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/oom_{,score_}adj r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj w, #include if exists } diff --git a/apparmor.d/fusermount b/apparmor.d/fusermount index 07c08fd3d..79aafa25a 100644 --- a/apparmor.d/fusermount +++ b/apparmor.d/fusermount 
@@ -37,11 +37,15 @@ profile fusermount @{exec_path} { mount fstype={fuse,fuse.*} -> /home/*/*/, mount fstype={fuse,fuse.*} -> /home/*/*/*/, mount fstype={fuse,fuse.*} -> /home/*/.cache/**/, + mount fstype={fuse,fuse.*} -> /media/*/, + # For MTP + mount -> /, # Be able to unmount the ISO images umount /home/*/*/, umount /home/*/*/*/, umount /home/*/.cache/**/, + umount /media/*/, # Image files to be mounted owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, diff --git a/apparmor.d/geany b/apparmor.d/geany index 545a8d4b7..ccc461c4f 100644 --- a/apparmor.d/geany +++ b/apparmor.d/geany @@ -46,6 +46,8 @@ profile geany @{exec_path} { deny /{usr/,}bin/dbus-send rx, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /usr/share/geany/{,**} r, diff --git a/apparmor.d/kconfig-hardened-check b/apparmor.d/kconfig-hardened-check new file mode 100644 index 000000000..72e661e9f --- /dev/null +++ b/apparmor.d/kconfig-hardened-check @@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#abi , + +#include + +@{exec_path} = /{usr/,}bin/kconfig-hardened-check +profile kconfig-hardened-check @{exec_path} { + #include + #include + + @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, + + /{usr/,}bin/ r, + + /boot/config-* r, + @{PROC}/config.gz r, + + #include if exists +} diff --git a/apparmor.d/pavucontrol b/apparmor.d/pavucontrol index 10433e09b..9ef1f82cc 100644 --- a/apparmor.d/pavucontrol +++ b/apparmor.d/pavucontrol 
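Review bot: `mount -> /,` (`# For MTP`) is unconstrained by fstype, source or options, so the setuid fusermount helper may now mount anything over the root directory, while every neighbouring rule is `fstype={fuse,fuse.*}` with a concrete mountpoint. At minimum narrow it to `mount fstype={fuse,fuse.*} -> /,`, and check whether the `/` target seen in the audit log is the real MTP mountpoint or an artifact — if the MTP filesystem actually lands under `/media/*/` or the home directory, the `mount fstype={fuse,fuse.*} -> /media/*/,` rule added just above may already be the one that matters. There is also no matching `umount /,`, so if the mount on `/` is genuine, unmounting it will be denied.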
@@ -29,6 +29,7 @@ profile pavucontrol @{exec_path} { /usr/share/pavucontrol/pavucontrol.glade r, # Pavucontrol config files + owner @{HOME}/.config/ r, owner @{HOME}/.config/pavucontrol.ini* rw, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird index 195bac27b..7584e8fe4 100644 --- a/apparmor.d/thunderbird +++ b/apparmor.d/thunderbird @@ -20,7 +20,8 @@ @{MOZ_HOMEDIR} = @{HOME}/.thunderbird @{MOZ_CACHEDIR} = @{HOME}/.cache/thunderbird -@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin} /{usr/,}bin/thunderbird +@{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin} +@{exec_path} += /{usr/,}bin/thunderbird profile thunderbird @{exec_path} { #include #include diff --git a/apparmor.d/update-pciids b/apparmor.d/update-pciids index 65f0898f0..d2669395c 100644 --- a/apparmor.d/update-pciids +++ b/apparmor.d/update-pciids @@ -19,7 +19,7 @@ profile update-pciids @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/dash rix, /{usr/,}bin/touch rix, /{usr/,}bin/rm rix, @@ -37,9 +37,9 @@ profile update-pciids @{exec_path} { /{usr/,}bin/ln rix, /{usr/,}bin/zgrep rix, - /{usr/,}bin/wget rCx -> browse, - /{usr/,}bin/curl rCx -> browse, - /{usr/,}bin/lynx rCx -> browse, + /{usr/,}bin/wget rCx -> browse, + /{usr/,}bin/curl rCx -> browse, + /{usr/,}bin/lynx rCx -> browse, /usr/share/misc/ r, /usr/share/misc/* rwl -> /usr/share/misc/*, diff --git a/apparmor.d/xinit b/apparmor.d/xinit index 4f63caeb8..850607328 100644 --- a/apparmor.d/xinit +++ b/apparmor.d/xinit @@ -41,6 +41,7 @@ profile xinit @{exec_path} { /{usr/,}bin/head rix, /{usr/,}bin/gawk rix, /{usr/,}bin/id rix, + /{usr/,}bin/tail rix, /{usr/,}bin/dbus-update-activation-environment rix,