From 1db2c01117fb49ba8ce5af193baec21f6b4d14cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 10 Jul 2024 12:48:15 +0100 Subject: [PATCH 01/15] feat(tunable): add kde-open to open_path. --- apparmor.d/tunables/multiarch.d/paths | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 3fb6ce44d..69ca70ef7 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -31,7 +31,7 @@ @{emails_path} = @{thunderbird_path} @{bin}/@{emails_names} # Open -@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio +@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open @{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop @{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop From 872b8fc30ad7525e1bc3141a5955716d1cd17316 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Jul 2024 14:29:43 +0100 Subject: [PATCH 02/15] fix(profile): strawberry & nemo. see #407 --- apparmor.d/profiles-m-r/nemo | 1 + apparmor.d/profiles-s-z/strawberry | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index f28d053cd..4021836ec 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/nemo profile nemo @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 2d72bc83c..db48ee100 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/strawberry -profile strawberry @{exec_path} { +profile strawberry @{exec_path} flags=(attach_disconnected) { include include include From d864f5c97542952945357ae1915240e8a40f0d7c Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 12 Jul 2024 20:08:58 +0100 Subject: [PATCH 03/15] feat(profile): improve general integration See #407 --- apparmor.d/groups/freedesktop/xdg-user-dir | 5 +++-- apparmor.d/groups/freedesktop/xhost | 2 +- .../groups/systemd/systemd-generator-fstab | 1 + .../systemd/systemd-generator-user-autostart | 2 ++ apparmor.d/groups/systemd/systemd-machined | 3 +++ apparmor.d/profiles-a-f/dunst | 3 +++ apparmor.d/profiles-g-l/id | 2 +- apparmor.d/profiles-g-l/lspci | 1 + apparmor.d/profiles-m-r/nemo | 18 +++++++++++++++++- apparmor.d/profiles-m-r/pkexec | 11 ++++------- apparmor.d/profiles-m-r/run-parts | 13 ++++++++++--- apparmor.d/profiles-s-z/strawberry | 3 ++- apparmor.d/profiles-s-z/virt-manager | 4 ++++ dists/flags/main.flags | 1 + 14 files changed, 53 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index fa52d6f52..47184420b 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir +++ b/apparmor.d/groups/freedesktop/xdg-user-dir @@ -9,11 +9,12 @@ include @{exec_path} = @{bin}/xdg-user-dir profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/env rix, + @{sh_path} rix, + @{bin}/env rix, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index 467a92e03..26b1bc598 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xhost -profile xhost @{exec_path} { +profile xhost @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab index 075c5c6af..a15100300 100644 --- a/apparmor.d/groups/systemd/systemd-generator-fstab +++ b/apparmor.d/groups/systemd/systemd-generator-fstab 
@@ -13,6 +13,7 @@ profile systemd-generator-fstab @{exec_path} { capability dac_override, capability dac_read_search, + capability mknod, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart index 95dab2026..8ca09d56b 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart @@ -16,6 +16,8 @@ profile systemd-generator-user-autostart @{exec_path} { @{exec_path} mr, + @{system_share_dirs}/applications/*.desktop r, + @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 512fdde82..cb0eab79b 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -49,6 +49,9 @@ profile systemd-machined @{exec_path} { @{PROC}/pressure/io r, @{PROC}/pressure/memory r, + /dev/ptmx rw, + /dev/pts/@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index 8fb895029..220652247 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -17,10 +17,13 @@ profile dunst @{exec_path} { @{exec_path} mr, /etc/xdg/dunst/dunstrc r, + owner @{user_config_dirs}/dunst/dunstrc r, owner @{HOME}/.Xauthority r, + owner /dev/shm/dunst-@{rand6} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id index 061313d42..6ba6001b6 100644 --- a/apparmor.d/profiles-g-l/id +++ b/apparmor.d/profiles-g-l/id @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/id -profile id @{exec_path} { +profile id @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 0d6936d22..656597c1c 100644 --- a/apparmor.d/profiles-g-l/lspci 
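Review bot: The new `capability mknod,` in the systemd-generator-fstab hunk grants the ability to create device nodes without a comment saying which operation needs it, and the same bare grant is added to run-parts later in this patch. If the line was taken from an audit log, it is worth checking what the generator actually tried to create, since a denial of a non-essential operation is usually better silenced with `deny capability mknod,` than satisfied with the capability. Suggest a why-comment next to the rule, e.g. `# needed for <operation from audit log — TODO confirm>`, so the grant can be re-evaluated later. The enclosing profile block starts and ends outside the hunk.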
+++ b/apparmor.d/profiles-g-l/lspci @@ -37,6 +37,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/** r, @{sys}/module/compression r, + @{PROC}/bus/pci/devices r, @{PROC}/cmdline r, @{PROC}/ioports r, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index 4021836ec..a51854414 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -11,15 +11,31 @@ include profile nemo @{exec_path} { include include + include include include + include network inet stream, network inet6 stream, @{exec_path} mr, -# @{lib}/@{multiarch}/nemo/** mrix, + /usr/share/nemo/** r, + + # Full access to user's data + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + owner @{HOME}/{,**} rw, + owner @{run}/user/@{uid}/{,**} rw, + owner @{tmp}/{,**} rw, + + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 923d955af..49c762df9 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -35,13 +35,10 @@ profile pkexec @{exec_path} { @{exec_path} mr, - # Apps to be run via pkexec - @{bin}/* rPUx, - @{lib}/{,gvfs/}gvfsd-admin rPx, - @{lib}/cc-remote-login-helper rPx, - @{lib}/update-notifier/package-system-locked rPx, - /usr/share/apport/apport-gtk rPx, - #aa:exec polkit-agent-helper + @{bin}/* PUx, + @{lib}/** PUx, + /opt/*/** PUx, + /usr/share/** PUx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 18c70b240..f166e0fd0 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -14,7 +14,9 @@ profile run-parts @{exec_path} { include include - @{exec_path} mr, + capability mknod, + + @{exec_path} mrix, @{sh_path} rix, @{bin}/anacron rix, 
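Review bot: In the nemo hunk the rule `@{MOUNTS}/** rw,` under `# Full access to user's data` is the only rule of that group without `owner`, so it also grants read/write on other users' files on mounted volumes, unlike the `@{HOME}`, `@{run}/user/@{uid}` and `@{tmp}` rules beside it. If non-owner access is intended (removable media carrying foreign uids is a common reason), a one-line comment saying so would stop the next reader from tightening it; otherwise `owner @{MOUNTS}/** rw,` matches the rest of the group. The profile block continues outside the hunk.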
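Review bot: The pkexec hunk replaces an explicit list of `rPx` transitions with `@{bin}/* PUx`, `@{lib}/** PUx`, `/opt/*/** PUx` and `/usr/share/** PUx`; because pkexec executes its target as root, the `U` fallback means any program under those paths that has no profile of its own now runs unconfined with root privileges, where the old `Px` rules would have refused the transition. The helpers previously named (`gvfsd-admin`, `cc-remote-login-helper`, `package-system-locked`, `apport-gtk`) were given `rPx`, i.e. a dedicated profile was expected for them, so keeping those lines as explicit `rPx` entries above the wildcards preserves the fail-closed behaviour for the known cases. The removed `#aa:exec polkit-agent-helper` directive is not replaced by an explicit rule either; if it is now meant to be covered by `@{lib}/** PUx`, a comment stating that and the reason for the broad fallback would document the trade-off. The profile block continues outside the hunk.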
@@ -29,6 +31,7 @@ profile run-parts @{exec_path} { /etc/ r, /etc/anacrontab r, /etc/conf.d/snapper{,**} r, + /etc/default/* r, /etc/snapper/configs/root r, # Crontab @@ -134,10 +137,14 @@ profile run-parts @{exec_path} { /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /root/ r, + + /var/spool/anacron/cron.daily k, + owner @{tmp}/#@{int} rw, - owner @{tmp}/$anacron* rw, + owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - + owner @{sys}/class/power_supply/ r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index db48ee100..484a4069d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -8,10 +8,11 @@ abi , include @{exec_path} = @{bin}/strawberry -profile strawberry @{exec_path} flags=(attach_disconnected) { +profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9fa13e500..c1bd7fbde 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -84,8 +84,12 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/virtual/drm/ttm/uevent r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bff50ba9b..06eae76b7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
@@ -306,6 +306,7 @@ steam-launch attach_disconnected,complain steam-launcher attach_disconnected,complain steam-runtime attach_disconnected,complain steamerrorreporter attach_disconnected,complain +strawberry attach_disconnected,mediate_deleted,complain sulogin complain switcherooctl complain swtpm complain From bd1239b46a006d3cb227fc6fffcf95cf684e1ea2 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 12 Jul 2024 20:11:32 +0100 Subject: [PATCH 04/15] add profiles for cmus and ouch (#408) * add profiles for cmus and ouch * minor corrections --- apparmor.d/profiles-a-f/cmus | 31 +++++++++++++++++++++++++++++++ apparmor.d/profiles-m-r/ouch | 26 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cmus create mode 100644 apparmor.d/profiles-m-r/ouch diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus new file mode 100644 index 000000000..b667d81f0 --- /dev/null +++ b/apparmor.d/profiles-a-f/cmus @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cmus +profile cmus @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/cmus/{,**} r, + /usr/share/terminfo/{,**} r, + + /etc/machine-id r, + + owner @{user_music_dirs}/{,**} r, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/cmus/{,**} rw, + + owner @{run}/user/@{uid}/cmus-socket w, + + /dev/shm/ r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch new file mode 100644 index 000000000..efd796d19 --- /dev/null +++ b/apparmor.d/profiles-m-r/ouch 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ouch +profile ouch @{exec_path} { + include + include + include + + @{exec_path} mr, + + owner @{HOME}/.tmp@{rand6}/{,**} rw, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + + include if exists +} From 9c9f743e1ea6747e12dd52ef1cbe5325e9ad3279 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Jul 2024 12:12:30 +0100 Subject: [PATCH 05/15] fix: variour small fixes. See #409 --- apparmor.d/groups/bus/ibus-daemon | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++++ apparmor.d/groups/gnome/gio-launch-desktop | 5 +++++ apparmor.d/groups/gnome/gsd-color | 2 ++ apparmor.d/groups/gnome/gsd-keyboard | 2 ++ apparmor.d/groups/gnome/gsd-power | 1 + apparmor.d/groups/gnome/gsd-smartcard | 10 +++++++--- apparmor.d/groups/systemd/systemd-sleep-tlp | 1 + apparmor.d/profiles-s-z/usbguard-daemon | 2 +- dists/flags/main.flags | 1 + 10 files changed, 26 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index b072bcae9..52707ff63 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -42,6 +42,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib}/{,ibus/}ibus-* rPUx, + @{lib}/ibus-*/ibus-* rPUx, /usr/share/ibus/{,**} r, /usr/share/ibus-table/{,**} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 65420a2ee..59ef5a734 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
@@ -84,6 +84,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/{,*/*} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/ r, @{PROC}/*/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 19b33d743..8e6d80f9e 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -3,6 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: Rethink this profile: +# - Access to gio from a profile is handled by child-open-* +# - Direct access should only be needed is some special context and it should not +# require access to that much resources. + abi , include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 5c43cddf4..8d77f6cb2 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -21,6 +21,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include + network inet stream, + signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index c87d6c9be..d621a43ae 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -21,6 +21,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include + network inet stream, + signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 096839994..2c21bc4fd 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power 
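Review bot: `network inet stream,` is added to gsd-color here, identically to gsd-keyboard in the next hunk and to gsd-power on the following line, with no comment on what these settings-daemon plugins connect to. A socket grant widens the egress available to a compromised plugin, so it deserves a one-line justification naming the service reached, and if that traffic can be IPv6 the matching `network inet6 stream,` will simply be the next denial. Suggest `# <reason> — TODO confirm` above each line, or a shared abstraction if all three need it for the same reason. The profile blocks start and end outside the hunks.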
@@ -30,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + network inet stream, network netlink raw, signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index c72c9a8eb..b0ff24b58 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -31,13 +31,17 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/{,opensc/}opensc.conf r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, + /etc/tpm2-tss/* r, /var/tmp/ r, /tmp/ r, + owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, + owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_config_dirs}/dconf/user r, + + owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 1e7d3fe34..03fb69356 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp @@ -12,6 +12,7 @@ profile systemd-sleep-tlp @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/tlp rPUx, include if exists diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon index d6c05f782..674da7ad4 100644 --- a/apparmor.d/profiles-s-z/usbguard-daemon +++ b/apparmor.d/profiles-s-z/usbguard-daemon @@ -24,8 +24,8 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/usbguard/{,**} r, /etc/usbguard/*.conf rw, - /etc/usbguard/IPCAccessControl.d/{,*} r, owner @{run}/usbguard.pid rwk, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 06eae76b7..53631aaeb 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
@@ -353,6 +353,7 @@ systemd-portabled complain systemd-remount-fs complain systemd-resolve complain systemd-shutdown complain +systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain systemd-user-sessions complain From a270b7c6d4e379efe849cdedd06032d8069affc3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Jul 2024 12:13:16 +0100 Subject: [PATCH 06/15] fix(tunable): username can have uppercase letter. See #409 --- apparmor.d/tunables/multiarch.d/system | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d219c1d4d..f2e7c2563 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -55,8 +55,8 @@ @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} # Username & group valid characters -@{u}=[a-z0-9_] -@{user}=[a-z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},} +@{u}=[a-zA-Z0-9_] +@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},} @{group}=@{user} # Shortcut for PCI device From 68da315ac23f03e98a4129b81a192e7b9b89844d Mon Sep 17 00:00:00 2001 
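Review bot: `@{u}=[a-zA-Z0-9_]` and the leading `[a-zA-Z_]` of `@{user}` now accept uppercase, but the class still omits `-` and `.`, which the `useradd`/`adduser` name checks on common distributions typically accept after the first character, so rules built on `@{user}` (and `@{group}=@{user}` on the unchanged line below) keep failing for such accounts. If the narrower class is deliberate, a comment next to `# Username & group valid characters` saying which characters are excluded and why would prevent the next bug report; otherwise `@{u}=[a-zA-Z0-9_.-]` is the minimal widening. The tunable block continues outside the hunk.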
From: Alexandre Pujol Date: Sun, 14 Jul 2024 12:34:12 +0100 Subject: [PATCH 07/15] fix(profile): minor fixes. see #410 --- apparmor.d/groups/gpg/gpg | 6 +++--- apparmor.d/profiles-a-f/btrfs | 1 + apparmor.d/profiles-a-f/dunstify | 2 ++ apparmor.d/profiles-m-r/run-parts | 2 +- apparmor.d/profiles-s-z/wmctrl | 1 + apparmor.d/profiles-s-z/xsel | 4 +--- dists/ignore/main.ignore | 1 + 7 files changed, 10 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index c108215fa..9d23622d2 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -44,9 +44,9 @@ profile gpg @{exec_path} { owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, #aa:only pacman - owner /etc/pacman.d/gnupg/gpg.conf r, - owner /etc/pacman.d/gnupg/pubring.gpg r, - owner /etc/pacman.d/gnupg/trustdb.gpg r, + /etc/pacman.d/gnupg/gpg.conf r, + /etc/pacman.d/gnupg/pubring.gpg r, + /etc/pacman.d/gnupg/trustdb.gpg r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index f056d12ca..45e50da9c 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -25,6 +25,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /boot/ r, + /home/ r, /.snapshots/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index 3a8f16c2f..42a8be4ad 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify @@ -13,6 +13,8 @@ profile dunstify @{exec_path} { @{exec_path} mr, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index f166e0fd0..b37172246 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts 
@@ -45,7 +45,6 @@ profile run-parts @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, @@ -58,6 +57,7 @@ profile run-parts @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, + /etc/cron.{hourly,daily,weekly,monthly}/snapper rPUx, /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index 8d99da352..47a17669d 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/wmctrl profile wmctrl @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 949aa19f7..5f97c83f3 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -11,6 +11,7 @@ include profile xsel @{exec_path} { include include + include @{exec_path} mr, @@ -18,9 +19,6 @@ profile xsel @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/xsel.log rw, - owner @{HOME}/.Xauthority r, - owner @{tmp}/xauth-@{int}-_[0-9] r, - # file_inherit owner /dev/tty@{int} rw, owner @{HOME}/.xsession-errors w, diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 0e89a76c5..fe61aaf2f 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -14,6 +14,7 @@ code-wrapper man # Work in progress profiles +dunst plasma-discover steam steam-fossilize 
From 85ccc46e44b7903cc9dd46edd5dc97e84884a8db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Jul 2024 18:08:45 +0100 Subject: [PATCH 08/15] feat(profile): cleanup mount dir access. see #412 --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/freedesktop/xdg-document-portal | 8 +++++--- apparmor.d/profiles-s-z/totem | 5 +++++ apparmor.d/profiles-s-z/vlc | 3 +++ 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index fecaa51b7..89135381c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -72,6 +72,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, owner @{HOME}/*/{,**} rw, + owner @{MOUNTS}/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 86633e72f..2735c8633 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -42,7 +42,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { / r, owner /.flatpak-info r, - owner @{HOME}/** r, + owner @{HOME}/ r, + owner @{HOME}/*/{,**} rw, + owner @{MOUNTS}/ r, owner @{user_share_dirs}/flatpak/db/documents r, owner @{user_share_dirs}/Trash/files/** r, @@ -54,8 +56,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - /dev/fuse rw, - owner /dev/tty@{int} rw, + /dev/fuse rw, + owner /dev/tty@{int} rw, profile fusermount { include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index c75cea7ff..ef11ad786 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem 
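Review bot: In the first xdg-document-portal hunk `owner @{HOME}/** r` becomes `owner @{HOME}/ r` plus `owner @{HOME}/*/{,**} rw`, which no longer matches files directly in the home directory (e.g. `@{HOME}/report.pdf`) that the old rule covered, and widens every home subdirectory from read-only to read-write. The widening is plausible for a portal that hands files to sandboxed apps with write access, but neither point is explained in the hunk. Suggest adding `owner @{HOME}/* r,` if top-level files must stay exportable, and a comment such as `# rw: exported documents may be written back through the portal — TODO confirm` on the rw rule. The profile block continues outside the hunk.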
@@ -35,6 +35,9 @@ profile totem @{exec_path} flags=(attach_disconnected) { /usr/share/grilo-plugins/{,**} r, /usr/share/thumbnailers/{,**} r, + owner @{HOME}/ r, + owner @{MOUNTS}/ r, + owner @{user_music_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_torrents_dirs}/{,**} rw, @@ -50,6 +53,8 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/@{tid}/comm w, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 5d113ba3b..b5ea8b272 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -41,6 +41,7 @@ profile vlc @{exec_path} { @{exec_path} mrix, + @{open_path} rPx -> child-open-help, @{bin}/xdg-screensaver rPx, /usr/share/vlc/{,**} r, @@ -48,6 +49,8 @@ profile vlc @{exec_path} { /etc/fstab r, owner @{HOME}/ r, + owner @{MOUNTS}/ r, + owner @{user_music_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_torrents_dirs}/{,**} rw, From 56f3332163dbdb8ebb93df0e1efcc3a3eee2e051 Mon Sep 17 00:00:00 2001 
From: odomingao Date: Mon, 15 Jul 2024 18:56:55 -0300 Subject: [PATCH 09/15] add profiles for waybar and some hypr utilities (#414) --- apparmor.d/groups/hypr/hyprctl | 21 ++++++++++++++++ apparmor.d/groups/hypr/hyprlock | 37 ++++++++++++++++++++++++++++ apparmor.d/groups/hypr/hyprpaper | 31 +++++++++++++++++++++++ apparmor.d/groups/hypr/hyprpicker | 25 +++++++++++++++++++ apparmor.d/groups/hypr/hyprpm | 41 +++++++++++++++++++++++++++++++ apparmor.d/profiles-s-z/waybar | 34 +++++++++++++++++++++++++ 6 files changed, 189 insertions(+) create mode 100644 apparmor.d/groups/hypr/hyprctl create mode 100644 apparmor.d/groups/hypr/hyprlock create mode 100644 apparmor.d/groups/hypr/hyprpaper create mode 100644 apparmor.d/groups/hypr/hyprpicker create mode 100644 apparmor.d/groups/hypr/hyprpm create mode 100644 apparmor.d/profiles-s-z/waybar diff --git a/apparmor.d/groups/hypr/hyprctl b/apparmor.d/groups/hypr/hyprctl new file mode 100644 index 000000000..4c8a72110 --- /dev/null +++ b/apparmor.d/groups/hypr/hyprctl @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hyprctl + +profile hyprctl @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor + diff --git a/apparmor.d/groups/hypr/hyprlock b/apparmor.d/groups/hypr/hyprlock new file mode 100644 index 000000000..9f400c90b --- /dev/null +++ b/apparmor.d/groups/hypr/hyprlock 
@@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hyprlock + +profile hyprlock @{exec_path} { + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + /etc/security/faillock.conf r, + /etc/shells r, + + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, + owner @{user_pictures_dirs}/** r, + + owner @{user_config_dirs}/hypr/hyprlock.conf r, + + owner @{run}/faillock/@{user} rwk, + + owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/hypr/hyprpaper b/apparmor.d/groups/hypr/hyprpaper new file mode 100644 index 000000000..616ff6c57 --- /dev/null +++ b/apparmor.d/groups/hypr/hyprpaper @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hyprpaper + +profile hyprpaper @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + /usr/share/icons/** r, + + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, + + owner @{user_config_dirs}/hypr/hyprpaper.conf r, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/.hyprpaper* rw, + owner @{run}/user/@{uid}/hypr/*/.hyprpaper.sock w, + owner @{run}/user/@{uid}/hyprpaper.lock rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/hypr/hyprpicker b/apparmor.d/groups/hypr/hyprpicker new file mode 100644 index 000000000..bbeb59a71 --- /dev/null +++ b/apparmor.d/groups/hypr/hyprpicker 
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hyprpicker + +profile hyprpicker @{exec_path} { + include + + @{exec_path} mr, + @{bin}/wl-copy Px, + + /usr/share/icons/** r, + + owner @{run}/user/@{uid}/.hyprpicker* rw, + + include if exists +} + +# vim:syntax=apparmor + diff --git a/apparmor.d/groups/hypr/hyprpm b/apparmor.d/groups/hypr/hyprpm new file mode 100644 index 000000000..77c6bfe69 --- /dev/null +++ b/apparmor.d/groups/hypr/hyprpm @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hyprpm + +profile hyprpm @{exec_path} { + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + + @{exec_path} mr, + + @{bin}/** rix, + @{lib}/gcc/** rix, + @{lib}/git-core/** rix, + + /usr/include/** r, + /usr/share/git-core/** r, + /usr/share/pkgconfig/** r, + + owner @{HOME}/.gitconfig r, + + owner @{user_share_dirs}/hyprpm/{,**} rw, + + /tmp/hyprpm/** rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar new file mode 100644 index 000000000..b740485fd --- /dev/null +++ b/apparmor.d/profiles-s-z/waybar @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/waybar + +profile waybar @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{bin}/** rPUx, + @{user_bin_dirs}/** rPUx, + + owner @{user_config_dirs}/waybar/{,**} r, + + owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor 
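Review bot: `@{bin}/wl-copy Px,` in the hyprpicker profile omits the read bit that every other exec rule in this series carries (`@{bin}/git rPx,`, `@{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia,`); for consistency with the project's style write `@{bin}/wl-copy rPx,`.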
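Review bot: `@{bin}/** rix,` in the hyprpm profile lets any program under @{bin} run inheriting this profile, which also grants unrestricted inet/inet6 networking and `/tmp/hyprpm/** rw`, so the whole plugin build chain (git, gcc and whatever else hyprpm invokes) is confined only as loosely as hyprpm itself. If that breadth is intended because the toolchain is not predictable, record it above the rule with `# hyprpm builds plugins from source; the toolchain runs inherited`, otherwise list the tools explicitly as the `@{lib}/gcc/**` and `@{lib}/git-core/**` lines already do. `/tmp/hyprpm/** rw,` also lacks the `owner` qualifier used on the profile's other user-writable paths. The profile is placed in complain mode by a later patch in this series, so these denials would only be logged until it is enforced.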
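Review bot: `@{bin}/** rPUx,` and `@{user_bin_dirs}/** rPUx,` make waybar an exec-anything point: every program without a profile of its own, including user-writable scripts under @{user_bin_dirs}, is launched unconfined from it. That is plausibly required for custom-module scripts, but the reason belongs in the profile; a comment such as `# custom modules execute arbitrary user scripts` above the two rules would make the trade-off visible to the next reviewer.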
From 3f16003ff9ec858447342643262f53394167508e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 15 Jul 2024 23:01:04 +0100 Subject: [PATCH 10/15] build: ensure hyprland profiles are in complain mode. --- dists/flags/main.flags | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 53631aaeb..3239cd47b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -173,6 +173,11 @@ gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain +hyprctl complain +hyprlock complain +hyprpaper attach_disconnected,complain +hyprpicker complain +hyprpm complain ibus-engine-table complain ibus-memconf attach_disconnected,complain im-launch complain @@ -376,6 +381,7 @@ virtnetworkd complain,attach_disconnected virtnodedevd attach_disconnected,complain virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain +waybar attach_disconnected,complain wg complain wg-quick complain wsdd complain From 8ef9a1824295fccba3fecadbf0b9fd1125c0f754 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 15 Jul 2024 23:02:54 +0100 Subject: [PATCH 11/15] refractor: hypr group -> hyprland --- apparmor.d/groups/{hypr => hyprland}/hyprctl | 1 - apparmor.d/groups/{hypr => hyprland}/hyprlock | 1 - apparmor.d/groups/{hypr => hyprland}/hyprpaper | 1 - apparmor.d/groups/{hypr => hyprland}/hyprpicker | 1 - apparmor.d/groups/{hypr => hyprland}/hyprpm | 1 - 5 files changed, 5 deletions(-) rename apparmor.d/groups/{hypr => hyprland}/hyprctl (99%) rename apparmor.d/groups/{hypr => hyprland}/hyprlock (99%) rename apparmor.d/groups/{hypr => hyprland}/hyprpaper (99%) rename apparmor.d/groups/{hypr => hyprland}/hyprpicker (99%) rename apparmor.d/groups/{hypr => hyprland}/hyprpm (99%) 
diff --git a/apparmor.d/groups/hypr/hyprctl b/apparmor.d/groups/hyprland/hyprctl similarity index 99% rename from apparmor.d/groups/hypr/hyprctl rename to apparmor.d/groups/hyprland/hyprctl index 4c8a72110..f7d41d484 100644 --- a/apparmor.d/groups/hypr/hyprctl +++ b/apparmor.d/groups/hyprland/hyprctl @@ -7,7 +7,6 @@ abi , include @{exec_path} = @{bin}/hyprctl - profile hyprctl @{exec_path} { include include diff --git a/apparmor.d/groups/hypr/hyprlock b/apparmor.d/groups/hyprland/hyprlock similarity index 99% rename from apparmor.d/groups/hypr/hyprlock rename to apparmor.d/groups/hyprland/hyprlock index 9f400c90b..86cc79570 100644 --- a/apparmor.d/groups/hypr/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -7,7 +7,6 @@ abi , include @{exec_path} = @{bin}/hyprlock - profile hyprlock @{exec_path} { include include diff --git a/apparmor.d/groups/hypr/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper similarity index 99% rename from apparmor.d/groups/hypr/hyprpaper rename to apparmor.d/groups/hyprland/hyprpaper index 616ff6c57..1005ee8f1 100644 --- a/apparmor.d/groups/hypr/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -7,7 +7,6 @@ abi , include @{exec_path} = @{bin}/hyprpaper - profile hyprpaper @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/hypr/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker similarity index 99% rename from apparmor.d/groups/hypr/hyprpicker rename to apparmor.d/groups/hyprland/hyprpicker index bbeb59a71..d9af7f884 100644 --- a/apparmor.d/groups/hypr/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -7,7 +7,6 @@ abi , include @{exec_path} = @{bin}/hyprpicker - profile hyprpicker @{exec_path} { include diff --git a/apparmor.d/groups/hypr/hyprpm b/apparmor.d/groups/hyprland/hyprpm similarity index 99% rename from apparmor.d/groups/hypr/hyprpm rename to apparmor.d/groups/hyprland/hyprpm index 77c6bfe69..5f5ce4c66 100644 --- a/apparmor.d/groups/hypr/hyprpm 
+++ b/apparmor.d/groups/hyprland/hyprpm @@ -7,7 +7,6 @@ abi , include @{exec_path} = @{bin}/hyprpm - profile hyprpm @{exec_path} { include include From 9b2470462f09766760fee6436927a6df3b97c30d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 15 Jul 2024 23:04:35 +0100 Subject: [PATCH 12/15] build: ensure @{exec_path} is present in profile att. --- pkg/prebuild/builder/userspace.go | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 9925734c3..8a7df0bc9 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -5,6 +5,7 @@ package builder import ( + "fmt" "regexp" "strings" @@ -12,8 +13,10 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) +const tokATTACHMENT = "@{exec_path}" + var ( - regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`) + regAttachments = regexp.MustCompile(`(profile .* ` + tokATTACHMENT + `)`) ) type Userspace struct { @@ -41,13 +44,18 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) { if _, err := f.Parse(profile); err != nil { return "", err } + if len(f.GetDefaultProfile().Attachments) > 0 && + f.GetDefaultProfile().Attachments[0] != tokATTACHMENT { + return "", fmt.Errorf("missing '%s' attachment", tokATTACHMENT) + } if err := f.Resolve(); err != nil { return "", err } - att := f.GetDefaultProfile().GetAttachments() + matches := regAttachments.FindAllString(profile, -1) if len(matches) > 0 { - strheader := strings.Replace(matches[0], "@{exec_path}", att, -1) + att := f.GetDefaultProfile().GetAttachments() + strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1) return regAttachments.ReplaceAllLiteralString(profile, strheader), nil } return profile, nil From 6cd01064aee554acd33365e88ce3f00f414e53b9 Mon Sep 17 00:00:00 2001 
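Review bot: `regAttachments` now builds its pattern by concatenating `tokATTACHMENT`, whose `{` and `}` are regexp metacharacters that match literally only because `{exec_path}` is not a valid repetition; `regexp.MustCompile(`(profile .* ` + regexp.QuoteMeta(tokATTACHMENT) + `)`)` states that intent and survives a future change of the token. The rest of the `var (` block is unchanged.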
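Review bot: The new guard in `Apply` evaluates `f.GetDefaultProfile()` twice, and the `att :=` line moved below the `matches` check calls it a third time; fetch it once with `p := f.GetDefaultProfile()` before the check and use `p.Attachments` and `p.GetAttachments()`. The `len(...) > 0 &&` condition deliberately lets profiles with no attachment through (such as `child-modprobe-nvidia` elsewhere in this series), which the commit title does not convey; a comment `// profiles without any attachment are left untouched` would record it. Only `Attachments[0]` is compared, so a profile listing `@{exec_path}` after another attachment is reported as missing — fine if first position is the convention, but worth stating. `fmt.Errorf("missing %q attachment", tokATTACHMENT)` is the idiomatic form of the hand-quoted `'%s'`. `Apply` begins before this hunk and its closing brace lies after it.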
From: Alexandre Pujol Date: Mon, 15 Jul 2024 23:12:39 +0100 Subject: [PATCH 13/15] feat(profile): general update. --- apparmor.d/abstractions/app/sudo | 1 + apparmor.d/abstractions/common/systemd | 2 +- apparmor.d/abstractions/gnome-strict | 2 ++ apparmor.d/groups/_full/default | 5 +---- .../groups/browsers/firefox-crashreporter | 3 +++ .../groups/children/child-modprobe-nvidia | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/gnome/gsd-media-keys | 1 + apparmor.d/groups/gnome/session-migration | 2 ++ apparmor.d/groups/pacman/aurpublish | 21 ++++++++++++++++--- apparmor.d/groups/systemd/systemd-cryptsetup | 1 + apparmor.d/groups/systemd/systemd-logind | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/apport-gtk | 8 +++++-- apparmor.d/profiles-a-f/agetty | 1 + apparmor.d/profiles-a-f/dino-im | 5 ++--- apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/fractal | 2 ++ apparmor.d/profiles-a-f/fwupd | 3 ++- apparmor.d/profiles-g-l/issue-generator | 2 ++ apparmor.d/profiles-g-l/keepassxc | 1 + apparmor.d/profiles-s-z/snapd | 1 + apparmor.d/profiles-s-z/spice-vdagent | 3 +++ apparmor.d/profiles-s-z/steam-gameoverlayui | 1 + apparmor.d/profiles-s-z/sudo | 2 ++ apparmor.d/profiles-s-z/update-ca-trust | 2 +- apparmor.d/profiles-s-z/waybar | 1 - 27 files changed, 59 insertions(+), 18 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 6fba1adfd..fdd348587 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -41,6 +41,7 @@ / r, /etc/machine-id r, + /var/db/sudo/lectured/ r, owner /var/lib/sudo/ts/ rw, owner /var/lib/sudo/ts/@{uid} rwk, owner /var/log/sudo.log wk, diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 0ed3a824b..34e9be9d7 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 891e5a573..e9a06e8aa 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -13,6 +13,8 @@ member=Introspect peer=(name=:*, label=gnome-shell), + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index 8e0a3a535..733d227cb 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -70,11 +70,8 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{MOUNTS}/** rwl, owner @{HOME}/{,**} rwlk, owner @{run}/user/@{uid}/{,**} rw, - owner @{user_config_dirs}/** rwkl, - owner @{user_share_dirs}/** rwkl, owner @{tmp}/{,**} rwk, - - owner @{run}/user/@{uid}/{,**} rw, + owner @{run}/user/@{uid}/{,**} rwlk, @{run}/motd.dynamic.new rw, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index c1afb00e4..8d62a6fbf 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -30,6 +30,9 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/curl rix, + @{bin}/mv rix, + @{lib_dirs}/minidump-analyzer rPx, @{bin}/mv rix, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index afb48573c..fb91234b0 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia 
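Review bot: After this change the `default` profile carries both `owner @{run}/user/@{uid}/{,**} rw,` (kept as context a few lines up) and the new `owner @{run}/user/@{uid}/{,**} rwlk,`; the first is fully subsumed by the second and should be dropped so the permission is stated once. Removing the `@{user_config_dirs}` and `@{user_share_dirs}` lines is safe only if those tunables resolve under @{HOME}, which `owner @{HOME}/{,**} rwlk,` above then covers — presumably the case, but a short comment there would make the dependency explicit.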
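Review bot: `@{bin}/mv rix,` is added two lines above an existing `@{bin}/mv rix,` (kept as context after `@{lib_dirs}/minidump-analyzer rPx,`), so the rule now appears twice in firefox-crashreporter; keep one. `@{bin}/curl rix,` runs curl inside the crashreporter profile, which is the right shape for the upload but means the profile itself must grant the network access curl needs — that is not visible in this hunk, so it is worth confirming against the rest of the file.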
+++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -71,7 +71,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { # @{sys}/module/{drm,nvidia}/initstate r, @{sys}/module/compression r, - deny @{HOME}/.steam/** r, + deny @{HOME}/.steam/** r, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 48ac848c1..c5b220145 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { capability sys_tty_config, network netlink raw, + network unix stream, signal (receive) set=term peer=gdm, signal (send) set=(hup term) peer=gdm-session, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1dee19713..9a799d444 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -27,6 +27,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + network inet stream, network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 1f82e7fe0..41c9b28af 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -21,6 +21,8 @@ profile session-migration @{exec_path} { owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 8aba909e4..3f46e2fa6 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish 
@@ -29,7 +29,7 @@ profile aurpublish @{exec_path} { @{bin}/date rix, @{bin}/gettext rix, @{bin}/git rPx, - @{bin}/gpg{,2} rPx, + @{bin}/gpg{,2} rCx -> gpg, @{bin}/grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @@ -48,10 +48,9 @@ profile aurpublish @{exec_path} { /etc/makepkg.conf.d/{,**} r, owner @{user_build_dirs}/**/ w, - owner @{user_projects_dirs}/**/ r, + owner @{user_projects_dirs}/** r, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.SRCINFO rw, - owner @{user_projects_dirs}/**/PKGBUILD r, owner @{user_cache_dirs}/makepkg/src/* rw, owner @{user_config_dirs}/pacman/makepkg.conf r, @@ -62,6 +61,22 @@ profile aurpublish @{exec_path} { /dev/tty rw, + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{user_cache_dirs}/makepkg/src/*.asc r, + + owner @{tmp}/tmp.@{rand10} rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index fba766fe8..6ca3e3237 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -12,6 +12,7 @@ profile systemd-cryptsetup @{exec_path} { include include + capability dac_read_search, capability ipc_lock, capability net_admin, capability sys_admin, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 855d0d58c..d5c7b963e 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -63,6 +63,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/linger/ r, @{run}/.#nologin* rw, + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/host/container-manager r, @{run}/nologin rw, @{run}/utmp rk, 
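Review bot: The new `gpg` child profile in aurpublish lists `@{bin}/gpgconf mr,` but no exec permission for it; `m` and `r` only allow mapping and reading, so if gpg spawns gpgconf (or gpg-agent through it) under this child the exec is denied, and `@{bin}/gpgconf rix,` is the usual form when that is the case. The second hunk also widens `owner @{user_projects_dirs}/**/ r,` to `owner @{user_projects_dirs}/** r,` (all files, not only directories), which is what lets the dedicated `PKGBUILD` rule go; a comment noting that the whole checkout is read would make that deliberate rather than accidental.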
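Review bot: `capability dac_read_search,` added to systemd-cryptsetup bypasses read and search permission checks on every file, which is a broad grant for a confined service; the rule should carry a comment naming what it is needed for (presumably a root-only key or header file), e.g. `# read key files regardless of their mode`, so a later reviewer can re-check whether a narrower rule would do.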
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 76a7e21ca..8b1351997 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -52,6 +52,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/more rPx -> child-pager, @{bin}/multipath rPx, @{bin}/nfsrahead rix, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, @{bin}/pager rPx -> child-pager, @{bin}/perl rix, @{bin}/setfacl rix, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index a63f38890..0fd5fb7d9 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -51,6 +51,7 @@ profile apport-gtk @{exec_path} { @{bin}/pkexec rPx, # TODO: rCx or something @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, + @{bin}/uname rix, @{bin}/which{,.debianutils} rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, @@ -60,8 +61,8 @@ profile apport-gtk @{exec_path} { /usr/share/apport/general-hooks/*.py r, /etc/apport/{,**} r, - /etc/cloud/cloud.cfg.d/{,**} r, /etc/bash_completion.d/apport_completion r, + /etc/cloud/{,**} r, /etc/cron.daily/apport r, /etc/default/apport r, /etc/gtk-3.0/settings.ini r, @@ -69,13 +70,15 @@ profile apport-gtk @{exec_path} { /etc/logrotate.d/apport r, /etc/xdg/autostart/*.desktop r, - /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/usbutils/*.ids r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, + /var/crash/ rw, + owner /var/crash/*.@{uid}.{crash,upload} rw, + @{run}/snapd.socket rw, /tmp/[a-z0-9]* rw, @@ -104,6 +107,7 @@ profile apport-gtk @{exec_path} { @{bin}/* r, /usr/share/gcc/python/{,**/}__pycache__/{,**} rw, + /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, 
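Review bot: `/etc/cloud/{,**} r,` replaces `/etc/cloud/cloud.cfg.d/{,**} r,` in apport-gtk and thereby grants read on the whole cloud-init configuration tree rather than the drop-in directory; if only `cloud.cfg` was missing, adding `/etc/cloud/cloud.cfg r,` beside the old rule keeps the scope narrow. If the wider read really is required, a comment naming what apport reads there would justify it. The `/var/crash` rewrite in the next hunk goes the other way and correctly narrows with `owner`.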
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index c1436f9ad..ec711895d 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -34,6 +34,7 @@ profile agetty @{exec_path} { /etc/os-release r, /usr/etc/login.defs r, + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, owner @{run}/agetty.reload rw, diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index f06989836..07fba44a5 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino-im @@ -11,10 +11,8 @@ include profile dino-im @{exec_path} { include include + include include - include - include - include include include @@ -46,6 +44,7 @@ profile dino-im @{exec_path} { owner @{HOME}/.gnupg/ rw, owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 03fab4ec9..6d836c63d 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -104,7 +104,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner /boot/System.map-* r, - audit owner @{tmp}/tmp.* r, + owner @{tmp}/tmp.@{rand10} r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c6355c2ff..c7df958f7 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -23,6 +23,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/xml/iso-codes/{,**} r, + owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index a2cfea343..474ab630b 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd 
@@ -142,7 +142,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, - owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index a54b024ad..00600b72b 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -26,6 +26,8 @@ profile issue-generator @{exec_path} { @{run}/issue.@{rand10} rw, @{run}/issue.d/{,**} r, + /dev/tty rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 20be091cc..f79a3464e 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -74,6 +74,7 @@ profile keepassxc @{exec_path} { owner @{tmp}/keepassxc-*.socket rw, owner @{tmp}/keepassxc.lock rw, owner @{tmp}/keepassxc.socket rw, + owner @{tmp}/runtime-user/ w, owner @{run}/user/@{pid}/app/ w, owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 3892a8ca4..fa5ef1956 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -40,6 +40,7 @@ profile snapd @{exec_path} { network inet dgram, network inet6 dgram, network netlink raw, + network unix stream, mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/, umount /tmp/syscheck-mountpoint-@{int}/, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c2fd27ced..93be9c783 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
@@ -41,6 +41,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{run}/spice-vdagentd/spice-vdagent-sock rw, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index bbe2452e2..077e6cf8b 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -18,6 +18,7 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 0ba2694bd..6f4e290d6 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -35,6 +35,8 @@ profile sudo @{exec_path} flags=(attach_disconnected) { /opt/*/** PUx, /snap/snapd/@{int}@{bin}/snap rPUx, + /etc/default/locale r, + /var/db/sudo/lectured/ r, owner /var/db/sudo/lectured/@{uid} rw, owner /var/lib/extrausers/shadow r, diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 6e70a0310..8b69cd1f4 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -26,7 +26,7 @@ profile update-ca-trust @{exec_path} { /etc/ca-certificates/extracted/** rw, /etc/ssl/certs/{,*} rw, - /etc/ssl/certs/java/cacerts{,.*} w, + /etc/ssl/certs/java/** rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index b740485fd..d5116b043 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -7,7 +7,6 @@ abi , include @{exec_path} = @{bin}/waybar - profile waybar @{exec_path} flags=(attach_disconnected) { include include From 960135e593c9a2ea16ce5e3af0d63c133594bdcf Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 15 Jul 2024 23:18:04 +0100 Subject: [PATCH 14/15] test(build): update userspace unit test. --- pkg/prebuild/builder/core_test.go | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index c242259f9..597832b91 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -228,14 +228,8 @@ func TestBuilder_Apply(t *testing.T) { include if exists }`, - want: ` - profile foo /usr/bin/foo { - include - - /usr/bin/foo mr, - - include if exists - }`, + want: "", + wantErr: true, }, } for _, tt := range tests { From cb30dcc4bc874f9745afe145191be5016df3122b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 15 Jul 2024 23:47:01 +0100 Subject: [PATCH 15/15] feat(profile): general update. see #416 --- apparmor.d/groups/cron/crontab | 8 ++++---- apparmor.d/groups/gnome/gnome-shell | 7 +++++-- apparmor.d/groups/gnome/gsd-smartcard | 6 +++--- apparmor.d/groups/network/dhcpcd | 14 +++----------- apparmor.d/profiles-g-l/git | 2 +- apparmor.d/profiles-m-r/nft | 6 +++--- apparmor.d/profiles-s-z/udisksd | 3 ++- 7 files changed, 21 insertions(+), 25 deletions(-) diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index c1fae96e4..3490199a1 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -25,6 +25,7 @@ profile crontab @{exec_path} { @{bin}/vim.* rCx -> editor, /etc/cron.{allow,deny} r, + /etc/pam.d/* r, /var/spool/cron/ r, /var/spool/cron/crontabs/ rw, @@ -32,19 +33,18 @@ profile crontab @{exec_path} { owner @{tmp}/crontab.*/{,crontab} rw, - profile editor { include include capability fsetid, + /etc/cron.{allow,deny} r, + /tmp/ r, owner @{tmp}/crontab.*/crontab rw, - # file_inherit - /etc/cron.{allow,deny} r, - + include if exists } include if exists 
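Review bot: The rewritten case only records `wantErr: true`, so any error from `Apply` — a parse failure as much as the new missing-attachment check — satisfies it. If the loop body (outside this hunk) compares only `err != nil`, consider adding an expected error fragment, e.g. a `wantErrMsg` field checked with `strings.Contains`, so the test pins the behaviour that patch 12 introduced. `TestBuilder_Apply` starts before the hunk and continues after it.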
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5e469e625..4e36f1020 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -218,6 +218,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /.flatpak-info r, /etc/fstab r, /etc/timezone r, + /etc/tpm2-tss/*.json r, /etc/udev/hwdb.bin r, /etc/xdg/menus/gnome-applications.menu r, @@ -249,10 +250,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.var/app/**/ r, + owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, owner @{user_games_dirs}/**.{png,jpg,svg} r, owner @{user_music_dirs}/**.{png,jpg,svg} r, @@ -282,6 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_cache_dirs}/vlc/**/*.jpg r, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, + owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index b0ff24b58..0f04ae120 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard 
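Review bot: `owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,` is added to gnome-shell here while the same database gets `tpm2_pkcs11.sqlite3{,.lock} rwk` in the gsd-smartcard hunk of this patch; without `k` and the `.lock` sidecar the gnome-shell rule likely produces the very denials gsd-smartcard was just fixed for. Use the same form in both: `owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,`. The previous gnome-shell hunk has the matching mismatch, `/etc/tpm2-tss/*.json r,` against gsd-smartcard's `/etc/tpm2-tss/* rk,`. The widening of `@{XDG_WALLPAPERS_DIR}/{,**}` from `r` to `rw` is unexplained; a one-line comment on why gnome-shell writes there would help.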
@@ -31,16 +31,16 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/{,opensc/}opensc.conf r, - /etc/tpm2-tss/* r, + /etc/tpm2-tss/* rk, /var/tmp/ r, /tmp/ r, - owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, + owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, + owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index e1b039ad8..79b7283eb 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -39,20 +39,12 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, - /var/lib/dhcpcd/*.lease{,6} rw, - /var/lib/dhcpcd/secret rw, - /etc/dhcpcd.conf r, /etc/resolv.conf rw, - @{run}/dhcpcd/{.pid,pid} rwk, - @{run}/dhcpcd/{.sock,sock} w, - @{run}/dhcpcd/*.pid wk, - @{run}/dhcpcd/*.sock w, - @{run}/dhcpcd/hook-state/ rw, - @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw, - @{run}/dhcpcd/hook-state/resolv.conf/ rw, - @{run}/dhcpcd/unpriv.sock w, + /var/lib/dhcpcd/** rw, + + @{run}/dhcpcd/** rwk, @{run}/udev/data/n@{int} r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index e03479003..ba37f7bcc 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -24,7 +24,7 @@ profile git @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (send) peer=aurpublish, + signal send peer=aurpublish, @{exec_path} mrix, diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft index 50ee826cf..1255ca401 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/profiles-m-r/nft 
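Review bot: The dhcpcd collapse to `/var/lib/dhcpcd/** rw,` and `@{run}/dhcpcd/** rwk,` trades the previous per-file rules, which gave the sockets `w` only, for read/write/lock on everything under both trees, including the `secret` file and the hook-state directory. That is a defensible simplification for a daemon that owns those directories, but the intent should be recorded above the rules, e.g. `# dhcpcd owns both trees; no need to enumerate their contents`, so the loss of the finer grants reads as deliberate.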
@@ -20,9 +20,9 @@ profile nft @{exec_path} { @{exec_path} mr, - owner /etc/iproute2/** r, - - owner /etc/nftables/**.nft r, + /etc/iproute2/** r, + /etc/nftables.conf r, + /etc/nftables/{,**} r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 365044702..83561941c 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -118,12 +118,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/ r, @{sys}/class/nvme-subsystem/ r, @{sys}/class/nvme/ r, - @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/uevent rw,