diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 523a4d616..a3b8998b6 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -26,7 +26,7 @@
include
include
include
- include
+ include
include
# userns,
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index f6b80bc29..b79e78eae 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@@ -2,29 +2,12 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-# This abstraction gives read access on all defined user directories. It should
-# only be used if access to **ALL** folders is required.
+# Warning: This abstraction gives unrestricted read access on all non hidden user directories.
- owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
- owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
- owner @{user_books_dirs}/{,**} r,
- owner @{user_documents_dirs}/{,**} r,
- owner @{user_download_dirs}/{,**} r,
- owner @{user_games_dirs}/{,**} r,
- owner @{user_music_dirs}/{,**} r,
- owner @{user_pictures_dirs}/{,**} r,
- owner @{user_projects_dirs}/{,**} r,
- owner @{user_publicshare_dirs}/{,**} r,
- owner @{user_sync_dirs}/{,**} r,
- owner @{user_templates_dirs}/{,**} r,
- owner @{user_torrents_dirs}/{,**} r,
- owner @{user_videos_dirs}/{,**} r,
- owner @{user_vm_dirs}/{,**} r,
- owner @{user_work_dirs}/{,**} r,
+ owner @{HOME}/[^.]** r,
+ owner @{MOUNTS}/[^.]** r,
include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict
new file mode 100644
index 000000000..9eb1262d0
--- /dev/null
+++ b/apparmor.d/abstractions/user-read-strict
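Review bot: In the user-read hunk the new rule `owner @{HOME}/[^.]** r,` excludes a leading dot only at the top level of @{HOME}: `**` spans path separators, so hidden entries nested below a visible directory (for example a `.git/` or a dotfile inside a project folder) are still readable, which the added "non hidden user directories" warning does not convey. Suggest `# Warning: This abstraction gives unrestricted read access on everything under @{HOME} and @{MOUNTS} whose top-level name does not start with a dot; hidden files and directories nested deeper are still covered.`. The same wording issue applies to the warning added in the user-write.d/complete hunk, whose `[^.]** wl` rules have the identical top-level-only exclusion. The `include if exists` target at the end of the hunk is not visible in this rendering, so it could not be checked.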
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction gives read access on all defined user directories. It should
+# only be used if access to **ALL** folders is required.
+
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
+
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+
+ owner @{user_books_dirs}/{,**} r,
+ owner @{user_documents_dirs}/{,**} r,
+ owner @{user_download_dirs}/{,**} r,
+ owner @{user_games_dirs}/{,**} r,
+ owner @{user_music_dirs}/{,**} r,
+ owner @{user_pictures_dirs}/{,**} r,
+ owner @{user_projects_dirs}/{,**} r,
+ owner @{user_publicshare_dirs}/{,**} r,
+ owner @{user_sync_dirs}/{,**} r,
+ owner @{user_templates_dirs}/{,**} r,
+ owner @{user_torrents_dirs}/{,**} r,
+ owner @{user_videos_dirs}/{,**} r,
+ owner @{user_vm_dirs}/{,**} r,
+ owner @{user_work_dirs}/{,**} r,
+
+ include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict
new file mode 100644
index 000000000..51fe3e08d
--- /dev/null
+++ b/apparmor.d/abstractions/user-write-strict
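Review bot: The header comment of the new user-read-strict file is carried over verbatim from the old user-read ("It should only be used if access to **ALL** folders is required"), but after this commit this is the narrower of the two abstractions: it enumerates the XDG and @{user_*_dirs} trees, whereas user-read now grants `@{HOME}/[^.]** r`. A reader choosing between them gets no guidance from the comment, so it should state the relationship, e.g. `# This abstraction gives read access on the defined user directories only (XDG and @{user_*_dirs}). Prefer it over user-read, which covers every non hidden path under @{HOME} and @{MOUNTS}.`. The second sentence about "ALL folders" should then be dropped, since it no longer describes this file.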
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction gives write only access on all defined user directories. It should
+# only be used if access to **ALL** folders is required.
+
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
+
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl,
+ owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} wl,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} wl,
+ owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} wl,
+ owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} wl,
+ owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} wl,
+
+ owner @{user_books_dirs}/{,**} wl,
+ owner @{user_documents_dirs}/{,**} wl,
+ owner @{user_download_dirs}/{,**} wl,
+ owner @{user_games_dirs}/{,**} wl,
+ owner @{user_music_dirs}/{,**} wl,
+ owner @{user_pictures_dirs}/{,**} wl,
+ owner @{user_projects_dirs}/{,**} wl,
+ owner @{user_publicshare_dirs}/{,**} wl,
+ owner @{user_sync_dirs}/{,**} wl,
+ owner @{user_templates_dirs}/{,**} wl,
+ owner @{user_torrents_dirs}/{,**} wl,
+ owner @{user_videos_dirs}/{,**} wl,
+ owner @{user_vm_dirs}/{,**} wl,
+ owner @{user_work_dirs}/{,**} wl,
+
+ include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete
index 5bcab6f3f..8f73b06e6 100644
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
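Review bot: The header of user-write-strict says "write only access", but the rules grant more than that: `owner @{HOME}/ r,` and `owner @{MOUNTS}/ r,` give read on the two top-level directories themselves, and every tree rule uses `wl`, so hard links can be created into these directories as well as writes. The comment should name what is actually granted, e.g. `# This abstraction gives write and link access on all defined user directories, plus read of the top-level @{HOME} and @{MOUNTS} directory entries. It should only be used if write access to **ALL** folders is required.`. Since the `{,**}` form also matches the directory itself, the `wl` rules permit creating and removing entries at the top of each tree, which is worth a short note for profile authors who expect file-content writes only.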
@@ -2,15 +2,10 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
- owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+# Warning: This abstraction gives unrestricted write access on all non hidden user directories.
- owner @{user_books_dirs}/{,**} rwl,
- owner @{user_documents_dirs}/{,**} rwl,
- owner @{user_games_dirs}/{,**} rwl,
- owner @{user_music_dirs}/{,**} rwl,
- owner @{user_pictures_dirs}/{,**} rwl,
- owner @{user_projects_dirs}/{,**} rwl,
- owner @{user_videos_dirs}/{,**} rwl,
- owner @{user_vm_dirs}/{,**} rwl,
- owner @{user_work_dirs}/{,**} rwl,
+ owner @{HOME}/ r,
+ owner @{MOUNTS}/ r,
+
+ owner @{HOME}/[^.]** wl,
+ owner @{MOUNTS}/[^.]** wl,
diff --git a/apparmor.d/groups/apps/imv-wayland b/apparmor.d/groups/apps/imv-wayland
index bd727a315..4186d0d75 100644
--- a/apparmor.d/groups/apps/imv-wayland
+++ b/apparmor.d/groups/apps/imv-wayland
@@ -13,7 +13,7 @@ profile imv @{exec_path} {
include
include
include
- include
+ include
@{exec_path} mr,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 7ae1e17cf..ab9fc0f69 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -34,7 +34,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
# userns,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index cbf29a431..03d3bb357 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -26,7 +26,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include
include
include
- include
+ include
include
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index 6c658ddf8..bdc95e7e3 100644
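Review bot: The user-write.d/complete hunk replaces `rwl` rules with `wl` ones and adds `r` only on `@{HOME}/` and `@{MOUNTS}/` themselves, so any profile that pulled this drop-in for its read permission now loses read on file contents unless it also includes a read abstraction; if that is intended, the warning comment should say so, e.g. `# Warning: This abstraction gives unrestricted write and link access on all non hidden user directories; it no longer grants read, pair it with user-read.`. The new `owner @{HOME}/[^.]** wl,` rule is also broader than the enumerated trees it replaces: it covers every non-hidden top-level directory, which on common distributions includes places like `@{HOME}/bin` that a user's shell may search for executables, so a profile that only needs document-style writes should keep using the strict variant rather than this one. A brief `deny` carve-out for such directories, if the project maintains one, would reduce that exposure for profiles that do need the wide rule.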
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -14,6 +14,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
include
include
include
+ include
+ include
signal (send) set=(kill) peer=loupe//bwrap,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index adf3f672b..2be51ff54 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -13,7 +13,7 @@ profile gpg @{exec_path} {
include
include
include
- include
+ include
capability dac_read_search,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index 73cc56713..4e82b0aa5 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -14,8 +14,8 @@ profile gvfsd-dav @{exec_path} {
include
include
include
- include
include
+ include
network inet stream,
network inet6 stream,
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
index ea4202859..7516555b9 100644
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@@ -14,7 +14,7 @@ profile kactivitymanagerd @{exec_path} {
include
include
include
- include
+ include
@{exec_path} mr,
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index 5bb7f910a..fa00bcc18 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -15,8 +15,8 @@ profile okular @{exec_path} {
include
include
include
- include
- include
+ include
+ include
@{exec_path} mr,
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index baa5f33a6..53bb3851b 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -33,7 +33,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
# userns,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 4729bc3aa..3122576c5 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -18,8 +18,8 @@ profile evince @{exec_path} {
include
include
include
- include
- include
+ include
+ include
# also denies network mounts
deny network inet,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 80eef8541..665106109 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -15,9 +15,11 @@ profile file-roller @{exec_path} {
include
include
include
+ include
include
include
- include
+ include
+ include
#aa:dbus own bus=session name=org.gnome.ArchiveManager1
#aa:dbus own bus=session name=org.gnome.FileRoller
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index 0bc43c8ee..3b18cb2bc 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -13,7 +13,7 @@ profile mutt @{exec_path} {
include
include
include
- include
+ include
network inet dgram,
network inet6 dgram,
diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark
index b0165538b..19f38bc90 100644
--- a/apparmor.d/profiles-s-z/wireshark
+++ b/apparmor.d/profiles-s-z/wireshark
@@ -18,7 +18,7 @@ profile wireshark @{exec_path} {
include
include
include
- include
+ include
network inet dgram,
network inet6 dgram,