feat(profile): general update.

2023-12-05 20:45:13 +00:00 · 2023-12-05 20:45:13 +00:00 · 319b976beb
commit 319b976beb
parent bf973760fd
47 changed files with 118 additions and 100 deletions
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -39,6 +39,7 @@ profile dpkg-preconfigure @{exec_path} {
  owner /var/cache/debconf/ rw,
  owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
  owner /var/cache/debconf/tmp.ci/ r,
+  owner /var/cache/debconf/tmp.ci/* rix,
  owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,

  @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -39,6 +39,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,

+  owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,
+
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,

--- a/apparmor.d/groups/freedesktop/xdg-icon-resource
+++ b/apparmor.d/groups/freedesktop/xdg-icon-resource
@ -30,7 +30,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
  /usr/share/**/icons/**.png r,
  /usr/share/icons/**.png rw,
  /usr/share/icons/*/.xdg-icon-resource-dummy rw,
-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  owner /tmp/.com.google.Chrome.*/chrome-*.png r,

--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@ -33,7 +33,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
  @{bin}/xprop      rPx,
  @{bin}/ktraderclient5 rPx,

-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  owner @{HOME}/.Xauthority r,
  owner @{user_config_dirs}/mimeapps.list{,.new} rw,
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@ -34,7 +34,7 @@ profile xdg-settings @{exec_path} {
  @{bin}/xdg-mime     rPx,
  @{bin}/xprop        rPx,

-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  /etc/xdg/xfce4/helpers.rc r,
  /etc/machine-id r,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -29,6 +29,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  capability sys_resource,
  capability sys_tty_config,

+  network netlink raw,
+
  signal (receive) set=term peer=gdm,
  signal (receive) set=hup peer=@{systemd},
  signal (send) set=hup peer=at-spi*,
@ -45,8 +47,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  signal (send) set=hup peer=xwayland,
  signal (send) set=term peer=gdm-*-session,

-  network netlink raw,
-
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=*Session
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@ -30,7 +30,7 @@ profile gnome-extensions-app @{exec_path} {

  /usr/share/gnome-shell/org.gnome.Extensions* r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,
  /usr/share/X11/xkb/{,**} r,

  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -73,6 +73,9 @@ profile gnome-terminal-server @{exec_path} {
  /etc/pulse/client.conf.d/{,**} r,
  /etc/shells r,

+  /var/lib/flatpak/exports/share/icons/{,**} r,
+  /var/lib/snapd/desktop/icons/{,**} r,
+
  owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,

  owner @{user_config_dirs}/*xdg-terminals.list* rw,
@ -81,6 +84,8 @@ profile gnome-terminal-server @{exec_path} {
  owner @{run}/user/@{uid}/pulse/ r,
  owner @{run}/user/@{uid}/pulse/native rw,

+  owner /tmp/#@{int} rw,
+
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/cgroup r,

--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -91,10 +91,10 @@ profile gsd-xsettings @{exec_path} {

  owner @{user_cache_dirs}/mesa_shader_cache/index rw,

-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
        @{run}/systemd/sessions/* r,
        @{run}/systemd/users/@{uid} r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
+  owner @{run}/user/@{uid}/gdm/Xauthority r,

  owner @{PROC}/@{pid}/fd/ r,

@ -108,6 +108,7 @@ profile gsd-xsettings @{exec_path} {

    /etc/X11/Xresources/ r,

+    include if exists <local/gsd-xsettings_run-parts>
  }

  include if exists <local/gsd-xsettings>
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -114,13 +114,13 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  /usr/share/nautilus/{,**} r,
  /usr/share/poppler/{,**} r,
  /usr/share/sounds/freedesktop/stereo/*.oga r,
-  /usr/share/terminfo/ r,
+  /usr/share/terminfo/** r,
  /usr/share/thumbnailers/{,**} r,
  /usr/share/tracker*/{,**} r,

  /etc/fstab r,

-  /var/cache/fontconfig/ r,
+  /var/cache/fontconfig/ rw,
  /var/lib/snapd/desktop/icons/{,**} r,

  # Full access to user's data
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@ -72,7 +72,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
  /etc/default/grub.d/{*,} r,

  /usr/share/grub/{**,} r,
-  /usr/share/terminfo/{,x/xterm-256color} r,
+  /usr/share/terminfo/** r,

  /.zfs/snapshot/*/boot/ r,
  /.zfs/snapshot/*/etc/{machine-id,} r,
--- a/apparmor.d/groups/network/iwctl
+++ b/apparmor.d/groups/network/iwctl
@ -12,7 +12,7 @@ profile iwctl @{exec_path} {

  @{exec_path} mr,

-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  /etc/inputrc r,

--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@ -28,7 +28,7 @@ profile wg-quick @{exec_path} {
  @{bin}/wg                 rPx,
  @{bin}/xtables-nft-multi  rix,

-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  /etc/iproute2/group  r,
  /etc/iproute2/rt_realms r,
--- a/apparmor.d/groups/pacman/arch-audit
+++ b/apparmor.d/groups/pacman/arch-audit
@ -25,7 +25,7 @@ profile arch-audit @{exec_path} {
  
  /etc/arch-audit/settings.toml r,

-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  /var/lib/pacman/local/{,**} r,

--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -43,7 +43,7 @@ profile aurpublish @{exec_path} {
  @{bin}/wc          rix,

  /usr/share/makepkg/{,**} r,
-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  /etc/makepkg.conf r,

--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -85,7 +85,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /usr/share/plymouth/*.png r,
  /usr/share/plymouth/plymouthd.defaults r,
  /usr/share/plymouth/themes/{,**} r,
-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  # Can copy any program to the initframs
  /{usr/,}{local/,}{s,}bin/ r,
--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@ -29,7 +29,7 @@ profile paccache @{exec_path} {
  @{bin}/xargs        rix,

  /usr/share/makepkg/util/*.sh r,
-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  /var/cache/pacman/pkg/{,*} rw,

--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@ -31,7 +31,7 @@ profile pacman-key @{exec_path} {

  /usr/share/makepkg/{,**} r,
  /usr/share/pacman/keyrings/{,*} r,
-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/** r,

  /etc/pacman.d/gnupg/gpg.conf r,

--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -30,7 +30,10 @@ profile ssh @{exec_path} {
  @{etc_ro}/ssh/ssh_config r,
  @{etc_ro}/ssh/sshd_config r,
  @{etc_ro}/ssh/sshd_config.d/{,*} r,
-
+  /etc/machine-id r,
+  /etc/ssh/ssh_config r,
+  /etc/ssh/ssh_config.d/{,*} r,
+  
  owner @{HOME}/@{XDG_SSH_DIR}/ r,
  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
  owner @{HOME}/@{XDG_SSH_DIR}/config r,
@ -40,17 +43,12 @@ profile ssh @{exec_path} {
  owner @{user_projects_dirs}/**/ssh/{,*} r,
  owner @{user_projects_dirs}/**/config r,

-  /etc/ssh/ssh_config r,
-  /etc/ssh/ssh_config.d/{,*} r,
-  # Needed to work for systemd-homed users
-  /etc/machine-id r,
-  @{run}/systemd/userdb/ r,
-  
+  owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
+
  owner @{run}/user/@{uid}/keyring/ssh rw,
+
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/fd/ r,

-  owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
-
  include if exists <local/ssh>
 }
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@ -61,7 +61,7 @@ profile coredumpctl @{exec_path} flags=(complain) {
    /usr/share/gcc/** r,
    /usr/share/gdb/{,**} r,
    /usr/share/glib-2.0/gdb/{,**} r,
-    /usr/share/terminfo/x/xterm-256color r,
+    /usr/share/terminfo/** r,

    /etc/inputrc r,
    /etc/gdb/** r,
--- a/apparmor.d/groups/systemd/systemd-shutdown
+++ b/apparmor.d/groups/systemd/systemd-shutdown
@ -25,7 +25,6 @@ profile systemd-shutdown @{exec_path} {
        @{PROC}/ r,
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pids}/cmdline r,
-        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/sys/kernel/core_pattern w,
  owner @{PROC}/sys/kernel/printk rw,
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /usr/share/apport/apport 
-profile apport @{exec_path} {
+profile apport @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/nameservice-strict>
@ -15,7 +15,11 @@ profile apport @{exec_path} {
  include <abstractions/python>

  capability fsetid,
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,

+  ptrace (read) peer=gnome-shell,
  ptrace (read) peer=snap.cups.cupsd,

  @{exec_path} mr,
@ -27,11 +31,11 @@ profile apport @{exec_path} {

  @{run}/apport.lock rwk,

-        @{PROC}/sys/fs/suid_dumpable w,
-        @{PROC}/sys/kernel/core_pattern r,
-        @{PROC}/sys/kernel/core_pattern w,
-        @{PROC}/sys/kernel/core_pipe_limit w,
-  owner @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/sys/fs/suid_dumpable w,
+  @{PROC}/sys/kernel/core_pattern r,
+  @{PROC}/sys/kernel/core_pattern w,
+  @{PROC}/sys/kernel/core_pipe_limit w,

  include if exists <local/apport>
 }
--- a/apparmor.d/groups/ubuntu/package-system-locked
+++ b/apparmor.d/groups/ubuntu/package-system-locked
@ -14,23 +14,25 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
  capability sys_ptrace,
  capability syslog,

-  ptrace (read),
-
  network inet dgram,
  network inet6 dgram,

+  # mqueue type=posix /,
+
+  ptrace (read),
+
  @{exec_path} mr,

  @{bin}/{,ba,da}sh  rix,
  @{bin}/fuser       rix,

-  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/net/unix r,
-  owner @{PROC}/@{pid}/stat r,
        @{PROC}/ r,
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pids}/maps r,
        @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/net/unix r,
+  owner @{PROC}/@{pid}/stat r,

  include if exists <local/package-system-locked>
 }