From 499b9e785d4f6ed259d47e5c42d336717b604c19 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Nov 2023 17:27:19 +0000 Subject: [PATCH 01/19] feat(full): update full system structure. - Aims to be compatible with full-policy profile - Required by systemd --- apparmor.d/groups/_full/init | 15 --- apparmor.d/groups/_full/systemd | 134 +------------------------- apparmor.d/groups/_full/systemd-user | 138 +++++++++++++++++++++++++++ 3 files changed, 143 insertions(+), 144 deletions(-) delete mode 100644 apparmor.d/groups/_full/init create mode 100644 apparmor.d/groups/_full/systemd-user diff --git a/apparmor.d/groups/_full/init b/apparmor.d/groups/_full/init deleted file mode 100644 index d6248b2c5..000000000 --- a/apparmor.d/groups/_full/init +++ /dev/null @@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Full system policy profile. - -# /sbin/init (PID 1) is a link to /usr/lib/systemd/systemd - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. -# See https://apparmor.pujol.io/development/structure/#full-system-policy -# for more information. - -# Distributions and other programs can add rules in the usr/init.d directory - diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index eeb1181f3..ddf859ad5 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd 
@@ -2,137 +2,13 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This is not /sbin/init (PID 1) but systemd --user +# Main profile for full system policy. + +# Profile for systemd (PID 1), it does not specify an attachment path because +# it is direclty used by systemd. # Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. -# See https://apparmor.pujol.io/development/structure/#full-system-policy -# for more information. +# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy. # Distributions and other programs can add rules in the usr/systemd.d directory -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd -profile systemd @{lib}/systemd/systemd flags=(complain) { - include - include - include - include - - network netlink raw, - - ptrace (read), - - signal (send) set=(term, cont, kill), - - @{exec_path} mr, - - @{bin}/{,ba,da}sh rix, - @{bin}/systemctl rCx -> systemctl, - - @{lib}/systemd/user-environment-generators/* rPx, - @{lib}/systemd/user-environment-generators/* rPx, - @{lib}/systemd/user-generators/* rPx, - - # Server - @{lib}/openssh/agent-launch rPx, - - # Dbus - @{bin}/dbus-daemon rPx, - @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, - - # Desktop - @{bin}/xdg-user-dirs-update rPx, - @{lib}/xdg-desktop-portal* rPx, - @{lib}/xdg-document-portal rPx, - @{lib}/xdg-permission-store rPx, - - # Audio - @{bin}/pipewire rux, # FIXME: no new privs - @{bin}/pipewire-pulse rux, # FIXME: no new privs - @{bin}/pulseaudio rux, # FIXME: no new privs - @{bin}/wireplumber rux, # FIXME: no new privs - - # Gnome - @{bin}/gjs rPx, - @{bin}/gnome-keyring-daemon rPx, - @{bin}/gnome-shell rPx, - @{bin}/gsettings rPx, - @{lib}/{,dconf/}dconf-service rPx, - @{lib}/dconf/dconf-service rPx, - @{lib}/evolution-addressbook-factory rPx, - @{lib}/evolution-calendar-factory rPx, - @{lib}/evolution-source-registry rPx, - @{lib}/gnome-session-binary rPx, - 
@{lib}/gnome-session-ctl rPx, - @{lib}/gnome-terminal-server rPx, - @{lib}/goa-* rPx, - @{lib}/gsd-* rPx, - @{lib}/gvfs-* rPx, - @{lib}/gvfs/gvfs-* rPx, - @{lib}/gvfs/gvfsd* rPx, - @{lib}/gvfsd* rPx, - @{lib}/tracker-extract-* rPx, - @{lib}/tracker-miner-* rPx, - - # Ubuntu - @{bin}/snap rPx, - - /etc/systemd/user.conf r, - /etc/systemd/user.conf.d/{,**} r, - /etc/systemd/user/{,**} r, - - /usr/ r, - - owner @{user_config_dirs}/systemd/user/{,**} r, - - owner @{run}/user/@{uid}/{,*/,*} rw, - owner @{run}/user/@{uid}/*/* rw, - owner @{run}/user/@{uid}/systemd/{,**} rw, - - @{run}/mount/utab r, - @{run}/systemd/notify w, - @{run}/udev/data/* r, - @{run}/udev/tags/systemd/ r, - - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, - @{PROC}/1/cgroup r, - @{PROC}/cmdline r, - @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pids}/attr/apparmor/exec w, - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/oom_score_adj rw, - - profile systemctl { - include - - @{bin}/systemctl mr, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pids}/status r, - - include if exists - include if exists - } - - include if exists - include if exists -} diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user new file mode 100644 index 000000000..1accc54d8 --- /dev/null +++ b/apparmor.d/groups/_full/systemd-user 
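Review bot: On the new side this file now holds nothing but comments — the entire `profile systemd ... { }` block is removed and no replacement is added — yet the header still describes a profile that "does not specify an attachment path because it is direclty used by systemd" (also: `directly`). If the PID 1 profile is meant to arrive in a later patch of the series, a `# TODO: PID 1 profile to be added; see patch N` line would stop readers from hunting for the `Px -> systemd-user` transition that the new `systemd-user` header says originates here; otherwise the file should not yet be installed by `SetFullSystemPolicy`, since I have not confirmed that apparmor_parser accepts a profile-less policy file. Removed lines are history, so the old `systemd --user` rules are not re-raised here; they reappear as `systemd-user`.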
@@ -0,0 +1,138 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Profile for 'systemd --user' (not PID 1), it does not specify an attachment +# path because it is intended to be used only via "Px -> systemd-user" exec +# transitions from the systemd profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy. + +# Distributions and other programs can add rules in the usr/systemd-user.d directory + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd +profile systemd-user flags=(complain) { + include + include + include + include + + network netlink raw, + + ptrace (read), + + signal (send) set=(term, cont, kill), + + @{exec_path} mr, + + @{bin}/{,ba,da}sh rix, + @{bin}/systemctl rCx -> systemctl, + + @{lib}/systemd/user-environment-generators/* rPx, + @{lib}/systemd/user-environment-generators/* rPx, + @{lib}/systemd/user-generators/* rPx, + + # Server + @{lib}/openssh/agent-launch rPx, + + # Dbus + @{bin}/dbus-daemon rPx, + @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, + + # Desktop + @{bin}/xdg-user-dirs-update rPx, + @{lib}/xdg-desktop-portal* rPx, + @{lib}/xdg-document-portal rPx, + @{lib}/xdg-permission-store rPx, + + # Audio + @{bin}/pipewire rux, # FIXME: no new privs + @{bin}/pipewire-pulse rux, # FIXME: no new privs + @{bin}/pulseaudio rux, # FIXME: no new privs + @{bin}/wireplumber rux, # FIXME: no new privs + + # Gnome + @{bin}/gjs rPx, + @{bin}/gnome-keyring-daemon rPx, + @{bin}/gnome-shell rPx, + @{bin}/gsettings rPx, + @{lib}/{,dconf/}dconf-service rPx, + @{lib}/dconf/dconf-service rPx, + @{lib}/evolution-addressbook-factory rPx, + @{lib}/evolution-calendar-factory rPx, + @{lib}/evolution-source-registry rPx, + @{lib}/gnome-session-binary rPx, + @{lib}/gnome-session-ctl rPx, + @{lib}/gnome-terminal-server rPx, + @{lib}/goa-* rPx, + 
@{lib}/gsd-* rPx, + @{lib}/gvfs-* rPx, + @{lib}/gvfs/gvfs-* rPx, + @{lib}/gvfs/gvfsd* rPx, + @{lib}/gvfsd* rPx, + @{lib}/tracker-extract-* rPx, + @{lib}/tracker-miner-* rPx, + + # Ubuntu + @{bin}/snap rPx, + + /etc/systemd/user.conf r, + /etc/systemd/user.conf.d/{,**} r, + /etc/systemd/user/{,**} r, + + /usr/ r, + + owner @{user_config_dirs}/systemd/user/{,**} r, + + owner @{run}/user/@{uid}/{,*/,*} rw, + owner @{run}/user/@{uid}/*/* rw, + owner @{run}/user/@{uid}/systemd/{,**} rw, + + @{run}/mount/utab r, + @{run}/systemd/notify w, + @{run}/udev/data/* r, + @{run}/udev/tags/systemd/ r, + + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/stat r, + @{PROC}/1/cgroup r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/threads-max r, + owner @{PROC}/@{pids}/attr/apparmor/exec w, + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/oom_score_adj rw, + + profile systemctl { + include + + @{bin}/systemctl mr, + + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pids}/status r, + + include if exists + include if exists + } + + include if exists + include if exists +} From b49eb4c41610e169364a48fb2923037e4e653dfd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Nov 2023 17:28:33 +0000 Subject: [PATCH 02/19] doc: add link to the ubuntu summit talk. --- README.md | 13 ++++++++----- docs/index.md | 8 ++++++-- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index c291a790f..db358da86 100644 --- a/README.md 
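Review bot: `owner @{PROC}/@{pids}/attr/apparmor/exec w,` by itself does not let `systemd --user` honour `AppArmorProfile=` in user units — as far as I know the kernel also requires a matching `change_profile` rule for the target — so either add the intended set (`change_profile -> **,`, narrowed once the user-unit profiles are known) with a comment, or drop the write rule as inert. Two rules are duplicated: `@{lib}/systemd/user-environment-generators/* rPx,` appears twice, and `@{lib}/dconf/dconf-service rPx,` is already covered by `@{lib}/{,dconf/}dconf-service rPx,`; one copy each would do. The four `rux` audio lines (pipewire, pipewire-pulse, pulseaudio, wireplumber) hand those daemons to unconfined with the environment intact; the FIXME is there, but note that unlike the other rules this is not softened by `flags=(complain)`, since a `ux` transition drops confinement in both modes. The profile is stated to be reachable only via `Px -> systemd-user` from the `systemd` profile, which in this same patch is reduced to comments, so nothing currently enters it.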
+++ b/README.md @@ -34,13 +34,13 @@ most Linux based applications and processes. * Ubuntu 22.04 * Debian 12 * OpenSUSE Tumbleweed -- Support all major desktop environments: +- Support major desktop environments: * Currently only Gnome - Fully tested (Work in progress) -> This project is originaly based on the work from [Morfikov][upstream] and aims -> to extend it to more Linux distributions and desktop environements. +> This project is originally based on the work from [Morfikov][upstream] and aims +> to extend it to more Linux distributions and desktop environments. ## Concepts @@ -63,9 +63,12 @@ bubblewrap, toolbox...). This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users. -**Presentation** +**Presentations** -- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin)) +Building large set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))* ## Installation diff --git a/docs/index.md b/docs/index.md index b08a7fd2d..c727175f6 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -37,6 +37,10 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. * Currently only :material-gnome: Gnome - Fully tested (Work in progress) -**Presentation** +**Presentations** + +Building large set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))* -- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin)) \ No newline at end of file From ee658c41a6e68aeadafbe963d82d7d7c4f3cc197 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Nov 2023 17:29:34 +0000 Subject: [PATCH 03/19] refractor(profiles): improve child profile structure. --- apparmor.d/groups/children/child-dpkg | 5 +++-- apparmor.d/groups/children/child-dpkg-divert | 5 +++-- apparmor.d/groups/children/child-open | 8 +++----- apparmor.d/groups/children/child-pager | 6 ++---- apparmor.d/groups/children/child-systemctl | 4 ++-- 5 files changed, 13 insertions(+), 15 deletions(-) diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index e3a251629..97af4a25a 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Note: This profile does not specify an attachment path because it is @@ -12,7 +13,7 @@ abi , include -# Do not attach to @{bin}/dpkg by default +@{exec_path} = @{bin}/dpkg profile child-dpkg { include include @@ -21,7 +22,7 @@ profile child-dpkg { capability dac_read_search, capability setgid, - @{bin}/dpkg mr, + @{exec_path} mr, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index ebcc6ae31..deb355149 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Note: This profile does not specify an attachment path because it is @@ -12,11 +13,11 @@ abi , include -# Do not attach to @{bin}/dpkg-divert by default +@{exec_path} = @{bin}/dpkg-divert profile child-dpkg-divert { include - @{bin}/dpkg-divert mr, + @{exec_path} mr, /var/lib/dpkg/arch r, /var/lib/dpkg/status r, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index b0ff2d7ee..f7ffc320f 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -16,7 +16,8 @@ abi , include -# App allowed to open +@{exec_path} = @{bin}/exo-open @{bin}/xdg-open +@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop profile child-open { include include 
@@ -24,10 +25,7 @@ profile child-open { include include - @{bin}/exo-open mr, - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix, - @{lib}/gio-launch-desktop mrix, + @{exec_path} mrix, @{bin}/{,ba,da}sh rix, @{bin}/{,m,g}awk rix, diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index 0489a612b..1326cb8fd 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -13,7 +13,7 @@ abi , include -# Do not attach to @{bin}/pager by default +@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more profile child-pager { include include @@ -24,9 +24,7 @@ profile child-pager { signal (receive) set=(stop, cont, term, kill), @{bin}/ r, - @{bin}/pager mr, - @{bin}/less mr, - @{bin}/more mr, + @{exec_path} mr, @{system_share_dirs}/terminfo/{,**} r, diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index 92c321043..fd599740b 100644 --- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl @@ -13,7 +13,7 @@ abi , include -# Do not attach to @{bin}/systemctl by default +@{exec_path} = @{bin}/systemctl profile child-systemctl flags=(attach_disconnected) { include include @@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) { interface=org.freedesktop.systemd[0-9].Manager member=GetUnitFileState, - @{bin}/systemctl mr, + @{exec_path} mr, /etc/machine-id r, /etc/systemd/user/{,**} rwl, From 758991f67b3aa6787f37005ff89fe3240c2733d0 Mon Sep 17 00:00:00 2001 
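Review bot: Collapsing the four lines into `@{exec_path} mrix,` widens `exo-open` and `xdg-open` from `mr` to `mrix`, so both can now be executed from inside `child-open` with inherited confinement where before only the `gio-launch-desktop` binaries could. That may well be intended (xdg-open dispatches to `exo-open` on Xfce), but it is a permission change shipped under a refactoring subject; either state it in the commit message or keep the split: `@{exec_path} mr,` for the two openers and `mrix` only on the two `gio-launch-desktop` paths. The subject's `refractor` should read `refactor`.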
From: Alexandre Pujol Date: Thu, 9 Nov 2023 17:31:45 +0000 Subject: [PATCH 04/19] feat(profiles): general update. --- apparmor.d/groups/gnome/gnome-disk-image-mounter | 1 + apparmor.d/groups/gvfs/gvfsd-fuse | 1 + apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/systemd/systemd-journald | 5 ++++- apparmor.d/groups/ubuntu/ubuntu-report | 5 +++++ apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 + apparmor.d/profiles-a-f/aa-notify | 2 +- apparmor.d/profiles-a-f/cctk | 3 +++ apparmor.d/profiles-g-l/install-info | 1 + apparmor.d/profiles-s-z/s3fs | 2 ++ 10 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 1d54d4fc9..68e2e74d1 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -13,6 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index ff3d774b2..4f3fdfd19 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -60,6 +60,7 @@ profile gvfsd-fuse @{exec_path} { /dev/fuse rw, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 1014c2eb6..3b5b79ad7 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -38,7 +38,7 @@ profile aurpublish @{exec_path} { @{bin}/mv rix, @{bin}/nproc rix, @{bin}/rm rix, - @{bin}/sha512sum rix, + @{bin}/sha*sum rix, @{bin}/tput rix, @{bin}/wc rix, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index f3aa69db7..b168c5f4c 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
@@ -14,8 +14,11 @@ profile systemd-journald @{exec_path} { include capability audit_control, + capability audit_read, + capability chown, + capability dac_override, capability dac_read_search, - capability kill, + capability fowner, capability setgid, capability setuid, capability sys_admin, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index b95ac50f0..1c648152e 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -12,6 +12,11 @@ profile ubuntu-report @{exec_path} { include include + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index c9f3ce12d..846110027 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -47,6 +47,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/kubepods/{,**} rw, + @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 6d742cb56..5f68dd216 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -36,7 +36,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, - owner /tmp/_@{c}@{rand6} rw, + owner /tmp/*@{rand6} rw, owner /tmp/apparmor-bugreport-*.txt rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 6bb31c6c9..31789330f 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -12,6 +12,7 @@ profile cctk @{exec_path} { include capability mknod, + capability sys_admin, capability sys_rawio, @{exec_path} mr, 
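Review bot: Four capabilities are added (`audit_read`, `chown`, `dac_override`, `fowner`) and `kill` is dropped without a word on why; if, as I suspect, the set was taken from `systemd-journald.service`'s `CapabilityBoundingSet=`, a one-line comment (`# Mirrors CapabilityBoundingSet= of systemd-journald.service`) lets the next reader verify instead of guess. `dac_override` in particular is broad enough that the triggering denial (which path, which owner) deserves to be recorded next to it. The profile body continues outside the hunk.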
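Review bot: `owner /tmp/*@{rand6} rw,` is far wider than the `_@{c}@{rand6}` it replaces: `*` matches any run of non-`/` characters including the empty string, so this is effectively `owner /tmp/* rw,` for every file in /tmp whose name ends in six alphanumerics — nearly every temp file the invoking user owns. Check the audit denial for the real prefix and anchor on it (for a Python `tempfile` name that would be `owner /tmp/tmp*@{rand6} rw,` or similar), and add a comment naming the producer of the file so the pattern is not re-widened later. If the name truly cannot be anchored, say so in a comment; a silent wildcard in /tmp is exactly what a profile is supposed to prevent.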
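Review bot: `capability sys_admin,` is added to `cctk` with no indication of which operation needs it; for a BIOS/firmware tool that already holds `sys_rawio` and `mknod`, this is the capability that brings the profile close to unconfined root, so a comment with the trigger (`# sys_admin: <syscall/path from the denial>`) is the minimum. If the denial came from a non-essential probe, the project's usual `deny capability sys_admin,` silencer (see the `# Silencer` idiom used elsewhere in this series) may be the better answer — I cannot tell which from the hunk. The profile body continues outside the hunk.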
@@ -19,6 +20,8 @@ profile cctk @{exec_path} { @{lib}/ r, /opt/dell/dcc/*.so* mr, /opt/dell/srvadmin/{,**} r, + /opt/dell/srvadmin/lib64/*.so* rm, + /opt/dell/srvadmin/var/lib/openmanage/.ipc/* rwk, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index b1ba96467..a98d64f7a 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -20,6 +20,7 @@ profile install-info @{exec_path} { /usr/share/info/{,**} r, /usr/share/info/dir rw, + /usr/share/info/dir-@{rand6} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index e9c60aeac..ee5619002 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -65,6 +65,8 @@ profile s3fs @{exec_path} { @{PROC}/@{pids}/mounts r, /dev/fuse rw, + + include if exists } include if exists From 18da36238e30e745dbf69bc6e0a61a20dd03651f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Nov 2023 20:51:34 +0000 Subject: [PATCH 05/19] build: add some flags definition. --- dists/flags/main.flags | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index f23518dce..5bb791ff9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,6 +1,7 @@ # Common profile flags definition for all distributions # One profile by line using the format: ' ' +aa-load complain acpid attach_disconnected,complain agetty complain akonadi_akonotes_resource complain @@ -143,6 +144,7 @@ gsd-media-keys attach_disconnected,complain gsd-print-notifications attach_disconnected,complain gsd-printer attach_disconnected,complain gsettings complain +gvfs-udisks2-volume-monitor attach_disconnected,complain gvfsd-dav complain hostnamectl complain ibus-engine-table complain 
@@ -213,6 +215,7 @@ nvidia-persistenced complain os-prober attach_disconnected,complain packagekitd attach_disconnected,complain pass-import complain +passim complain passimd attach_disconnected,complain pidof complain pinentry complain @@ -326,6 +329,7 @@ virtnetworkd complain,attach_disconnected virtnodedevd attach_disconnected,complain virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain +vlc complain wg complain wg-quick complain xdg-dbus-proxy attach_disconnected,complain From 3ab5046d5d51ac5e192873718378e9c28809a841 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Nov 2023 20:53:03 +0000 Subject: [PATCH 06/19] build: ignore non suse profiles on other dists. --- dists/ignore/arch.ignore | 3 +++ dists/ignore/debian.ignore | 3 +++ dists/ignore/ubuntu.ignore | 3 +++ 3 files changed, 9 insertions(+) diff --git a/dists/ignore/arch.ignore b/dists/ignore/arch.ignore index b37956f94..b65d0fb78 100644 --- a/dists/ignore/arch.ignore +++ b/dists/ignore/arch.ignore @@ -4,3 +4,6 @@ apparmor.d/groups/apt # Ubuntu specific definition apparmor.d/groups/ubuntu + +# OpenSUSE specific definition +apparmor.d/groups/suse diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index 334875284..35f33a498 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore @@ -5,5 +5,8 @@ root/usr/share/libalpm # Ubuntu specific definition apparmor.d/groups/ubuntu +# OpenSUSE specific definition +apparmor.d/groups/suse + # Profiles provided by they own package chronyd diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 862035209..eec78f3d0 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -3,5 +3,8 @@ apparmor.d/groups/pacman root/etc/xdg/autostart/apparmor-notify.desktop root/usr/share/libalpm +# OpenSUSE specific definition +apparmor.d/groups/suse + # Profiles provided by they own package chronyd From 5760c0129cb5b14f6fdaa5e31513d9fabe3d6b24 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 9 Nov 2023 20:53:30 +0000 Subject: [PATCH 07/19] build: add ignore file for whonix. --- dists/ignore/whonix.ignore | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 dists/ignore/whonix.ignore diff --git a/dists/ignore/whonix.ignore b/dists/ignore/whonix.ignore new file mode 100644 index 000000000..760a7335b --- /dev/null +++ b/dists/ignore/whonix.ignore @@ -0,0 +1,18 @@ +# Archlinux specific definition +apparmor.d/groups/pacman +root/usr/share/libalpm + +# OpenSUSE specific definition +apparmor.d/groups/suse + +# Whonix does not have them +apparmor.d/groups/akonadi +apparmor.d/groups/browsers +apparmor.d/groups/gnome +apparmor.d/groups/kde +apparmor.d/groups/pacman +apparmor.d/groups/ubuntu +apparmor.d/groups/virt + +# Profiles provided by they own package +chronyd From 3b42cc0ca736bffbc5b1d356dbbb3d3626ec2d25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 11 Nov 2023 20:25:27 +0000 Subject: [PATCH 08/19] build: update full system policy setup. --- pkg/prebuild/prepare.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go index 4d54cbecc..289c873bd 100644 --- a/pkg/prebuild/prepare.go +++ b/pkg/prebuild/prepare.go @@ -173,11 +173,10 @@ func SetFlags() error { return nil } -// Set AppArmor for full system policy -// See https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy -// https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads +// Set AppArmor for (experimental) full system policy. +// See https://apparmor.pujol.io/development/structure/#full-system-policy func SetFullSystemPolicy() error { - for _, name := range []string{"init", "systemd"} { + for _, name := range []string{"systemd", "systemd-user"} { err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name)) if err != nil { return err From 02115a194b35c756e1e13e9ec17e2b84c77dca82 Mon Sep 17 00:00:00 2001 
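Review bot: `apparmor.d/groups/pacman` is listed twice in the new file, once under `# Archlinux specific definition` and again under `# Whonix does not have them`; drop the second copy so the list stays a clean set. The `browsers` and `virt` entries silently drop whole profile groups and deserve a word each on why (Whonix does ship a browser, so presumably it is not installed at paths these profiles attach to — confirm). `they own package` should read `their own package`; the typo is copied from the other ignore files.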
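Review bot: The loop still hard-codes the two file names, so any further profile dropped into `apparmor.d/groups/_full/` — the directory this series is reorganising — is silently not installed; listing the directory (with whatever `ReadDir`-style helper the project's `paths` type offers) and copying every entry would track the tree automatically. Note also that in this same series the `systemd` file is reduced to comments, so this call currently installs a policy file with no profile in it. The function continues outside the hunk.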
From: Alexandre Pujol Date: Sat, 11 Nov 2023 20:25:55 +0000 Subject: [PATCH 09/19] chore: cleanup abstraction' headers. --- apparmor.d/abstractions/chromium-common | 3 +++ apparmor.d/abstractions/flatpak-snap | 2 +- apparmor.d/abstractions/totem | 7 ++++--- apparmor.d/abstractions/user-read | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/chromium-common b/apparmor.d/abstractions/chromium-common index 985964bd9..314e0d434 100644 --- a/apparmor.d/abstractions/chromium-common +++ b/apparmor.d/abstractions/chromium-common @@ -3,6 +3,9 @@ # Copyright (C) 2022-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# This abstraction is for chromium based application. Chromium based browsers +# need to use abstractions/chromium instead. + abi , # The following rules are needed only when the kernel.unprivileged_userns_clone option is set diff --git a/apparmor.d/abstractions/flatpak-snap b/apparmor.d/abstractions/flatpak-snap index 0a132289e..f20a998b1 100644 --- a/apparmor.d/abstractions/flatpak-snap +++ b/apparmor.d/abstractions/flatpak-snap @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018 Nibaldo Gonzalez -# 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem index e553ecccd..b2815c19a 100644 --- a/apparmor.d/abstractions/totem +++ b/apparmor.d/abstractions/totem 
@@ -1,7 +1,8 @@ -# vim:syntax=apparmor -# Author: Jamie Strandboge +# apparmor.d - Full set of apparmor profiles +# Copyright (C) Jamie Strandboge +# SPDX-License-Identifier: GPL-2.0-only -# Description: Limit executable access and reasonable read access. A look at +# Limit executable access and reasonable read access. A look at # the gconf schema files for totem-video-thumbnailer reveals at least the # following files: # 3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index 007ae62b6..210fd5f27 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -2,8 +2,8 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Give read access on all defined user directories. It should only be used if -# access to ALL folders is required. +# This abstraction gives read access on all defined user directories. It should +# only be used if access to **ALL** folders is required. owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r, From f0a2cb3897e1c81c4ccf5854f4b7ba3a58c688d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 11 Nov 2023 22:02:47 +0000 Subject: [PATCH 10/19] feat(profiles): general update. --- apparmor.d/abstractions/chromium | 1 + .../groups/gnome/gnome-extension-manager | 3 ++- apparmor.d/groups/systemd/systemd-binfmt | 11 +++------ apparmor.d/profiles-a-f/auditctl | 2 +- apparmor.d/profiles-a-f/augenrules | 23 ++++++++++--------- apparmor.d/profiles-a-f/fprintd | 1 + apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-g-l/irqbalance | 4 ++++ apparmor.d/profiles-s-z/sudo | 1 + 9 files changed, 26 insertions(+), 21 deletions(-) diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index ad304ba2b..083bb16c8 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium 
@@ -56,6 +56,7 @@ network netlink raw, @{lib_dirs}/{,**} r, + @{lib_dirs}/*.so* mr, @{lib_dirs}/chrome_crashpad_handler rPx, @{lib_dirs}/chrome-sandbox rPx, diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index f27cdf5be..102a8e37f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -39,7 +39,8 @@ profile gnome-extension-manager @{exec_path} { /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/cmdline r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 405fdd9a3..5d05be6cb 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/systemd/systemd-binfmt profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { include + include capability net_admin, - ptrace (read) peer=unconfined, - @{exec_path} mr, @{bin}/* r, @@ -23,12 +22,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{run}/binfmt.d/{,*.conf} r, /usr/lib/binfmt.d/{,*.conf} r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/fs/binfmt_misc/register w, - @{PROC}/sys/fs/binfmt_misc/status w, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/stat r, + @{PROC}/sys/fs/binfmt_misc/register w, + @{PROC}/sys/fs/binfmt_misc/status w, /dev/tty@{int} rw, /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index be1605474..4a551c433 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl 
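Review bot: `ptrace (read) peer=unconfined,` is removed in favour of an `include` whose target was lost in extraction on this page; if that abstraction grants `ptrace (read)` without the `peer=` restriction, or the `@{PROC}/1/environ r,` that the second hunk also drops, `systemd-binfmt` ends up broader than before even though the diff reads as a cleanup. Once confirmed, a comment on the include line naming what it now provides (`# ptrace read of PID 1, /proc/1/environ and /proc/cmdline via the shared systemd abstraction`) would make the trade explicit. The profile body continues outside the hunk.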
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/auditctl -profile auditctl @{exec_path} { +profile auditctl @{exec_path} flags=(attach_disconnected) { include capability audit_control, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 198e32c5c..4a42a78bb 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -7,22 +7,23 @@ abi , include @{exec_path} = @{bin}/augenrules -profile augenrules @{exec_path} { +profile augenrules @{exec_path} flags=(attach_disconnected) { include include @{exec_path} mr, - @{bin}/auditctl rPx, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cmp rix, - @{bin}/cp rix, - @{bin}/{,g,m}awk rix, - @{bin}/{,e,f}grep rix, - @{bin}/ls rix, - @{bin}/mktemp rix, - @{bin}/rm rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e,f}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/auditctl rPx, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/ls rix, + @{bin}/mktemp rix, + @{bin}/rm rix, /etc/audit/audit.rules rw, /etc/audit/rules.d/{,*} r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index a7c999c48..1ff55cb72 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -13,6 +13,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, capability sys_nice, network netlink raw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index a51ef8c9a..fcb9bc5aa 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -21,6 +21,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { capability dac_read_search, capability linux_immutable, capability mknod, + capability net_admin, capability sys_admin, capability sys_nice, capability sys_rawio, diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 17da1fc05..37b888313 100644 
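Review bot: `capability net_admin,` is added to fprintd in this hunk without a comment saying which operation needs it, and the same applies to the fwupd hunk on this line. Both profiles do device monitoring over `network netlink raw`, and the udev netlink monitor is commonly the trigger for this denial because it first tries SO_RCVBUFFORCE, which needs CAP_NET_ADMIN only for an oversized receive buffer and falls back cleanly when refused; if that is the case here, `deny capability net_admin,` silences the log without granting the capability. If something else in fprintd or fwupd genuinely requires it, a one-line reason such as `capability net_admin, # <operation that needs it — TODO confirm>` keeps the grant reviewable.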
--- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -16,6 +16,10 @@ profile irqbalance @{exec_path} { @{exec_path} mr, + /etc/default/irqbalance r, + + / r, + @{run}/irqbalance/irqbalance[0-9]*.sock w, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index c34c8de70..dd9d7f605 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -73,6 +73,7 @@ profile sudo @{exec_path} { /var/lib/sudo/ts/ rw, /var/lib/sudo/ts/* rwk, /var/log/sudo.log wk, + owner /var/db/sudo/lectured/@{uid} rw, owner /var/lib/sudo/lectured/* rw, owner @{HOME}/.sudo_as_admin_successful rw, From 5a3dface8eaeb19a06599851fa573024aec83cc4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Nov 2023 18:56:15 +0000 Subject: [PATCH 11/19] tests: add debian-gnome vm image. --- tests/boxes.yml | 6 ++ tests/packer/builds.pkr.hcl | 3 +- tests/packer/debian.pkr.hcl | 36 ++++++++++++ tests/packer/init/debian-gnome.user-data.yml | 56 +++++++++++++++++++ tests/packer/init/debian-server.user-data.yml | 3 +- 5 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 tests/packer/init/debian-gnome.user-data.yml diff --git a/tests/boxes.yml b/tests/boxes.yml index c1f91d6f2..ee7f32ec1 100644 --- a/tests/boxes.yml +++ b/tests/boxes.yml @@ -32,6 +32,12 @@ boxes: ram: '6144' cpu: '6' + - name: debian-gnome + box: aa-debian-gnome + uefi: true + ram: '6144' + cpu: '6' + - name: opensuse-kde box: aa-opensuse-kde uefi: true diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index a977803ee..6334b5fd9 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -7,6 +7,7 @@ build { "source.qemu.archlinux-gnome", "source.qemu.archlinux-kde", "source.qemu.debian-server", + "source.qemu.debian-gnome", "source.qemu.opensuse-kde", "source.qemu.ubuntu-desktop", "source.qemu.ubuntu-server", 
@@ -31,7 +32,7 @@ build { } provisioner "file" { - only = ["qemu.debian-server", "qemu.ubuntu-server", "qemu.ubuntu-desktop"] + only = ["qemu.debian-server", "qemu.debian-gnome", "qemu.ubuntu-server", "qemu.ubuntu-desktop"] destination = "/tmp/src/" sources = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"] } diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl index 9ef66236e..11e8c89f2 100644 --- a/tests/packer/debian.pkr.hcl +++ b/tests/packer/debian.pkr.hcl @@ -37,3 +37,39 @@ source "qemu" "debian-server" { ) } } + +source "qemu" "debian-gnome" { + disk_image = true + iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" + iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" + iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" + cpus = 4 + memory = 2048 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/packer/init/debian-gnome.user-data.yml new file mode 100644 index 000000000..154808097 --- /dev/null +++ b/tests/packer/init/debian-gnome.user-data.yml 
@@ -0,0 +1,56 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + - task-gnome-desktop + +runcmd: + - apt-get update -y + - apt-get install -y -t bookworm-backports golang-go + +write_files: + + - path: /etc/apt/sources.list + append: true + content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: 'root:root' + permissions: '0644' + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/packer/init/debian-server.user-data.yml index ef6bd719b..38e3cad36 100644 --- a/tests/packer/init/debian-server.user-data.yml +++ b/tests/packer/init/debian-server.user-data.yml @@ -20,7 +20,8 @@ package_upgrade: true package_reboot_if_required: false packages: - apparmor-profiles - - build-essential + - auditd + - build-essential - config-package-dev - debhelper - devscripts From 6f98bb9bfb364664c5e7168c8e10fceda33bb1c8 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 13 Nov 2023 19:32:04 +0000 Subject: [PATCH 12/19] feat(abs): add more possible resolv.conf path in nameservice. Used a lot by debian. --- apparmor.d/abstractions/nameservice-strict | 2 ++ apparmor.d/groups/apt/apt-methods-http | 1 - apparmor.d/groups/apt/unattended-upgrade | 1 - apparmor.d/groups/ssh/sshd | 1 - apparmor.d/profiles-a-f/agetty | 1 - apparmor.d/profiles-a-f/etckeeper | 2 -- apparmor.d/profiles-a-f/fail2ban-server | 1 - apparmor.d/profiles-g-l/hostname | 2 -- apparmor.d/profiles-m-r/nullmailer-send | 2 -- apparmor.d/profiles-s-z/sudo | 1 - 10 files changed, 2 insertions(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 36e0cf787..a03d64a2e 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -23,6 +23,8 @@ /var/lib/extrausers/passwd r, @{run}/nscd/db* r, + @{run}/resolvconf/resolv.conf r, + @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, # NSS records from systemd-userdbd.service diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0282cf3d6..814f2bb3f 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -70,7 +70,6 @@ profile apt-methods-http @{exec_path} { owner /tmp/apt-changelog-*/*.changelog rw, @{run}/ubuntu-advantage/aptnews.json rw, - @{run}/resolvconf/resolv.conf r, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 72ea7e0cb..5e8e277d1 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade 
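Review bot: The two `resolv.conf` read rules added to nameservice-strict replace the per-profile `@{run}/resolvconf/resolv.conf r` rules deleted in the following hunks (apt-methods-http here, then unattended-upgrade, sshd, agetty, etckeeper, fail2ban-server, hostname, nullmailer-send and sudo), so each of those profiles keeps resolver access only if it includes this abstraction; include targets are stripped from this rendering, so that cannot be confirmed from the page, and hostname and nullmailer-send, where the deletion is the only change, are the ones to check. `@{run}/systemd/resolve/resolv.conf` is the upstream-servers file rather than the stub, so every profile pulling in this abstraction now reads both. A short comment above the three rules, e.g. `# /etc/resolv.conf may be a symlink to any of these depending on the resolver in use`, would record why all three are listed.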
@@ -114,7 +114,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/log/apt/{term,history}.log w, /var/log/apt/eipp.log.xz w, - @{run}/resolvconf/resolv.conf r, @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index f82e89fb4..648ac7329 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -93,7 +93,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, - @{run}/resolvconf/resolv.conf r, @{run}/systemd/notify w, @{run}/systemd/sessions/*.ref rw, owner @{run}/sshd{,.init}.pid wl, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 7a5545926..a901ec33e 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -33,7 +33,6 @@ profile agetty @{exec_path} { /etc/os-release r, /usr/etc/login.defs r, - @{run}/resolvconf/resolv.conf r, owner @{run}/agetty.reload rw, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index bf93ebb41..a18098a3d 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -57,8 +57,6 @@ profile etckeeper @{exec_path} { owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, - @{run}/resolvconf/resolv.conf r, - owner /tmp/etckeeper-git* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 2695bd444..9d5138cb7 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -35,7 +35,6 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{run}/fail2ban/fail2ban.pid rw, @{run}/fail2ban/fail2ban.sock rw, - @{run}/resolvconf/resolv.conf r, owner @{PROC}/@{pid}/fd/ r, 
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 8134a23af..7e6725f1c 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -20,8 +20,6 @@ profile hostname @{exec_path} { @{exec_path} mr, - @{run}/resolvconf/resolv.conf r, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index 0287fb7df..4b47701d5 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -21,7 +21,5 @@ profile nullmailer-send @{exec_path} { /var/spool/nullmailer/{,**} rw, - @{run}/resolvconf/resolv.conf r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index dd9d7f605..fefe8a10a 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -81,7 +81,6 @@ profile sudo @{exec_path} { @{run}/ r, @{run}/faillock/{,*} rwk, - @{run}/resolvconf/resolv.conf r, @{run}/systemd/sessions/* r, owner @{run}/sudo/ rw, owner @{run}/sudo/ts/ rw, From 31edd15e8a6fd507749a1df51102eb743366fac9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Nov 2023 22:11:12 +0000 Subject: [PATCH 13/19] feat(profiles): improve kde integration. --- apparmor.d/groups/kde/dolphin | 1 + apparmor.d/groups/kde/kconf_update | 5 +++-- apparmor.d/groups/kde/kde-powerdevil | 7 ++++++- apparmor.d/groups/kde/kwin_wayland | 15 ++++++++------- .../groups/kde/plasma-browser-integration-host | 3 ++- 5 files changed, 20 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 83370adf4..4a788c3db 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -10,6 +10,7 @@ include profile dolphin @{exec_path} { include include + include include include include 
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index a3d39a168..d2987b2be 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -52,6 +52,8 @@ profile kconf_update @{exec_path} { owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**, + owner @{user_config_dirs}/kactivitymanagerd-statsrc rw, owner @{user_config_dirs}/kateschemarc.lock rwk, owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kcminputrc.lock rwk, @@ -83,9 +85,8 @@ profile kconf_update @{exec_path} { owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kxkbrc.lock rwk, owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/plasmashellrc r, - owner @{user_config_dirs}/kactivitymanagerd-statsrc rw, owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw, + owner @{user_config_dirs}/plasmashellrc r, owner @{user_config_dirs}/sed@{rand6} rw, owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 91fc5864b..03eebce24 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil 
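Review bot: The new `owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**` rule in the first kconf_update hunk uses a recursive `**` as the link target, which is wider than the `*` source pattern and differs from every other link rule in the file, all of which target `@{user_config_dirs}/#@{int}`. If the operation is the usual rename of a temporary file into the same directory, `-> @{user_config_dirs}/gtk-{3,4}.0/*` (or the `#@{int}` form used by the neighbouring rules) expresses that without allowing links at arbitrary depth. A comment naming the file being written would also help, since the directory name alone only suggests a settings file.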
@@ -50,10 +50,15 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, + @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, - @{sys}/bus/ r, + @{sys}/class/i2c-dev/ r, + @{sys}/class/usbmisc/ r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, + @{sys}/devices/i2c-[0-9]*/name r, + @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r, + @{sys}/devices/platform/*/i2c-[0-9]*/name r, /dev/tty rw, /dev/rfkill r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 8253ddb33..7649b402b 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland 
@@ -74,28 +74,29 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_share_dirs}/kscreen/* r, owner @{user_cache_dirs}/ksycoca5_* r, - owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw, owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw, owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int}, - owner @{user_cache_dirs}/plasma-svgelements r, - owner @{user_cache_dirs}/plasma-svgelements.lock rwk, - owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw, owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, + owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/plasma-svgelements.lock rwk, + owner @{user_share_dirs}/kscreen/* r, owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, + owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrc.lock rwk, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/menus/{,applications-merged/} r, + owner @{user_config_dirs}/session/* r, @{run}/systemd/inhibit/*.ref rw, 
diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index 1ac9d9ec7..9b4b797c2 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -11,11 +11,12 @@ profile plasma-browser-integration-host @{exec_path} { include include include + include include include + include include include - include capability sys_ptrace, From d3084839d160b3d090a49babcab81a47e228a40c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Nov 2023 22:14:54 +0000 Subject: [PATCH 14/19] feat(profiles): improve support for debian over gnome. --- apparmor.d/groups/apt/apt-methods-mirror | 2 + apparmor.d/groups/gnome/gdm-xsession | 17 ++++--- apparmor.d/profiles-a-f/exim4 | 56 +++++++----------------- apparmor.d/profiles-g-l/gsettings | 4 +- apparmor.d/profiles-g-l/im-launch | 21 ++++----- apparmor.d/profiles-m-r/mkswap | 8 ++-- 6 files changed, 48 insertions(+), 60 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 2a0d20ff0..4fa9a6b0b 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,6 +11,7 @@ include profile apt-methods-mirror @{exec_path} { include include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 543ed3b22..121652353 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession 
@@ -24,27 +24,32 @@ profile gdm-xsession @{exec_path} { @{bin}/gettext rix, @{bin}/gettext.sh r, @{bin}/gnome-session rix, - @{bin}/gsettings rPx, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @{bin}/mktemp rix, + @{bin}/run-parts rix, @{bin}/sed rix, + @{bin}/ssh-agent rix, + @{bin}/tail rix, @{bin}/tr rix, @{bin}/truncate rix, @{bin}/tty rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, - @{etc_ro}/X11/xdm/Xsession rPx, @{bin}/dbus-update-activation-environment rCx -> dbus, + @{bin}/dpkg-query rpx, @{bin}/flatpak rPUx, + @{bin}/gpgconf rPx, + @{bin}/gsettings rPx, + @{bin}/im-launch rPx, @{bin}/systemctl rPx -> child-systemctl, @{bin}/xbrlapi rPx, @{bin}/xhost rPx, - @{bin}/im-launch rPx, - @{bin}/gpgconf rPx, - @{lib}/gnome-session-binary rPx, - @{bin}/dpkg-query rpx, + @{bin}/xrdb rPx, + @{etc_ro}/X11/xdm/Xsession rPx, + @{lib}/gnome-session-binary rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 764c871c8..01f7de4d2 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,9 +11,19 @@ include profile exim4 @{exec_path} { include include + include include include + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability net_admin, + capability net_bind_service, + capability setgid, + capability setuid, + network inet dgram, network inet6 dgram, network inet stream, 
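Review bot: `@{bin}/ssh-agent rix` in the gdm-xsession hunk runs the agent under the session script's profile, so the process holding decrypted private keys inherits everything gdm-xsession is allowed, including the rPUx and rpx transitions listed in this hunk, instead of a profile of its own. If the repository ships a dedicated ssh-agent profile (not visible on this page), `@{bin}/ssh-agent rPx,` keeps the agent separately confined; if not, a comment stating why inheritance was chosen would be useful. Separately, `@{bin}/dpkg-query rpx` is only moved, but next to the new `rPx` lines the lowercase, environment-preserving transition stands out enough to deserve a one-word reason.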
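Review bot: `capability net_admin,` is now granted to exim4 in this hunk, while the next hunk (`@@ -21,59 +32,26 @@`) deletes the previous `audit deny capability net_admin, # Needed?`, so an audited deny becomes a grant without any record of what exim does with it. An MTA has no obvious need for CAP_NET_ADMIN; if the motivation was only the audit noise, `deny capability net_admin,` keeps the old tightness silently, and if exim really needs it the line should carry a reason in the style of the `# To remove the following error:` comments the next hunk removes. Those removed comments were the only record of why chown, fowner, the dac_* and the set*id capabilities are granted; keeping one line per capability, e.g. `capability chown, # chown of /var/spool/exim4/msglog/* to the exim uid:gid`, would preserve that.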
@@ -21,59 +32,26 @@ profile exim4 @{exec_path} { @{exec_path} mrix, - # To bind to port 25/tcp - capability net_bind_service, - - # To remove the following error: - # exim4[]: exim: setgroups() failed: Operation not permitted - capability setgid, - - # To remove the following error: - # exim4[]: unable to set gid=110 or uid=105 (euid=0): calling tls_validate_require_cipher - capability setuid, - - # To remove the following error: - # exim4[]: Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=110 - capability dac_read_search, - capability dac_override, - - # To remove the following error: - # exim.c:774: chown(/var/spool/exim4//msglog//1kqH5Z-000RUf-UR, 105:110) failed (Operation not - # permitted). Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391 - capability chown, - - # To remove the following error: - # Couldn't chmod message log /var/spool/exim4//msglog//1kqH6c-000S7r-Ni: Operation not permitted - capability fowner, - - # Needed? - audit deny capability net_admin, - - /var/lib/exim4/config.autogenerated{,.tmp} r, - /etc/email-addresses r, /etc/aliases r, + /var/lib/exim4/config.autogenerated{,.tmp} r, + + /var/lib/dpkg/status r, + /var/log/cron-apt/lastfullmessage r, /var/log/exim4/ w, /var/log/exim4/mainlog w, /var/log/exim4/paniclog w, /var/log/exim4/rejectlog w, - /var/spool/exim4/ r, /var/spool/exim4/** rwk, owner /var/mail/* rwkl -> /var/mail/*, + /tmp/#@{int} rw, + @{run}/exim4/ r, owner @{run}/exim4/exim.pid rw, - @{run}/resolvconf/resolv.conf r, - owner @{run}/dbus/system_bus_socket rw, - - # file_inherit - /tmp/#@{int} rw, - /var/lib/dpkg/status r, - /var/log/cron-apt/lastfullmessage r, - include if exists } diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index a56839daf..cc8f83c3a 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings 
@@ -21,9 +21,9 @@ profile gsettings @{exec_path} { /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, - /dev/tty@{int} rw, - owner @{run}/user/@{uid}/bus rw, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 67359d3d9..98b4c9f72 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -12,15 +12,17 @@ profile im-launch @{exec_path} { @{exec_path} mr, - @{bin}/{,ba,da}sh rix, - @{bin}/gnome-session rix, - @{bin}/env rix, - @{bin}/locale rix, - @{bin}/gettext{,.sh} rix, - @{bin}/true rix, - @{bin}/sed rix, - @{bin}/dpkg-query rpx, - @{bin}/uim-toolbar-gtk3 rPUx, + @{bin}/{,ba,da}sh rix, + @{bin}/dpkg-query rpx, + @{bin}/env rix, + @{bin}/gettext{,.sh} rix, + @{bin}/gnome-session rix, + @{bin}/gsettings rPx, + @{bin}/locale rix, + @{bin}/sed rix, + @{bin}/true rix, + @{bin}/uim-toolbar-gtk3 rPUx, + @{lib}/gnome-session-binary rPx, /usr/share/im-config/{,**} r, @@ -30,7 +32,6 @@ profile im-launch @{exec_path} { owner @{HOME}/.xinputrc r, - # file inherit owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/profiles-m-r/mkswap index da57d46d7..53d145ba7 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/profiles-m-r/mkswap @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,11 +14,12 @@ profile mkswap @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/swaps r, - # SWAP file common locations owner /swapfile rw, + owner /swap/swapfile rw, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, include if exists } From a66debd2fb093ae6a4eafc4af09a034e7d458200 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 13 Nov 2023 22:22:40 +0000 Subject: [PATCH 15/19] build(dpkg): ignore libvirt profiles. --- debian/apparmor.d.hide | 2 -- dists/ignore/debian.ignore | 2 ++ dists/ignore/ubuntu.ignore | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 2c4034566..d3da3e5a9 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -3,8 +3,6 @@ # SPDX-License-Identifier: GPL-2.0-only /etc/apparmor.d/usr.bin.firefox -/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd -/etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/usr.sbin.rsyslogd diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index 35f33a498..cca5b2ee1 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore @@ -10,3 +10,5 @@ apparmor.d/groups/suse # Profiles provided by they own package chronyd +libvirt +virt-aa-helper diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index eec78f3d0..79263d7e5 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -8,3 +8,5 @@ apparmor.d/groups/suse # Profiles provided by they own package chronyd +libvirt +virt-aa-helper From e99f7de70310dff4c00ac4d309a81e07e34d47c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Nov 2023 22:59:10 +0000 Subject: [PATCH 16/19] fix(profiles): fix slow startup of gnome at-spi-bus-launcher starts the accessibility bus. We need to ensure all buses are initally started by the same profile, otherwise the accessibility fail to start. See #74, #80 & #235 --- apparmor.d/groups/bus/dbus-daemon | 10 +++- .../groups/freedesktop/at-spi-bus-launcher | 53 ++++++++++--------- 2 files changed, 37 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index a56aaa20a..707c9651b 100644 --- a/apparmor.d/groups/bus/dbus-daemon 
+++ b/apparmor.d/groups/bus/dbus-daemon @@ -14,6 +14,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -41,7 +42,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/[a-z0-9]* rPUx, - @{lib}/{,at-spi2{,-core}/}at-spi2-registryd rPx, + @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235 @{lib}/@{multiarch}/tumbler-1/tumblerd rPUx, @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx, @{lib}/* rPUx, @@ -64,11 +65,16 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /etc/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r, + /usr/share/dconf/profile/gdm r, /usr/share/defaults/**.conf r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, # Extra rules for GDM + /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.local/share/icc/ r, /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, # Extra rules for Flatpak @{system_share_dirs}/dbus-1/{,**} r, @@ -87,6 +93,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/systemd/notify w, @{sys}/kernel/security/apparmor/.access rw, @@ -94,6 +101,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/oom_score_adj rw, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 6c79b187f..64edd2413 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher 
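Review bot: `@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235` in the second hunk runs the launcher under the dbus-daemon label, so the rules added in the later hunks on this line (gdm's dconf database and `greeter-dconf-defaults`, `@{run}/user/@{uid}/gdm/Xauthority`, `@{PROC}/@{pids}/cgroup`) become rights of every process confined by dbus-daemon, not only of the accessibility launcher. The comment only points at issue numbers; a sentence stating the design, e.g. `# at-spi-bus-launcher must run under the same label as the buses it starts or the a11y bus fails to start; the gdm rules below are for it`, would stop those rules from being trimmed later as unrelated to dbus-daemon. The at-spi-bus-launcher profile in this series gets the mirror rule `@{bin}/dbus-daemon rix`, so which label the accessibility bus ends up under depends on which side spawns it; that asymmetry is worth one line in either file.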
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -10,52 +10,55 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include + include include include include + include + + network inet stream, # TODO: local only + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, signal (receive) set=(term hup kill) peer=gnome-session-binary, - signal (send) set=(term hup kill) peer=dbus-daemon, - - unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg), - - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, - network netlink raw, @{exec_path} mr, - @{bin}/dbus-daemon rPx, @{bin}/dbus-broker-launch rPUx, + @{bin}/dbus-daemon rix, + @{lib}/at-spi2-registryd rPx, - /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/dbus-1/accessibility-services/ r, + /usr/share/dbus-1/accessibility-services/org.a11y.atspi.Registry.service r, /usr/share/dconf/profile/gdm r, + /usr/share/defaults/at-spi2/accessibility.conf r, + /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{HOME}/.Xauthority r, - owner @{HOME}/.xsession-errors w, - - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/xauth_@{rand6} r, - - owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/xauth_@{rand6} r, - - /var/lib/lightdm/.Xauthority r, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, - + /var/lib/lightdm/.Xauthority r, /var/log/lightdm/seat[0-9]*-greeter.log w, + @{run}/systemd/users/@{uid} r, + + @{sys}/kernel/security/apparmor/.access rw, + @{sys}/kernel/security/apparmor/features/dbus/mask r, + @{sys}/module/apparmor/parameters/enabled r, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + owner 
@{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - @{PROC}/1/cgroup r, - owner /dev/tty@{int} rw, # file_inherit + owner /dev/tty@{int} rw, include if exists } From e8fcc12c986cdd779b89c390eeaf9bbf845f9529 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Nov 2023 23:10:00 +0000 Subject: [PATCH 17/19] feat(profiles): cleanup dbus daemon related profile. --- .../groups/freedesktop/at-spi2-registryd | 34 ++++--------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 26d61c14d..0903ca321 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -10,14 +10,18 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include - include + include + include include + include signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup kill) peer=dbus-daemon, - unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"), + dbus bind bus=accessibility name=org.a11y.atspi.Registry, + + dbus (send, receive) bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry, dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
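Review bot: `network inet stream, # TODO: local only` (and the inet6/dgram lines after it) in the at-spi-bus-launcher hunk that starts on the previous line cannot be narrowed by policy on AppArmor releases without address-level network mediation, so the TODO as written has no actionable path; the comment should say which AppArmor version would allow closing it, or be dropped. `@{bin}/dbus-daemon rix` further down now runs the accessibility bus under this profile, which is presumably why `@{sys}/kernel/security/apparmor/.access rw` and `@{sys}/kernel/security/apparmor/features/dbus/mask r` appear here; a comment such as `# dbus-daemon runs under this label (rix) and needs these for dbus mediation` would explain rules that otherwise look misplaced in a launcher profile. Dropping the `signal (send) set=(term hup kill) peer=dbus-daemon` rule is consistent with the daemon no longer running under its own label when started from here, but worth stating next to the exec rule.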
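Review bot: The new `dbus (send, receive) bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry` rule in the first at-spi2-registryd hunk carries no `member=` or `peer=` restriction, whereas the rules it replaces (deleted in the next hunk) limited sending to `member=EventListenerDeregistered peer=(name=org.freedesktop.DBus)` and receiving to `member=GetRegisteredEvents peer=(name=:*)`. Since registryd binds `org.a11y.atspi.Registry` itself, an open receive on its own interface is defensible, but the send side could keep its peer: `dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry peer=(name=org.freedesktop.DBus),` followed by `dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry peer=(name=:*),`. If the widening is deliberate because other members were being denied, a comment saying so would stop a later reviewer from re-narrowing it.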
@@ -53,16 +57,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 member=Embed
 peer=(name=:*), # all peer's labels
- dbus send bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=EventListenerDeregistered
- peer=(name=org.freedesktop.DBus), # all peer's labels
-
- dbus receive bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=GetRegisteredEvents
- peer=(name=:*), # all peer's labels
-
 dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
 interface=org.a11y.atspi.DeviceEventController
 member={GetKeystrokeListeners,GetDeviceEventListeners}
@@ -78,22 +72,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=accessibility
- name=org.a11y.atspi.Registry,
-
 @{exec_path} mr,
- /var/lib/lightdm/.Xauthority r,
-
- owner @{HOME}/.Xauthority r,
- owner @{HOME}/.xsession-errors w,
-
- owner /tmp/runtime-*/xauth_@{rand6} r,
- owner /tmp/xauth_@{rand6} r,
-
- owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner @{run}/user/@{uid}/xauth_@{rand6} r,
-
 owner /dev/tty@{int} rw,
 include if exists
From aa84d08ef6e7cf604754d8d83a341b6af6abe744 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 13 Nov 2023 23:40:51 +0000
Subject: [PATCH 18/19] tests: improve tests image content.
---
 .../packer/init/archlinux-gnome.user-data.yml | 2 --
 tests/packer/init/archlinux-kde.user-data.yml | 2 --
 .../packer/init/ubuntu-desktop.user-data.yml | 29 ++++++++++++-------
 tests/packer/init/ubuntu-server.user-data.yml | 3 +-
 4 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml
index 4a5cdb100..a7c1afa94 100644
--- a/tests/packer/init/archlinux-gnome.user-data.yml
+++ b/tests/packer/init/archlinux-gnome.user-data.yml
@@ -59,8 +59,6 @@ runcmd:
 # Regenerate grub.cfg
 - [ grub-mkconfig, -o, /boot/grub/grub.cfg ]
- # Enable firewall
-
 # Enable core services
 - [ systemctl, enable, apparmor ]
 - [ systemctl, enable, auditd ]
diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml
index 435bf4c5c..fc276586a 100644
--- a/tests/packer/init/archlinux-kde.user-data.yml
+++ b/tests/packer/init/archlinux-kde.user-data.yml
@@ -61,8 +61,6 @@ runcmd:
 # Regenerate grub.cfg
 - [ grub-mkconfig, -o, /boot/grub/grub.cfg ]
- # Enable firewall
-
 # Enable core services
 - [ systemctl, enable, apparmor ]
 - [ systemctl, enable, auditd ]
diff --git a/tests/packer/init/ubuntu-desktop.user-data.yml b/tests/packer/init/ubuntu-desktop.user-data.yml
index d66e96809..937b84d20 100644
--- a/tests/packer/init/ubuntu-desktop.user-data.yml
+++ b/tests/packer/init/ubuntu-desktop.user-data.yml
@@ -43,30 +43,37 @@ snap:
 runcmd:
- # Let NetworkManager handle network
- - rm /etc/netplan/*
- - >-
- printf "network:\n version: 2\n renderer: NetworkManager" > /etc/netplan/01-network-manager.yaml
-
 # Remove default filesystem and related tools not used with the suggested
 # storage layout. These may yet be required if different partitioning schemes
 # are used.
- - apt-get -y remove btrfs-progs cryptsetup* lvm2 xfsprogs
+ - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs
 # Remove other packages present by default in Ubuntu Server but not
 # normally present in Ubuntu Desktop.
 - >-
- apt-get -y remove
- ubuntu-server ubuntu-server-minimal
+ apt-get -y purge
+ ubuntu-server ubuntu-server-minimal netplan.io cloud-init binutils byobu curl dmeventd finalrd gawk kpartx mdadm ncurses-term needrestart open-iscsi sg3-utils ssh-import-id sssd thin-provisioning-tools tmux sosreport screen open-vm-tools motd-news-config lxd-agent-loader landscape-common fonts-ubuntu-console ethtool
- # Keep cloud-init, as it performs some of the installation on first boot.
- - apt-get -y install cloud-init
-
 # Finally, remove things only installed as dependencies of other things
 # we have already removed.
 - apt-get -y autoremove
+
+write_files:
+
+ - path: /etc/systemd/network/20-wired.network
+ owner: 'root:root'
+ permissions: '0644'
+ content: |
+ [Match]
+ Name=en*
+
+ [Network]
+ DHCP=yes
+
+ [DHCPv4]
+ RouteMetric=10
diff --git a/tests/packer/init/ubuntu-server.user-data.yml b/tests/packer/init/ubuntu-server.user-data.yml
index 1e40f32d3..64fecc855 100644
--- a/tests/packer/init/ubuntu-server.user-data.yml
+++ b/tests/packer/init/ubuntu-server.user-data.yml
@@ -20,7 +20,8 @@ package_upgrade: true
 package_reboot_if_required: false
 packages:
 - apparmor-profiles
- - build-essential
+ - auditd
+ - build-essential
 - config-package-dev
 - debhelper
 - devscripts
From 58b577385e68f9aeeba5fafc8a87c30b90cc8e17 Mon Sep 17 00:00:00 2001
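Review bot: The purge list now includes `cloud-init`, and the comment that justified keeping it (`# Keep cloud-init, as it performs some of the installation on first boot.`) is deleted without a replacement, so the next reader has no record of why the first-boot provisioning it provided is no longer needed. Since this `runcmd` block is itself executed by cloud-init, a short comment such as `# cloud-init and netplan are purged once this runcmd has finished the first-boot work; networking is handed to the systemd-networkd unit written below` would capture the intent. The new `20-wired.network` unit matches `Name=en*` with DHCP; if NetworkManager remains installed on this desktop image, it is worth stating which of the two is expected to manage the interface, as both being active would be ambiguous.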
From: Alexandre Pujol
Date: Mon, 13 Nov 2023 23:41:41 +0000
Subject: [PATCH 19/19] build(ci): add gitlab ci for whonix.
---
 .gitlab-ci.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7e800cac4..86ed8d7ed 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -108,6 +108,11 @@ ubuntu:
 paths:
 - $PKGDEST/*.deb
+whonix:
+ extends: debian
+ variables:
+ DISTRIBUTION: whonix
+
 opensuse:
 stage: build
 image: registry.gitlab.com/roddhjav/builders/opensuse
@@ -146,15 +151,15 @@ preprocess-debian:
 - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 preprocess-ubuntu:
- stage: preprocess
+ extends: preprocess-debian
 image: ubuntu
 dependencies:
 - ubuntu
- script:
- - apt-get update -q
- - apt-get install -y apparmor apparmor-profiles
- - dpkg --install $PKGDEST/*
- - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
+
+preprocess-whonix:
+ extends: preprocess-debian
+ dependencies:
+ - whonix
 preprocess-opensuse:
 stage: preprocess
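Review bot: `preprocess-whonix` extends `preprocess-debian` without overriding `image:`, so it runs the Debian preprocessing container against the `whonix` artifacts, while `preprocess-ubuntu` keeps its own `image: ubuntu`; if reusing the Debian image is intentional because Whonix is Debian-derived, a comment such as `# Whonix is Debian-based: the Debian image is reused for preprocessing` would make that explicit. The same applies to the `whonix` build job added in the `@@ -108,6 +108,11 @@` hunk, which sets only `DISTRIBUTION: whonix` and otherwise inherits everything from `debian`. The body of `preprocess-debian`, including the script these jobs now share, starts outside this hunk.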