From 33f99711a2449270d8c427f6093c2de051170001 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Aug 2021 12:59:24 +0100 Subject: [PATCH] Update profiles. --- .../groups/browsers/firefox-crashreporter | 3 +- apparmor.d/groups/desktop/at-spi2-registryd | 2 +- apparmor.d/groups/desktop/dconf-service | 1 + apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gjs-console | 2 +- apparmor.d/groups/gnome/gnome-control-center | 3 ++ apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 4 +- apparmor.d/groups/gnome/gsd-xsettings | 3 +- apparmor.d/groups/gnome/tracker-extract | 10 ++-- apparmor.d/groups/systemd/systemd-detect-virt | 2 +- apparmor.d/groups/systemd/systemd-journald | 5 +- apparmor.d/groups/systemd/systemd-timesyncd | 1 + apparmor.d/profiles-a-l/auditd | 12 +++-- apparmor.d/profiles-a-l/fwupd | 53 ++++++++++++++----- apparmor.d/profiles-a-l/fwupdmgr | 17 +++++- apparmor.d/profiles-a-l/gitstatusd | 2 + apparmor.d/profiles-a-l/gtk-update-icon-cache | 3 +- apparmor.d/profiles-a-l/htop | 4 ++ apparmor.d/profiles-m-z/pulseaudio | 1 + apparmor.d/profiles-m-z/top | 2 + 21 files changed, 103 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 8f44a74d3..e6e76de2e 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -11,7 +11,7 @@ include @{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla @{exec_path} = @{MOZ_LIBDIR}/crashreporter -profile firefox-crashreporter @{exec_path} { +profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include include include @@ -65,6 +65,7 @@ profile firefox-crashreporter @{exec_path} { owner @{MOZ_HOMEDIR}/firefox/*.*/.parentlock rw, owner @{HOME}/.xsession-errors w, /dev/dri/renderD128 rw, + /dev/dri/card[0-9]* rw, include if exists } 
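Review bot: The new `/dev/dri/card[0-9]* rw,` in the second firefox-crashreporter hunk grants read/write on every DRM card node, while the existing line above it is scoped to the render node `renderD128`; a crash-report dialog presumably only needs the render node for accelerated drawing, so it is worth confirming from the denial which node was actually opened before keeping `rw` on all card nodes. If a card node is genuinely required, a short comment such as `# DRM card node, opened by <library> — confirm` would record it. The first hunk's switch to `flags=(attach_disconnected)` is likewise undocumented; the fwupd profile later in this patch shows the pattern of naming the disconnected path that needs the flag.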
diff --git a/apparmor.d/groups/desktop/at-spi2-registryd b/apparmor.d/groups/desktop/at-spi2-registryd index 2e67512cf..2be81ce08 100644 --- a/apparmor.d/groups/desktop/at-spi2-registryd +++ b/apparmor.d/groups/desktop/at-spi2-registryd @@ -16,7 +16,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { # Needed? deny capability sys_nice, - signal (receive) set=term peer=gdm, + signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, diff --git a/apparmor.d/groups/desktop/dconf-service b/apparmor.d/groups/desktop/dconf-service index 8cc9e791c..2711cb696 100644 --- a/apparmor.d/groups/desktop/dconf-service +++ b/apparmor.d/groups/desktop/dconf-service @@ -27,6 +27,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/dconf/ rw, owner @{user_cache_dirs}/dconf/user rw, /var/lib/gdm/.config/dconf/user r, + /var/lib/gdm/.config/dconf/user.* rw, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index e377402e0..0c021622d 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -25,7 +25,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { capability sys_tty_config, signal (receive) set=term peer=gdm, - signal (send) set=hup peer=at-spi-bus-launcher, + signal (send) set=hup peer=at-spi*, signal (send) set=hup peer=dbus-daemon, signal (send) set=hup peer=gjs-console, signal (send) set=hup peer=gnome-*, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 5d854a89b..8458843b7 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -19,7 +19,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=term peer=gdm, + signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, /{usr/,}bin/ r, 
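Review bot: `signal (receive) set=(term hup) peer=gdm*,` in at-spi2-registryd turns a single named peer into a prefix glob, so any profile whose name begins with `gdm` (for instance `gdm-session-worker`, which appears later in this patch) may now deliver TERM/HUP; the same widening appears in gjs-console (`peer=gdm*`) and in gdm-session-worker (`peer=at-spi*`). That is probably intended, since several gdm components take part in session teardown, but the rule no longer says which ones. A comment naming the intended senders, e.g. `# gdm and its session helpers stop the accessibility registry on logout`, or listing the exact peers if there are only two or three, keeps the glob reviewable.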
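Review bot: The new `/var/lib/gdm/.config/dconf/user.* rw,` in dconf-service is the only rule in that block without an `owner` qualifier, although the parallel `owner @{user_cache_dirs}/dconf/user rw,` lines carry it; if the service runs as the gdm user when it touches this directory, `owner /var/lib/gdm/.config/dconf/user.* rw,` is the consistent form. The `user.*` glob presumably covers a temporary file that is later renamed over `user`, but the `user` line just above still only has `r`, so the rename target may still be denied; confirm against the audit log and, if so, `/var/lib/gdm/.config/dconf/user rw,` is the line to change.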
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 4c4f43c25..456782686 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -52,6 +52,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/mesa_shader_cache/index rw, @@ -69,6 +70,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/sessions/ r, @@ -77,6 +79,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci* r, @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c235:[0-9]* r, @{run}/udev/data/n[0-9]* r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 9a57847bd..cf4ba3623 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -70,7 +70,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.goutputstream{,*} rw, owner @{user_config_dirs}/ibus/* r, owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-wayland-[0-9] r, - owner @{user_config_dirs}/monitors.xml rw, + owner @{user_config_dirs}/monitors.xml{,~} rwl, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-wayland-[0-9] r, owner @{user_share_dirs}/backgrounds/{,**} rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index c3192dfd9..78453ed84 100644 
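Review bot: `owner @{HOME}/.cat_installer/ca.pem r,` in the first gnome-control-center hunk is a read of a user-supplied CA certificate with no comment on which panel wants it; presumably the network panel picks up a CA dropped there by a Wi-Fi profile installer, but that should be stated, e.g. `# CA certificate installed by the eduroam CAT installer, read by the network panel — confirm`. The third hunk's `@{run}/udev/data/c235:[0-9]* r,` also breaks the file's pattern, where the neighbouring `c13:` line explains its device class (`# for /dev/input/*`); the same major appears as `c235:*` in tracker-extract later in this patch, so one comment naming the device class would serve both. The `gnome-shell-disable-extensions w` line in the second hunk appears to be a control file read by another confined process and deserves a one-line comment as well.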
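Review bot: `owner @{user_config_dirs}/monitors.xml{,~} rwl,` in gnome-shell adds link permission without a link target, so the profile permits hard-linking monitors.xml to any path the profile's other `w` rules allow; the fwupd profile later in this patch shows the constrained form, `rwkl -> /var/lib/fwupd/gnupg/**`. Unless a broader target is needed, `owner @{user_config_dirs}/monitors.xml{,~} rwl -> @{user_config_dirs}/monitors.xml{,~},` keeps the backup-then-replace behaviour that the `~` and `l` are presumably for while pinning the destination.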
--- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -23,12 +23,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/X11/xkb/** r, + owner @{user_share_dirs}/ r, owner @{user_share_dirs}/event-sound-cache.tdb.* rwk, owner @{user_share_dirs}/recently-used.xbel{,.*} rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index d076c57b9..1eefa24f1 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -23,7 +23,8 @@ profile gsd-xsettings @{exec_path} { network netlink raw, @{exec_path} mr, - /{usr/,}bin/xrdb rPx, + /{usr/,}bin/xrdb rPx, + /{usr/,}bin/pactl rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index daa754f15..008a086df 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -16,11 +16,12 @@ profile tracker-extract @{exec_path} { @{exec_path} mr, - /usr/share/tracker3/{,**} r, - /usr/share/tracker3-miners/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/applications/*.desktop r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mime/mime.cache r, + /usr/share/osinfo/{,**} r, + /usr/share/tracker3-miners/{,**} r, + /usr/share/tracker3/{,**} r, owner /tmp/tracker-extract-3-files.*/{,*} rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, 
@@ -37,7 +38,10 @@ profile tracker-extract @{exec_path} { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + @{run}/udev/data/c235:* r, @{run}/udev/data/c236:* r, + /dev/video[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index df757bc69..5eda20ec8 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/systemd-detect-virt -profile systemd-detect-virt @{exec_path} { +profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 99fe9123f..0bb21e61c 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -51,9 +51,10 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+scsi:* r, @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+platform:regulatory.[0-9]* r, - @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r, @{run}/udev/data/+platform:iTCO_wdt r, + @{run}/udev/data/+platform:regulatory.[0-9]* r, + @{run}/udev/data/+platform:rtsx_pci_sdmmc.[0-9]* r, + @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index be5f1835c..05fbe1aee 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -20,6 +20,7 @@ profile systemd-timesyncd @{exec_path} { @{exec_path} mr, + /etc/adjtime r, /etc/systemd/timesyncd.conf r, owner /var/lib/systemd/timesync/clock rw, 
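Review bot: `/dev/video[0-9]* rw,` in the second tracker-extract hunk gives a metadata extractor write access to every video capture device, which is more than indexing local files should need. If the access comes from a media library probing devices on startup, a `deny /dev/video[0-9]* rw,` silencer (the style gitstatusd uses later in this patch) or, if an open is truly required, confirming whether `r` alone suffices would be preferable, and a comment should say which library triggers it. The `@{run}/udev/data/c235:* r,` added beside `c236:*` carries no comment naming the device class either. tracker-extract's profile body starts outside this hunk.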
diff --git a/apparmor.d/profiles-a-l/auditd b/apparmor.d/profiles-a-l/auditd index 3fb7e2d61..066d32c72 100644 --- a/apparmor.d/profiles-a-l/auditd +++ b/apparmor.d/profiles-a-l/auditd @@ -12,17 +12,23 @@ profile auditd @{exec_path} { include capability audit_control, - capability fsetid, capability chown, + capability fsetid, + capability sys_resource, network netlink raw, @{exec_path} mr, - /var/log/audit/audit.log rw, - /var/log/audit/audit.log.[0-9] rw, + /etc/audit/{,**} r, + + /var/log/audit/{,**} rw, @{run}/systemd/userdb/ r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/oom_score_adj r, + include if exists } diff --git a/apparmor.d/profiles-a-l/fwupd b/apparmor.d/profiles-a-l/fwupd index 304967b1a..cee4ad8d9 100644 --- a/apparmor.d/profiles-a-l/fwupd +++ b/apparmor.d/profiles-a-l/fwupd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
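Review bot: `capability sys_resource,` and the replacement of the two named log files by `/var/log/audit/{,**} rw,` in the auditd hunk arrive without a comment on which operation needed them, whereas the old rules named exactly the active log and its rotation. `sys_resource` presumably covers auditd adjusting its own limits (the new `owner @{PROC}/@{pid}/oom_score_adj r,` hints at resource handling), but that is a guess; a line such as `capability sys_resource, # <operation that needed it> — confirm` would make it reviewable. If only the log files were denied, `/var/log/audit/audit.log{,.[0-9]*} rw,` keeps the former scope while still covering rotated files, instead of `rw` on the whole directory tree.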
@@ -9,26 +10,38 @@ include @{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include + include include + include - # This is needed in order to read/write from/to the /dev/tpm0 , device which is owned by tss:tss capability dac_override, - + capability dac_read_search, + capability linux_immutable, + capability mknod, + capability sys_admin, + capability sys_nice, capability sys_rawio, capability syslog, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, - /usr/share/fwupd/** r, - owner /var/cache/fwupd/** rw, - owner /var/lib/fwupd/** r, - owner /var/lib/fwupd/pending.db rwk, - + /etc/pki/fwupd/** r, /etc/fwupd/** r, + /usr/share/fwupd/** r, + + /var/cache/fwupd/** rw, + /var/lib/fwupd/{,**} rw, + /var/lib/fwupd/pending.db rwk, + + /boot/{,**} r, + /boot/EFI/arch/fwupdx[0-9]*.efi rw, + /boot/EFI/arch/fw/fwupd-*.cap{,.*} rw, # In order to get to this file, the attach_disconnected flag has to be set owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, 
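Review bot: The capability list in this fwupd hunk grows by `dac_read_search`, `linux_immutable`, `mknod`, `sys_admin` and `sys_nice`, and at the same time the one comment that justified a capability (the `/dev/tpm0` note above `dac_override`) is removed, so none of the capabilities is explained any more; `sys_admin` in particular is close to unconfined for a root daemon that, per the `/boot/EFI/arch/...` lines, writes into the ESP. Each should name the operation that needed it, e.g. `capability linux_immutable, # clearing the immutable flag on efivars — confirm` and `capability sys_admin, # mounting the ESP — confirm`. The profile stays `flags=(complain)`, so anything still missing will only be logged as ALLOWED rather than break fwupd, which makes the per-capability comments the main review aid. The `/boot/EFI/arch/` rules hard-code one distribution's ESP layout; if the profile is meant to be shared, the distro directory is a candidate for a tunable. The profile body continues past this hunk.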
@@ -36,37 +49,51 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /usr/share/mime/mime.cache r, @{PROC}/modules r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + @{PROC}/sys/kernel/tainted r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/fd/ r, /dev/mem r, + /dev/mei[0-9]* rw, /dev/tpm[0-9] rw, /dev/drm_dp_aux[0-9]* rw, /dev/sd[a-z] r, /dev/bus/usb/ r, /dev/bus/usb/[0-9]*/[0-9]* rw, + /dev/wmi/* r, @{sys}/**/ r, @{sys}/devices/** r, - @{sys}/firmware/dmi/tables/smbios_entry_point r, + @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, - @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, + @{sys}/firmware/dmi/tables/smbios_entry_point r, + @{sys}/firmware/efi/** r, + @{sys}/firmware/efi/efivars/BootNext-* rw, + @{sys}/firmware/efi/efivars/fwupd-ux-capsule-* rw, @{sys}/kernel/security/lockdown r, + @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, + @{sys}/power/mem_sleep r, /{var,}run/udev/data/* r, + /{var,}run/motd.d/fwupd/{,**} rw, - /{var,}run/motd.d/fwupd/85-fwupd w, - /{var,}run/motd.d/fwupd/.goutputstream-* rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, /etc/machine-id r, /var/lib/dbus/machine-id r, - - profile gpg { + profile gpg flags=(complain) { include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpgsm mr, + /{usr/,}bin/gpg-agent mr, owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, diff --git a/apparmor.d/profiles-a-l/fwupdmgr b/apparmor.d/profiles-a-l/fwupdmgr index e08cb40a9..22ea50ce4 100644 --- a/apparmor.d/profiles-a-l/fwupdmgr +++ b/apparmor.d/profiles-a-l/fwupdmgr @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
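Review bot: `@{PROC}/@{pids}/mountinfo r,`, `@{PROC}/@{pids}/mounts r,` and `@{PROC}/@{pids}/fd/ r,` use `@{pids}` without `owner`, so the daemon may list the open descriptors and mount tables of every process on the system; the auditd hunk earlier in this patch uses `owner @{PROC}/@{pid}/...` for the same kind of self-inspection. Unless fwupd really inspects other processes, `owner @{PROC}/@{pid}/fd/ r,` (and the same form for mountinfo and mounts) is the least-privilege version. The efivars rules are a good example of narrowing (`BootNext-*` and `fwupd-ux-capsule-*` get `rw`, the rest of `@{sys}/firmware/efi/**` only `r`); a comment on `/dev/mei[0-9]* rw,` naming the management-engine interface would help the next reader, and the gpg child profile's new `flags=(complain)` means its own denials are now only logged.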
@@ -11,11 +12,20 @@ profile fwupdmgr @{exec_path} flags=(complain) { include include include - include + include + + signal (send), + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, @{exec_path} mr, /{usr/,}bin/dbus-launch rCx -> dbus, + /{usr/,}bin/pkttyagent rux, # TODO: Work in progress owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/fwupd/ rw, @@ -31,6 +41,11 @@ profile fwupdmgr @{exec_path} flags=(complain) { /etc/machine-id r, /var/lib/dbus/machine-id r, + /dev/tty rw, + + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, profile dbus { include diff --git a/apparmor.d/profiles-a-l/gitstatusd b/apparmor.d/profiles-a-l/gitstatusd index abe5b7c0a..beb5c4395 100644 --- a/apparmor.d/profiles-a-l/gitstatusd +++ b/apparmor.d/profiles-a-l/gitstatusd @@ -19,6 +19,8 @@ profile gitstatusd @{exec_path} { owner @{user_config_dirs}/git/{,*} r, # Silencer + deny capability dac_read_search, + deny capability dac_override, deny owner @{HOME}/.*-store/{,**} r, include if exists diff --git a/apparmor.d/profiles-a-l/gtk-update-icon-cache b/apparmor.d/profiles-a-l/gtk-update-icon-cache index d577c2d21..15631fe93 100644 --- a/apparmor.d/profiles-a-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-a-l/gtk-update-icon-cache @@ -1,12 +1,13 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{usr/,}bin/gtk-update-icon-cache +@{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache profile gtk-update-icon-cache @{exec_path} { include include diff --git a/apparmor.d/profiles-a-l/htop b/apparmor.d/profiles-a-l/htop index 50f9412f0..a40de57c6 100644 --- a/apparmor.d/profiles-a-l/htop +++ b/apparmor.d/profiles-a-l/htop 
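Review bot: `signal (send),` in the first fwupdmgr hunk has neither a `set=` nor a `peer=`, so fwupdmgr may send any signal to any process it is otherwise permitted to signal; every other signal rule in this patch (at-spi2-registryd, gdm-session-worker, gjs-console) restricts both. Presumably the target is the `pkttyagent` child launched by the `rux` line just below, in which case `signal (send) set=(term kill) peer=unconfined,` — or a named peer once pkttyagent gets its own profile — records the intent; the `rux` itself is already flagged TODO. The `include` added in the second hunk before the `dconf` rules lost its abstraction name in this rendering, so it cannot be checked here.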
@@ -32,6 +32,8 @@ profile htop @{exec_path} { @{exec_path} mr, + /usr/share/terminfo/x/xterm-256color r, + @{PROC}/ r, @{PROC}/loadavg r, @{PROC}/uptime r, @@ -43,6 +45,7 @@ profile htop @{exec_path} { @{PROC}/pressure/memory r, @{PROC}/diskstats r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, @@ -55,6 +58,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/attr/current r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/@{pids}/task/@{tid}/statm r, diff --git a/apparmor.d/profiles-m-z/pulseaudio b/apparmor.d/profiles-m-z/pulseaudio index 12b317988..f63cb6596 100644 --- a/apparmor.d/profiles-m-z/pulseaudio +++ b/apparmor.d/profiles-m-z/pulseaudio @@ -43,6 +43,7 @@ profile pulseaudio @{exec_path} { # Needed when PulseAudio is started via gdm owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, owner @{HOME}/.ICEauthority r, # TCP wrap diff --git a/apparmor.d/profiles-m-z/top b/apparmor.d/profiles-m-z/top index 5086c292f..d31f30dda 100644 --- a/apparmor.d/profiles-m-z/top +++ b/apparmor.d/profiles-m-z/top @@ -30,6 +30,8 @@ profile top @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/terminfo/x/xterm-256color r, + @{PROC}/ r, @{PROC}/loadavg r, @{PROC}/uptime r,
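Review bot: `/usr/share/terminfo/x/xterm-256color r,` in the first htop hunk (and the identical line in the top hunk at the end of this patch) allows exactly one terminal description, so htop started under any other TERM value will hit a denial again, since curses reads `/usr/share/terminfo/<first letter>/<TERM>`. Terminfo is world-readable reference data, so `/usr/share/terminfo/** r,` is the usual rule and carries no additional exposure. The `@{PROC}/@{pids}/attr/current r,` lines in the other two htop hunks read the confinement label of every process, which matches the existing per-process `cmdline`/`stat` rules beside them.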