update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2021-12-08 12:59:46 +01:00 · 2021-12-08 12:59:46 +01:00 · 3430e3df90
commit 3430e3df90
parent 44aca3ba51
56 changed files with 146 additions and 45 deletions
--- a/apparmor.d/profiles-m-r/mediainfo
+++ b/apparmor.d/profiles-m-r/mediainfo
@ -34,6 +34,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/mediainfo
 profile mediainfo @{exec_path} {
  include <abstractions/base>
+  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,
--- a/apparmor.d/profiles-m-r/mediainfo-gui
+++ b/apparmor.d/profiles-m-r/mediainfo-gui
@ -39,6 +39,7 @@ profile mediainfo-gui @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,
--- a/apparmor.d/profiles-m-r/mkvmerge
+++ b/apparmor.d/profiles-m-r/mkvmerge
@ -41,6 +41,7 @@ include <tunables/global>
 profile mkvmerge @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>

  signal (receive) set=(term, kill) peer=mkvtoolnix-gui,
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@ -53,6 +53,7 @@ profile mkvtoolnix-gui @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>

  signal (send) set=(term, kill) peer=mkvmerge,
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@ -9,7 +9,7 @@ include <tunables/global>
 # Video/audio extensions:
 # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
 # asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
-# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, flv
@{mpv_ext}  = [aA]{52,[aA][cC],[cC]3}
@{mpv_ext} += [mM][kK][aA]
@{mpv_ext} += [fF][lL][aA][cC]
@ -30,6 +30,7 @@ include <tunables/global>
@{mpv_ext} += [wW][eE][bB][mM]
@{mpv_ext} += [wW][mMtT][vV]
@{mpv_ext} += [mM][pP]2[tT]
+@{mpv_ext} += [fF][lL][vV]

 # Image extensions
 # bmp, jpg, jpeg, png, gif
@ -66,6 +67,7 @@ profile mpv @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/deny-root-dir-access>
--- a/apparmor.d/profiles-m-r/ntfsclone
+++ b/apparmor.d/profiles-m-r/ntfsclone
@ -10,6 +10,8 @@ include <tunables/global>
 profile ntfsclone @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
+  include <abstractions/private-files-strict>
+  include <abstractions/user-download-strict>

  capability sys_admin,

@ -18,7 +20,7 @@ profile ntfsclone @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,

  # A place for backups
-  @{HOME}/** rwk,
+  @{HOME}/* rwk,
  @{MOUNTS}/*/** rwk,

  include if exists <local/ntfsclone>
--- a/apparmor.d/profiles-m-r/openbox
+++ b/apparmor.d/profiles-m-r/openbox
@ -77,7 +77,8 @@ profile openbox @{exec_path} {
    /etc/xdg/autostart/{,*} r,

    # Silencer
-    /{usr/,}lib/python3/** w,
+    deny /{usr/,}lib/python3/** w,
+    deny owner @{HOME}/.local/lib/python*/site-packages/ r,

    # file_inherit
    owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/profiles-m-r/popularity-contest
+++ b/apparmor.d/profiles-m-r/popularity-contest
@ -55,6 +55,7 @@ profile popularity-contest @{exec_path} {

  # file_inherit
  /tmp/#[0-9]*[0-9] rw,
+  /var/log/popularity-contest.[0-9]* w,

  include if exists <local/popularity-contest>
 }
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -18,6 +18,7 @@ profile qbittorrent @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
  include <abstractions/wayland>
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@ -51,6 +51,7 @@ profile qnapi @{exec_path} {
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>

  # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@ -22,6 +22,7 @@ profile qpdfview @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/dri-enumerate>
  include <abstractions/qt5-settings-write>
--- a/apparmor.d/profiles-m-r/redshift
+++ b/apparmor.d/profiles-m-r/redshift
@ -36,5 +36,8 @@ profile redshift @{exec_path} {
  owner @{HOME}/.Xauthority r,
  owner /tmp/xauth-[0-9]*-_[0-9] r,

+  # file_inherit
+  owner /dev/tty[0-9]* rw,
+
  include if exists <local/redshift>
 }
--- a/apparmor.d/profiles-m-r/reprepro
+++ b/apparmor.d/profiles-m-r/reprepro
@ -48,12 +48,14 @@ profile reprepro @{exec_path} {

  # Dirs containing .deb files
  owner @{REPO_DIR}/*.deb r,
+  /var/cache/apt/archives/*.deb r,

  # For package building
  owner @{user_build_dirs}/pbuilder/result/*.{dsc,changes} r,
  owner @{user_build_dirs}/pbuilder/result/*.deb r,
  owner @{user_build_dirs}/pbuilder/result/*.tar.* r,

+
  profile gpg {
    include <abstractions/base>