update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2022-04-24 11:52:42 +02:00 · 2022-04-24 11:52:42 +02:00 · 35a281d045
commit 35a281d045
parent 85e7f58d3c
28 changed files with 147 additions and 38 deletions
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@ -33,10 +33,14 @@ profile android-studio @{exec_path} {

  signal (send) set=(term, kill) peer=android-studio//lsb-release,

+  ptrace (read) peer=android-studio//*,
+
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
+  network inet raw,
+  network inet6 raw,
  network netlink raw,

  @{exec_path} r,
@ -129,6 +133,9 @@ profile android-studio @{exec_path} {
  owner "@{user_cache_dirs}/Android Open Source Project/" rw,
  owner "@{user_cache_dirs}/Android Open Source Project/**" rw,

+  owner @{user_cache_dirs}/main.kts.compiled.cache/ rw,
+  owner @{user_cache_dirs}/main.kts.compiled.cache/** rw,
+
  owner @{user_cache_dirs}/Google/ rw,
  owner @{user_cache_dirs}/Google/** rwk,
  # To remove the following error:
@ -178,11 +185,12 @@ profile android-studio @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/coredump_filter rw,
  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pids}/task/ r,
  owner @{PROC}/@{pids}/task/@{tid}/status r,
-  owner @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/stat r,
        @{PROC}/sys/net/core/somaxconn r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
@ -201,6 +209,8 @@ profile android-studio @{exec_path} {

  /usr/share/hwdata/pnp.ids r,

+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

--- a/apparmor.d/groups/apt/apt-forktracer
+++ b/apparmor.d/groups/apt/apt-forktracer
@ -1,13 +1,6 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2021 Mikhail Morfikov
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

@ -22,7 +15,8 @@ profile apt-forktracer @{exec_path} {
  @{exec_path} mr,

  /{usr/,}bin/ r,
-  /{usr/,}bin/dpkg rPx -> child-dpkg,
+  /{usr/,}bin/dpkg      rPx -> child-dpkg,
+  /{usr/,}bin/apt-cache rPx,

  /usr/share/apt-forktracer/{,**} r,

@ -38,5 +32,8 @@ profile apt-forktracer @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

+  /etc/dpkg/origins/debian r,
+  /etc/debian_version r,
+
  include if exists <local/apt-forktracer>
 }
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@ -35,6 +35,7 @@ profile apt-methods-gpgv @{exec_path} {
  /{usr/,}bin/find              rix,
  /{usr/,}bin/gpgv              rix,

+  /{usr/,}bin/head      rix,
  /{usr/,}bin/cat       rix,
  /{usr/,}bin/chmod     rix,
  /{usr/,}bin/cmp       rix,
@ -79,8 +80,8 @@ profile apt-methods-gpgv @{exec_path} {
  @{PROC}/@{pid}/fd/ r,

  # Local keyring storage
-  /etc/keyrings/ r,
-  /etc/keyrings/*.{gpg,asc} r,
+  /etc/apt/keyrings/ r,
+  /etc/apt/keyrings/*.{gpg,asc} r,

  # Extrepo keyring storage
  /var/lib/extrepo/keys/*.{gpg,asc} r,
--- a/apparmor.d/groups/apt/debsums
+++ b/apparmor.d/groups/apt/debsums
@ -46,6 +46,7 @@ profile debsums @{exec_path} {
  /var/lib/{,**} r,
  /opt/{,**} r,
  /boot/{,**} r,
+  /lib*/{,**} r,

  include if exists <local/debsums>
 }
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -89,6 +89,9 @@ profile dpkg @{exec_path} {
  /usr/**  rwl -> /usr/**,
  /lib/    r,
  /lib/**  rwl -> /lib/** ,
+  # Fixme when more transitions will be available (#FIXME#)
+  /lib{,32,64,x64}/ r,
+  /lib{,32,64,x64}/** rwl,
  /bin/    r,
  /bin/*   rwl -> /bin/*,
  /sbin/   r,
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@ -52,6 +52,9 @@ profile querybts @{exec_path} {

  /etc/fstab r,

+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
  # Allowed apps to open
  /{usr/,}lib/firefox/firefox rPUx,

--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -93,6 +93,8 @@ profile reportbug @{exec_path} {

  @{sys}/module/apparmor/parameters/enabled r,

+  /dev/ptmx rw,
+
  owner     /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
  owner     /tmp/* rw,
  owner /var/tmp/*.bug{,~} rw,
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -61,7 +61,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/inhibit/[0-9]*.ref rw,
        @{run}/systemd/sessions/[0-9]*.ref rw,
        @{run}/systemd/users/@{uid} r,
-  owner @{run}/user/@{uid}/at-spi/bus rw,
+  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
  owner @{run}/user/@{uid}/dbus-1/ rw,
  owner @{run}/user/@{uid}/dbus-1/services/ rw,

--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -70,7 +70,7 @@ profile gpg @{exec_path} {

  # APT upstream/user keyrings
  /usr/share/keyrings/*.{gpg,asc} r,
-  /etc/keyrings/*.{gpg,asc} r,
+  /etc/apt/keyrings/*.{gpg,asc} r,

  # APT repositories
  /var/lib/apt/lists/*_InRelease r,