felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-08-21 23:32:10 +01:00
parent 6756ca8138
commit 360230b2a5
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
34 changed files with 156 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/apt/apt
View file

@ -127,7 +127,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/var/crash/{,*.@{uid}.crash} rw,
/var/lib/apt/extended_states{,.*} rw,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/{,**} rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/periodic/update-success-stamp rw,
/var/lib/dpkg/** r,

2
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -25,6 +25,8 @@ profile evolution-source-registry @{exec_path} {
interface=org.freedesktop.DBus.Introspectable
peer=(name=:*, label=gnome-shell),
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9],
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

5
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -31,14 +31,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
signal (send) set=hup peer=at-spi*,
signal (send) set=hup peer=dbus-daemon,
signal (send) set=hup peer=dbus-run-session,
signal (send) set=hup peer=dconf-service,
signal (send) set=hup peer=gjs-console,
signal (send) set=hup peer=gnome-*,
signal (send) set=hup peer=gsd-*,
signal (send) set=hup peer=ibus-*,
signal (send) set=hup peer=tracker-miner,
signal (send) set=hup peer=xdg-permission-store,
signal (send) set=hup peer=xorg,
signal (send) set=hup peer=xwayland,
signal (send) set=hup peer=xdg-permission-store,
signal (send) set=hup peer=tracker-miner,
signal (send) set=term peer=gdm-*-session,
network netlink raw,

2
apparmor.d/groups/gnome/gnome-extension-manager
View file

@ -39,6 +39,8 @@ profile gnome-extension-manager @{exec_path} {
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
# Silencer
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

1
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -143,6 +143,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{bin}/gsettings-data-convert rix,
@{bin}/mkdir rix,
@{bin}/session-migration rix,
@{bin}/touch rix,
@{bin}/xdg-user-dirs-gtk-update rix,
@{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix,
@{lib}/at-spi-bus-launcher rPx,

3
apparmor.d/groups/gnome/tracker-extract
View file

@ -11,14 +11,15 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/disks-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/X-strict>
include <abstractions/freedesktop.org>
network netlink raw,

3
apparmor.d/groups/gvfs/gvfsd-metadata
View file

@ -42,6 +42,9 @@ profile gvfsd-metadata @{exec_path} {
/var/lib/gdm{3,}/.local/share/gvfs-metadata/{,*} rw,
owner @{HOME}/.local/ w,
owner @{user_share_dirs}/ w,
owner @{user_share_dirs}/gvfs-metadata/{,*} rw,
owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw,

9
apparmor.d/groups/kde/drkonqi
View file

@ -17,10 +17,19 @@ profile drkonqi @{exec_path} {
network inet6 stream,
network netlink raw,
signal send set=(cont, stop) peer=/usr/bin/akonadiserver,
ptrace read peer=/usr/bin/akonadiserver,
@{exec_path} mr,
/usr/share/drkonqi/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications5/*.notifyrc r,
owner @{user_cache_dirs}/kcrash-metadata/* w,
owner /tmp/xauth_@{rand6} r,
@{run}/user/@{uid}/xauth_@{rand6} rl,

15
apparmor.d/groups/kde/kactivitymanagerd
View file

@ -16,18 +16,29 @@ profile kactivitymanagerd @{exec_path} {
@{exec_path} mr,
/etc/xdg/menus/{,*/} r,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kservices5/{,**} r,
/etc/xdg/kdeglobals r,
/etc/machine-id r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_config_dirs}/kactivitymanagerdrc r,
owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
owner @{user_share_dirs}/kservices5/{,**} r,
owner @{user_share_dirs}/RecentDocuments/ r,
owner @{user_share_dirs}/RecentDocuments/*.desktop w,
@{PROC}/sys/kernel/core_pattern r,

3
apparmor.d/groups/kde/kcminit
View file

@ -45,6 +45,9 @@ profile kcminit @{exec_path} {
owner /tmp/kcminit.@{rand6} rwl,
owner /tmp/#@{int} rw,
owner /tmp/.touchpaddefaults wl,
owner /tmp/.touchpaddefaults.lock rwk,
@{run}/user/@{uid}/xauth_@{rand6} rl,
@{PROC}/sys/kernel/random/boot_id r,

1
apparmor.d/groups/kde/kded5
View file

@ -104,6 +104,7 @@ profile kded5 @{exec_path} {
owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk,
owner @{user_share_dirs}/kded5/{,**} rw,
owner @{user_share_dirs}/kscreen/{,**} rwl,
owner @{user_share_dirs}/kservices5/{,**} r,
owner @{user_share_dirs}/ktp/cache.db rwk,
owner @{user_share_dirs}/remoteview/ r,
owner @{user_share_dirs}/services5/{,**} r,

4
apparmor.d/groups/kde/kioslave5
View file

@ -46,12 +46,15 @@ profile kioslave5 @{exec_path} {
/etc/xdg/kwinrc r,
/etc/xdg/menus/{,**} r,
owner @{MOUNTDIRS}/** r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/thumbnails/*/ r,
owner @{user_cache_dirs}/kio_http/* rwl,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
@ -61,6 +64,7 @@ profile kioslave5 @{exec_path} {
owner @{user_share_dirs}/baloo/index-lock rwk,
owner @{user_share_dirs}/baloo/index rw,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,

5
apparmor.d/groups/kde/plasmashell
View file

@ -29,10 +29,14 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
include <abstractions/vulkan>
include <abstractions/X-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
ptrace read peer=pinentry-qt,
signal (send),
dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*}
@ -145,6 +149,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
owner @{user_share_dirs}/user-places.xbel r,
@{run}/mount/utab r,
@{run}/user/@{uid}/gvfs/ r,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kdesud_:1 w,

2
apparmor.d/groups/kde/xdm-xsession
View file

@ -87,6 +87,8 @@ profile xdm-xsession @{exec_path} {
owner /tmp/ssh-*/ rw,
owner /tmp/ssh-*/agent.* rw,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/groups/network/openvpn
View file

@ -118,7 +118,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
/etc/iproute2/group r,
/etc/iproute2/rt_tables.d/ r,
/etc/iproute2/rt_tables rw,
/etc/iproute2/sed* rw,
/etc/iproute2/sed@{rand6} rw,
owner @{PROC}/sys/net/ipv{4,}/route/flush w,

2
apparmor.d/groups/pacman/arch-audit
View file

@ -35,5 +35,7 @@ profile arch-audit @{exec_path} {
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
/dev/pts/@{int} rw,
include if exists <local/arch-audit>
}

1
apparmor.d/groups/pacman/pacdiff
View file

@ -42,6 +42,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
/var/{,**} r,
/dev/tty rw,
/dev/pts/@{int} rw,
# Inherit Silencer
deny /apparmor/.null rw,

3
apparmor.d/groups/systemd/systemd-udevd
View file

@ -7,8 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/udevadm
@{exec_path} += @{lib}/systemd/systemd-udevd
@{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd
profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/consoles>

5
apparmor.d/groups/ubuntu/livepatch-notification
View file

@ -15,6 +15,11 @@ profile livepatch-notification @{exec_path} {
include <abstractions/gtk>
include <abstractions/wayland>
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

2
apparmor.d/groups/virt/dockerd
View file

@ -32,11 +32,13 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
mount fstype=overlayfs overlay -> /var/lib/docker/overlay2/*/merged/,
mount options=(rw, bind) -> /run/docker/netns/*,
mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
mount options=(rw, rslave) -> /,
umount /.pivot_root[0-9]*/,
umount /run/docker/netns/*,
umount /var/lib/docker/overlay*/**/,

11
apparmor.d/groups/virt/virtnetworkd
View file

@ -15,16 +15,25 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
network netlink raw,
ptrace (read) peer=virtqemud,
ptrace (read) peer=unconfined,
@{exec_path} mr,
@{bin}/dnsmasq rPx,
@{run}/utmp rk,
/etc/libvirt/libvirt.conf r,
owner /var/lib/libvirt/dnsmasq/*.macs* rw,
@{run}/libvirt/network/default.pid r,
@{run}/systemd/inhibit/*.ref rw,
@{run}/utmp rk,
owner @{run}/libvirt/common/system.token rwk,
owner @{run}/libvirt/network/{,**} rwk,
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
owner @{run}/user/@{uid}/libvirt/network/{,**} rwk,
owner @{run}/user/@{uid}/libvirt/virtnetworkd* rwk,
owner @{run}/virtnetworkd.pid w,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,

17
apparmor.d/groups/virt/virtnodedevd
View file

@ -15,22 +15,33 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability net_admin,
capability sys_admin,
network netlink raw,
ptrace (read) peer=virtqemud,
ptrace (read) peer=unconfined,
@{exec_path} mr,
@{bin}/mdevctl rPx,
/usr/share/hwdata/*.ids r,
/usr/share/pci.ids r,
/etc/libvirt/libvirt.conf r,
/etc/libvirt/virtnodedevd.conf r,
/etc/mdevctl.d/{,**} r,
@{run}/systemd/inhibit/*.ref rw,
owner @{run}/libvirt/common/system.token rwk,
owner @{run}/libvirt/nodedev/ rw,
owner @{run}/libvirt/nodedev/driver.pid wk,
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk,
owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk,
owner @{run}/virtnodedevd.pid wk,
@{run}/utmp rk,
@ -49,9 +60,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c1:[0-9]* r, # For RAM disk
@{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
@{run}/udev/data/c21:[0-9]* r, # Generic SCSI access
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
@{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{run}/udev/data/c202:[0-9]* r, # CPU model-specific registers
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:[0-9]* r,
@ -62,6 +75,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/n[0-9]* r,
@{sys}/**/ r,
@{sys}/devices/@{pci}/vpd r,
@{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
@{sys}/devices/**/{config,device,vendor} r,
@{sys}/devices/**/uevent r,
@ -71,13 +85,14 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
@{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
@{sys}/devices/virtual/net/{,**} r,
@{sys}/kernel/iommu_groups/ r,
@{sys}/kernel/iommu_groups/@{int}/devices/ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/mtrr w,
include if exists <local/virtnodedevd>
}

21
apparmor.d/groups/virt/virtstoraged
View file

@ -14,15 +14,32 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability dac_read_search,
network netlink raw,
ptrace (read) peer=virtqemud,
ptrace (read) peer=unconfined,
@{exec_path} mr,
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
/etc/libvirt/libvirt.conf r,
# For disk images
@{MOUNTS}/ r,
@{user_img_dirs}/{,**} r,
# System VM images
/var/lib/libvirt/images/{,**} rw,
# User VM images
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/libvirt/{,**} rw,
owner @{user_vm_dirs}/{,**} rw,
owner @{user_config_dirs}/libvirt/storage/{,**} rw,
owner @{user_share_dirs}/gnome-boxes/images/{,*} rw,
@ -34,6 +51,10 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk,
owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk,
owner @{run}/libvirt/common/system.token rwk,
owner @{run}/libvirt/storage/{,**} rwk,
owner @{run}/virtstoraged.pid rwk,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/utmp rwk,