diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8a57149d5..ddc95834a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -8,17 +8,16 @@ jobs: strategy: matrix: os: - # - ubuntu-24.04 + - ubuntu-24.04 - ubuntu-22.04 mode: - default - full-system-policy steps: - - name: Check out repository code uses: actions/checkout@v4 - - name: Install Build dependencies + - name: Install Build dependencies run: | sudo apt-get update -q sudo apt-get install -y \ @@ -39,12 +38,15 @@ jobs: run: sudo dpkg --install ../apparmor.d_*_amd64.deb || true - name: Reload AppArmor - run: | + run: | sudo systemctl restart apparmor.service || true sudo systemctl status apparmor.service - name: Ensure compatibility with some AppArmor userspace tools - run: sudo aa-enforce /etc/apparmor.d/aa-notify + run: | + if [[ ${{ matrix.os }} != ubuntu-24.04 ]]; then + sudo aa-enforce /etc/apparmor.d/aa-notify + fi - name: Show AppArmor log and rules run: | diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ffc9dded0..960dd2884 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,7 +4,7 @@ include: - template: Security/SAST.gitlab-ci.yml variables: - PKGDEST: $CI_PROJECT_DIR/packages + PKGDEST: $CI_PROJECT_DIR/.pkg PACKAGER: 'Alexandre Pujol ' stages: @@ -23,14 +23,14 @@ bash: image: koalaman/shellcheck-alpine script: - shellcheck --shell=bash - PKGBUILD dists/build.sh dists/docker.sh + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh golangci-lint: stage: lint image: golangci/golangci-lint script: - - golangci-lint run --skip-dirs pkg/paths + - golangci-lint run --exclude-dirs pkg/paths packer: stage: lint 
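Review bot: The new conditional in the `Ensure compatibility with some AppArmor userspace tools` step interpolates `${{ matrix.os }}` straight into the shell script; expression interpolation into `run:` is the GitHub Actions injection pattern, and although `matrix.os` is a fixed list here, the idiomatic and safer form is a step-level condition, `if: matrix.os != 'ubuntu-24.04'`, with the original one-line `run: sudo aa-enforce /etc/apparmor.d/aa-notify`. The hunk also gives no reason for skipping `aa-enforce` on 24.04; a one-line comment stating why would save the next reader a bisect. Two lines above, the unchanged `sudo dpkg --install ... || true` still masks a failed package install, so these later steps can run against a system where the new package was never installed.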
@@ -63,6 +63,11 @@ tests: - go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out - go tool cover -func=coverage.out +check: + stage: test + image: registry.gitlab.com/roddhjav/builders/archlinux + script: + - make check # Package Build # ------------- @@ -190,7 +195,7 @@ pages: GIT_DEPTH: 0 script: - pip install -r requirements.txt - - mkdocs build --strict --site-dir public + - mkdocs build --site-dir public artifacts: paths: - public diff --git a/Makefile b/Makefile index 85a4a7190..3aea44a78 100644 --- a/Makefile +++ b/Makefile @@ -4,12 +4,12 @@ # SPDX-License-Identifier: GPL-2.0-only DESTDIR ?= / -BUILD := .build -PKGDEST := /tmp/pkg +BUILD ?= .build +PKGDEST ?= ${PWD}/.pkg PKGNAME := apparmor.d P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) -.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean +.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean all: build @./${BUILD}/prebuild --complain @@ -24,13 +24,13 @@ enforce: build full: build @./${BUILD}/prebuild --complain --full -ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n") +SHARE = $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n") PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n") DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n") install: @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in ${ROOT}; do \ - install -Dm0644 "${BUILD}/root/$${file}" "${DESTDIR}/$${file}"; \ + @for file in ${SHARE}; do \ + install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ done; @for file in ${PROFILES}; do \ install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ 
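Review bot: Dropping `--strict` from `mkdocs build --site-dir public` in the `pages` job means broken internal links and other mkdocs warnings no longer fail the docs pipeline, while the `docs` target added to the Makefile in this same commit keeps `mkdocs build --strict`, so the two entry points now disagree about what a passing docs build is. If strict mode was removed because the CI image lacks something the local build has (git history for the revision-date plugin, for instance), prefer keeping `--strict` and fixing that cause, or leave a comment on the job naming the tolerated warning. The new `check` job runs only on the Arch image; if `tests/check.sh` inspects distribution-specific paths, that limitation is worth a comment on the job.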
@@ -56,7 +56,7 @@ local: ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n") TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n") $(P): - @[ -f ${BUILD}/aa-log ] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log + @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @for file in ${ABSTRACTIONS}; do \ install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ done; @@ -71,6 +71,12 @@ $(P): done; @systemctl restart apparmor || systemctl status apparmor +name ?= +dev: + @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) + @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} + @sudo systemctl restart apparmor || systemctl status apparmor + dist ?= archlinux package: @bash dists/docker.sh ${dist} @@ -95,12 +101,23 @@ lint: @golangci-lint run @make --directory=tests lint @shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh \ + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm +check: + @bash tests/check.sh + +manual: + @pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md + +docs: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + +serve: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ - ${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst coverage.out \ - ${PKGNAME}_*.* ${PKGNAME}-*.rpm ${BUILD} + .pkg/${PKGNAME}* ${BUILD} coverage.out diff --git a/README.md b/README.md index ae9899b70..7aed183da 100644 --- a/README.md +++ b/README.md 
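Review bot: The new `dev` target passes `${name}` unquoted into `find apparmor.d -iname ${name}` and then into `install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}`, so `make dev` with `name` unset (its declared default is empty) runs `find -iname` with no pattern and then `sudo install` on the profile directory itself, and a glob-like `name` can expand to several paths that `--file` may not accept. A guard at the top of the recipe, `@test -n "${name}" || { echo "usage: make dev name=<profile>"; exit 1; }`, plus quoting `"${name}"` in both commands, fails fast before anything reaches `sudo`. A one-line comment that the target is for local iteration only would also help, since it writes directly into `/etc/apparmor.d` and restarts apparmor, bypassing `DESTDIR` used by every other install rule.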
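Review bot: `clean` now deletes `.pkg/${PKGNAME}*` literally, while `PKGDEST` became overridable earlier in this Makefile (`PKGDEST ?= ${PWD}/.pkg`), so a build run with `make PKGDEST=/elsewhere package` leaves artifacts that `make clean` never touches; use the variable, `${PKGDEST}/${PKGNAME}*`. The new `manual` target writes to `root/usr/share/man/man8/aa-log.8` while the install rules in this commit moved from `${BUILD}/root` to `${BUILD}/share`; if the source tree still keeps `root/` as the input that prebuild turns into `share/`, a short comment on `manual` stating that relationship would stop the two from drifting.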
@@ -27,15 +27,15 @@ - Target both desktops and servers - Support all distributions that support AppArmor: - * Arch Linux - * Ubuntu 22.04 - * Debian 12 - * OpenSUSE Tumbleweed + * [Arch Linux](https://apparmor.pujol.io/install#archlinux) + * [Ubuntu 24.04/22.04](https://apparmor.pujol.io/install#ubuntu) + * [Debian 12](https://apparmor.pujol.io/install#debian) + * [OpenSUSE Tumbleweed](https://apparmor.pujol.io/install#opensuse) - Support for all major desktop environments: - * Gnome - * KDE - * XFCE *(work in progress)* -- Fully tested (Work in progress) + * Gnome (GDM) + * KDE (SDDM) + * XFCE (Lightdm) *(work in progress)* +- Fully tested *(work in progress)* > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 0998bbb44..4c506da69 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -2,6 +2,9 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), @@ -24,6 +27,7 @@ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/X11/Xauthority r, owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index c31d328fb..5d2f74363 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root 
@@ -3,8 +3,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* PUx, - /usr/local/{s,}bin/* PUx, + abi , + + @{bin}/** PUx, + /usr/local/{s,}bin/** PUx, @{bin}/ r, / r, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 5e7c50824..800de5106 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,10 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* PUx, + abi , + + @{bin}/** PUx, /opt/*/** PUx, - /usr/share/*/* PUx, - /usr/local/bin/* PUx, + /usr/share/** PUx, + /usr/local/bin/** PUx, @{brave_path} Px, @{chrome_path} Px, @@ -21,6 +23,9 @@ /usr/ r, /usr/local/bin/ r, + @{user_bin_dirs}/ r, + @{user_bin_dirs}/** PUx, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 8c4efc350..d257797eb 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open 
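Review bot: `@{user_bin_dirs}/** PUx` and the widening of `/usr/share/*/*` to `/usr/share/** PUx` give the launcher an unconfined-fallback execute right over every file under the user bin directories (user-writable, judging by the name; the tunable is not in this diff) and the whole of `/usr/share`. For a launcher this is probably the intended trade-off, since no profile can exist for arbitrary user programs, but nothing in the abstraction says so, and `PUx` falls back to unconfined rather than failing closed. A comment above the block, `# User-installed programs have no profile and run unconfined; accepted trade-off for a launcher`, makes the risk explicit for anyone tempted to include this abstraction in a profile that is not a launcher.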
@@ -8,51 +8,57 @@ # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail # should be present here. Until this day, this profile will be a controlled mess. + abi , + # Sandbox managers - @{bin}/bwrap rPUx, - @{bin}/firejail rPUx, - @{bin}/flatpak rPUx, - @{bin}/snap rPUx, + @{bin}/bwrap PUx, + @{bin}/firejail PUx, + @{bin}/flatpak Px, + @{bin}/snap Px, # Labeled programs - @{archive_viewers_path} rPUx, - @{browsers_path} rPx, - @{document_viewers_path} rPUx, - @{emails_path} rPUx, - @{file_explorers_path} rPx, - @{help_path} rPx, - @{image_viewers_path} rPUx, - @{offices_path} rPUx, - @{text_editors_path} rPUx, + @{archive_viewers_path} PUx, + @{browsers_path} Px, + @{document_viewers_path} PUx, + @{emails_path} PUx, + @{file_explorers_path} Px, + @{help_path} Px, + @{image_viewers_path} PUx, + @{offices_path} PUx, + @{text_editors_path} PUx, # Others - @{bin}/blueman-tray rPx, - @{bin}/discord{,-ptb} rPx, - @{bin}/draw.io rPUx, - @{bin}/dropbox rPx, - @{bin}/element-desktop rPx, - @{bin}/extension-manager rPx, - @{bin}/filezilla rPx, - @{bin}/flameshot rPx, - @{bin}/gimp* rPUx, - @{bin}/gnome-calculator rPUx, - @{bin}/gnome-disk-image-mounter rPx, - @{bin}/gnome-disks rPx, - @{bin}/gwenview rPUx, - @{bin}/kgx rPx, - @{bin}/qbittorrent rPx, - @{bin}/qpdfview rPx, - @{bin}/smplayer rPx, - @{bin}/steam-runtime rPUx, - @{bin}/telegram-desktop rPx, - @{bin}/transmission-gtk rPx, - @{bin}/viewnior rPUx, - @{bin}/vlc rPUx, - @{bin}/xbrlapi rPx, + @{bin}/amule Px, + @{bin}/blueman-tray Px, + @{bin}/discord{,-ptb} Px, + @{bin}/draw.io PUx, + @{bin}/dropbox Px, + @{bin}/element-desktop Px, + @{bin}/extension-manager Px, + @{bin}/filezilla Px, + @{bin}/flameshot Px, + @{bin}/gimp* PUx, + @{bin}/gnome-calculator PUx, + @{bin}/gnome-disk-image-mounter Px, + @{bin}/gnome-disks Px, + @{bin}/gnome-software Px, + @{bin}/gwenview PUx, + @{bin}/kgx Px, + @{bin}/qbittorrent Px, + @{bin}/qpdfview Px, + @{bin}/smplayer Px, + @{bin}/steam-runtime PUx, + 
@{bin}/telegram-desktop Px, + @{bin}/transmission-gtk Px, + @{bin}/viewnior PUx, + @{bin}/vlc PUx, + @{bin}/xbrlapi Px, #aa:only opensuse - @{lib}/YaST2/** rPUx, + @{lib}/YaST2/** PUx, + # Backup + @{lib}/deja-dup/deja-dup-monitor PUx, include if exists diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus new file mode 100644 index 000000000..8c7e6e98b --- /dev/null +++ b/apparmor.d/abstractions/app/bus @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for dbus-send/dbus-launch. + + abi , + + include + include + + @{bin}/dbus-launch mix, + @{bin}/dbus-send mrix, + + @{bin}/dbus-daemon Px -> dbus-session, + + owner @{HOME}/.dbus/session-bus/@{hex}-@{int} w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e80a7e0f4..0bae4e0d2 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -16,6 +17,8 @@ # or abstractions/common/electron instead. # + abi , + include include include @@ -26,6 +29,8 @@ include include include + include + include include include include @@ -41,7 +46,7 @@ include include - # userns, + userns, capability setgid, capability setuid, @@ -127,7 +132,6 @@ owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.@{rand6} rw, owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, 
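Review bot: The sandbox-manager block tightens `flatpak` and `snap` from `rPUx` to `Px` but leaves `bwrap` and `firejail` at `PUx`, so the two entries most likely to be installed setuid-root (firejail normally is, bwrap on some distributions) remain the ones allowed to fall back to unconfined when their profile is absent. If profiles for both exist in this set, `Px` would be consistent with the rest of the block; if not, a comment such as `# no profile yet, unconfined fallback kept on purpose` documents the exception. The header already calls this abstraction a "controlled mess", which makes per-entry rationale all the more valuable.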
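Review bot: Uncommenting `userns,` grants every chromium-based profile the right to create user namespaces, yet the hunk gives no reason, unlike the firefox abstraction in this same commit which annotates its related capabilities with `# If kernel.unprivileged_userns_clone = 1`. If the trigger is the sandbox needing unprivileged user namespaces on kernels that now restrict them, a why-comment such as `# Chromium's sandbox creates user namespaces; required where the kernel restricts unprivileged userns` would explain both why it was previously disabled and why it is enabled now. With `capability setgid,` and `capability setuid,` following unconditionally, the profile now permits the full namespace setup path, so stating that this is intentional is worthwhile.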
@@ -135,6 +139,10 @@ owner @{cache_dirs}/{,**} rw, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, # owner @{HOME}/.mozilla/firefox/*/ r, @@ -177,14 +185,15 @@ @{PROC}/ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, @@ -192,12 +201,11 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/uid_map w, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, /dev/ r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index f0972f3e7..9816e7907 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor 
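Review bot: After this hunk `@{PROC}/@{pid}/stat r` and `@{PROC}/@{pid}/task/@{tid}/status r` are the only proc entries left without `owner`, while `statm`, `task/`, `task/@{tid}/stat`, `cmdline`, `environ` and `clear_refs` all moved under `owner`. If `@{pid}` and `@{pids}` expand to the same numeric glob (the tunable is not visible here, and the rename alone would then narrow nothing), the real tightening comes only from the `owner` qualifier, and those two lines still allow reading any process's stat and status. Either add `owner` to them as well, or keep a comment such as `# task manager reads other processes' stat` explaining why cross-process reads are required.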
@@ -1,16 +1,23 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , include + include + @{sh_path} rix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, - @{sh_path} rix, @{bin}/which{,.debianutils} rix, - /usr/share/vim/{,**} r, + /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, + /usr/share/vim/{,**} r, /etc/vimrc r, /etc/vim/{,**} r, @@ -19,11 +26,11 @@ owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, - # Vim swap file owner @{HOME}/ r, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} r, + owner @{user_state_dirs}/nvim/{,**} rw, include if exists diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 9de4359e1..2a2f612b7 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -12,11 +13,14 @@ # @{cache_dirs} = @{user_cache_dirs}/mozilla/ # + abi , + include include include include include + include include include include @@ -27,10 +31,9 @@ include include include - include - include + include - # userns, + userns, capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 @@ -46,6 +49,8 @@ signal (send) set=(term, kill) peer=@{profile_name}-*, + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, 
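Review bot: `@{bin}/nvim mrix` and `owner @{user_state_dirs}/nvim/{,**} rw` add Neovim, but only `/usr/share/nvim/{,**} r` and the state directory are granted; the user configuration and plugin/data directories (the nvim counterparts of the `owner @{user_config_dirs}/vim/{,**} r` rule kept below) are not, so a user with any `init.lua` will likely hit denials the first time a confined program spawns the editor. Consider `owner @{user_config_dirs}/nvim/{,**} r,` and `owner @{user_share_dirs}/nvim/{,**} r,` beside the state rule, once a test confirms they are needed. The removed `# Vim swap file` comment was the only explanation for `owner @{HOME}/ r`; a short why-comment should stay on that line.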
@@ -54,11 +59,9 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, @{lib_dirs}/crashreporter rPx, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, @{lib_dirs}/plugin-container rPx, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, # Desktop integration @{bin}/lsb_release rPx -> lsb_release, @@ -69,11 +72,12 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, + /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, + /etc/lsb-release r, /etc/mailcap r, /etc/mime.types r, - /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, @@ -96,7 +100,7 @@ owner @{tmp}/firefox/* rwk, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, - owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmp-*.xpi rw, owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon-@{int} r, @@ -104,8 +108,6 @@ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, - @{run}/mount/utab r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @@ -123,7 +125,7 @@ @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, @@ -155,7 +157,6 @@ # Silencer deny dbus send bus=system path=/org/freedesktop/hostname1, deny /tmp/MozillaUpdateLock-* w, - deny owner @{HOME}/ r, deny owner @{HOME}/.* r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index ae6b1cd78..25a0c0c38 100644 
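Review bot: Removing `@{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest` and the matching `vaapitest` line leaves no execute rule for those two helpers in this abstraction; the remaining `@{lib_dirs}/{,**} r` grants read only, so unless the transitions moved into the firefox profile itself (not visible in this diff) the GPU probes will now be denied at exec. If they did move, a one-line comment here, `# glxtest/vaapitest transitions live in the firefox profile`, keeps the abstraction self-explanatory for the other firefox-based browsers that include it.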
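Review bot: In the silencer block, `deny owner @{HOME}/ r` is dropped while `deny owner @{HOME}/.* r` stays, with no comment explaining why listing the home directory is now acceptable for a browser; whether it becomes allowed depends on other included abstractions that are not in this hunk, so the effect is hard to judge from the abstraction alone. A short note such as `# home listing needed for the file chooser; dotfiles still denied` (if that is the reason) would preserve the intent of the silencer section.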
--- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -1,10 +1,19 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , include - @{bin}/kmod mr, + @{bin}/depmod mr, + @{bin}/insmod mr, + @{bin}/kmod mr, + @{bin}/lsmod mr, + @{bin}/modinfo mr, + @{bin}/modprobe mr, + @{bin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index f21a2a7de..256eb5a6d 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -1,9 +1,12 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Full set of rules for child-open-* profiles. + abi , + include @{open_path} mrix, diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 4bab75387..211c2710d 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -1,8 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no -# Minimal set of rules for pgrep. +# Minimal set of rules for pgrep/pkill. + + abi , include diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec new file mode 100644 index 000000000..65d34ec6a --- /dev/null +++ b/apparmor.d/abstractions/app/pkexec 
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pkexec. + + abi , + + include + include + include + include + include + + capability audit_write, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + capability sys_ptrace, + capability sys_resource, + + network netlink raw, # PAM + + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd + + @{bin}/pkexec mr, + + /etc/shells r, + + owner @{PROC}/@{pid}/loginuid r, + + owner /dev/tty@{int} rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index fdd348587..b83c2d166 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -1,14 +1,18 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Minimal set of rules for sudo. Interactive sudo need more rules. + abi , + include include include include include + include capability audit_write, capability dac_override, @@ -48,6 +52,10 @@ owner @{HOME}/.sudo_as_admin_successful rw, + # yubikey support + owner @{HOME}/.yubico/challenge-* rw, + @{HOME}/.yubico/ r, + @{run}/faillock/ rw, @{run}/faillock/@{user} rwk, owner @{run}/sudo/ rw, @@ -57,8 +65,6 @@ @{PROC}/@{pid}/limits r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/cap_last_cap r, - @{PROC}/sys/kernel/ngroups_max r, @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 62b4aafdf..38126c968 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl 
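Review bot: The capability block in this new abstraction grants `net_admin`, `sys_ptrace`, `sys_resource`, `dac_override` and `dac_read_search` with no rationale, while the file calls itself a "Minimal set of rules for pkexec" and the `network netlink raw, # PAM` line already shows the intended commenting style. `net_admin` in particular is unusual for a setuid authentication helper (as far as I know, audit netlink writes need only `audit_write`, which is already present), so either a why-comment per non-obvious capability, e.g. `capability sys_ptrace, # read /proc/<parent pid>/ for loginuid`, or removal of any capability no log confirms would be appropriate. The polkit interaction is left as an `#aa:dbus talk` directive, so the generated dbus rules cannot be reviewed here.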
@@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , include include diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index 72fb4c61b..e8414d026 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , ptrace read peer=@{p_systemd}, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base new file mode 100644 index 000000000..33c422bb0 --- /dev/null +++ b/apparmor.d/abstractions/attached/base @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, it is automatically included in profiles when it is required. + + abi , + + deny @{att}/apparmor/.null rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles new file mode 100644 index 000000000..bf76e4a43 --- /dev/null +++ b/apparmor.d/abstractions/attached/consoles @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + @{att}/dev/tty@{int} rw, + owner @{att}/dev/pts/@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index ca4a8e16c..d847c732c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client 
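Review bot: In the new `attached/consoles` abstraction, `@{att}/dev/tty@{int} rw` carries no `owner` qualifier while the pts rule beside it does, so any profile including it may write to every virtual console, not only the one belonging to the calling user. If the use case is a system service that legitimately talks to the console, say so in a comment; otherwise `owner @{att}/dev/tty@{int} rw,` keeps the two rules symmetrical. Unlike `attached/base`, this file has no description line after the header; one sentence on what "attached" means here and when the abstraction is meant to be included would help.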
@@ -5,7 +5,9 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. - /usr/share/alsa/** r, + abi , + + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client.conf r, @@ -17,7 +19,7 @@ /etc/libao.conf r, /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, - /etc/pipewire/client.conf.d/{,**} r, + /etc/pipewire/client{,-rt}.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, @@ -45,6 +47,7 @@ owner @{user_config_dirs}/pipewire/client.conf r, owner @{user_share_dirs}/openal/hrtf/{,**} r, + owner @{user_share_dirs}/sounds/ r, owner @{user_share_dirs}/sounds/__custom/index.theme r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 619ba1111..97850305b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -5,12 +5,10 @@ # Provide access to audio devices. It should only be used by audio servers that # need direct access to them. + abi , + include - /usr/share/alsa/{,**} r, - - /etc/alsa/conf.d/{,**} r, - @{run}/udev/data/+sound:card@{int} r, # for sound card @{sys}/class/ r, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 738166dba..ef54e6e78 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -4,7 +4,7 @@ @{bin}/pam-tmpdir-helper rPx, - #aa:exclude ubuntu opensuse + #aa:only abi3 @{bin}/unix_chkpwd rPx, #aa:only whonix diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index e9761b843..3e10a94f5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
@@ -11,6 +11,7 @@ signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, signal (receive) set=(cont,term) peer=@{p_systemd_user}, signal (receive) set=(cont,term) peer=@{p_systemd}, + signal (receive) set=(hup term) peer=login, signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=gnome-shell, signal (receive) set=(term,kill) peer=gnome-system-monitor, @@ -19,11 +20,15 @@ ptrace (readby) peer=systemd-coredump, - /usr/share/locale/ r, - @{etc_rw}/localtime r, /etc/locale.conf r, + # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd. + # They are not closed and get inherited by child programs. Denying it can cause + # crash, so we are allowing it globally while the issue is beeing fixed in mesa. + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw, + @{sys}/devices/system/cpu/possible r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index eb4f65230..9ea35f8c2 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + /usr/share/bash-completion/{,**} r, /usr/share/terminfo/{,**} r, @@ -24,6 +26,7 @@ owner @{HOME}/.alias r, owner @{HOME}/.bash_aliases r, + owner @{HOME}/.bash_complete r, owner @{HOME}/.bash_history rw, owner @{HOME}/.bash_profile r, owner @{HOME}/.bashrc r, diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index f032f842b..ee0a16b99 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility 
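Review bot: The mesa shader-cache workaround grants `rw` on two user cache files to every profile that includes the base abstraction, and its comment has no exit condition, so the rule will outlive the bug it works around. Suggest `# TODO(mesa 24.2): remove once the upstream fd-leak fix is released` above the two rules, with the upstream issue reference, and fix the typo `beeing` → `being` in the existing comment. The same hunk also drops `/usr/share/locale/ r` and `@{etc_rw}/localtime r` from the global set without a note; if upstream `abstractions/base` now covers them, a word to that effect would save the next reader a search.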
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index d5ca957e8..811787bad 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + unix (bind, listen) type=stream addr="@/tmp/dbus-*", unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0148d0711..0bfe96818 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index 3eceb53ab..9363bb757 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry @@ -4,6 +4,8 @@ # Access required for connecting to/communicating with the Unity Launcher + abi , + dbus send bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.Unity.LauncherEntry member=Update 
@@ -12,12 +14,12 @@ dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index 290a86de8..c5f74a6de 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index a8e3d52a5..4b7d6c89d 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 
@@ -2,50 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties member={GetAll,Set} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=fi.w1.wpa_supplicant1.Interface member=CreateInterface - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface.P2PDevice member=Cancel - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive 
bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index b4032e033..4da873247 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -2,10 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=power-profiles-daemon), + peer=(name="@{busname}", label=power-profiles-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index 55e4f414d..7f68d2d06 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -2,10 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=switcheroo-control), + peer=(name="@{busname}", label=switcheroo-control), include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 7e7b21565..41735f1be 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint 
@@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
member={GetDevices,GetDefaultDevice}
- peer=(name=:*, label=fprintd),
+ peer=(name="@{busname}", label=fprintd),
dbus send bus=system path=/net/reactivated/Fprint/Manager
interface=net.reactivated.Fprint.Manager
diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y
index 5103361c9..357c06473 100644
--- a/apparmor.d/abstractions/bus/org.a11y
+++ b/apparmor.d/abstractions/bus/org.a11y
@@ -2,12 +2,14 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
# Accessibility bus
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
- peer=(name=:*, label=at-spi2-registryd),
+ peer=(name="@{busname}", label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
@@ -22,7 +24,7 @@
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
- peer=(name=:*, label=at-spi2-registryd),
+ peer=(name="@{busname}", label=at-spi2-registryd),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez
index 7c86817f5..7b709ab9b 100644
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
@@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus receive bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
- peer=(name="{:*,org.bluez}", label=bluetoothd),
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name="{:*,org.bluez}", label=bluetoothd),
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
- peer=(name="{:*,org.bluez}", label=bluetoothd),
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez
interface=org.bluez.AgentManager@{int}
@@ -30,7 +32,7 @@
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.freedesktop.DBus.Properties
member=Set
- peer=(name="{:*,org.bluez}", label=bluetoothd),
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
dbus send bus=system path=/org/bluez/hci@{int}
interface=org.bluez.BatteryProviderManager@{int}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
index 10a9e8fc0..f2048c80e 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
@@ -2,30 +2,32 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member={FindUserByName,ListCachedUsers}
- peer=(name=:*, label=accounts-daemon),
+ peer=(name="@{busname}", label=accounts-daemon),
dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=accounts-daemon),
+ peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.Accounts.User
member=*Changed
- peer=(name=:*, label=accounts-daemon),
+ peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=UserAdded
- peer=(name=:*, label=accounts-daemon),
+ peer=(name="@{busname}", label=accounts-daemon),
dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
interface=org.freedesktop.DBus.Properties
member=*Changed
- peer=(name=:*, label=accounts-daemon),
+ peer=(name="@{busname}", label=accounts-daemon),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
index 8b24700db..ccf5b30a9 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
@@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
@@ -20,7 +22,7 @@
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
member={ItemNew,AllForNow,CacheExhausted}
- peer=(name=:*, label=avahi-daemon),
+ peer=(name="@{busname}", label=avahi-daemon),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
index 3950b77aa..205557ad5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
@@ -2,25 +2,27 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=GetDevices
- peer=(name=:*, label=colord),
+ peer=(name="@{busname}", label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=colord),
+ peer=(name="@{busname}", label=colord),
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member=CreateDevice
- peer=(name=:*, label=colord),
+ peer=(name="@{busname}", label=colord),
dbus receive bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager
member={DeviceAdded,DeviceRemoved}
- peer=(name=:*, label=colord),
+ peer=(name="@{busname}", label=colord),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
index b4e985b9e..101e493ab 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
@@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=nautilus),
+ peer=(name="@{busname}", label=nautilus),
dbus receive bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name=:*, label=nautilus),
+ peer=(name="@{busname}", label=nautilus),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
index 836e99d94..ddbf4d1de 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=geoclue),
+ peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
@@ -15,22 +17,22 @@
dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=geoclue),
+ peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=geoclue),
+ peer=(name="@{busname}", label=geoclue),
dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.GeoClue2.Manager
member=AddAgent
- peer=(name=:*, label=geoclue),
+ peer=(name="@{busname}", label=geoclue),
dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name=:*, label=geoclue),
+ peer=(name="@{busname}", label=geoclue),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
index 217b588a4..5c514d54c 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
@@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
@@ -10,12 +12,12 @@
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
- peer=(name=:*, label=ModemManager),
+ peer=(name="@{busname}", label=ModemManager),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=ModemManager),
+ peer=(name="@{busname}", label=ModemManager),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index 0fa92d3cc..af2b6d2b9 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -2,75 +2,67 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
- dbus send bus=system path=/org/freedesktop/NetworkManager
+ dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ member={Get,GetAll}
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={GetDevices,GetPermissions}
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
-
- dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
-
- dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesAdded
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=CheckPermissions
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
interface=org.freedesktop.NetworkManager.Settings.Connection
member=Updated
- peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
index 90ee1aefc..eee09ffad 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@@ -2,20 +2,22 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=gjs-console),
+ peer=(name="@{busname}", label=gjs-console),
dbus send bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetCapabilities,GetServerInformation,Notify}
- peer=(name=:*, label=gjs-console),
+ peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member={GetAll,NotificationClosed,CloseNotification}
- peer=(name=:*, label=gjs-console),
+ peer=(name="@{busname}", label=gjs-console),
dbus receive bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
index 7cdd9a3ce..b65bc1ef5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
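Review bot: The rewritten Properties rule `path=/org/freedesktop/NetworkManager{,/**}` with `member={Get,GetAll}` is wider than the three object-specific GetAll rules it replaces: besides `ActiveConnection/*` and `Devices/*` it now covers every object under the NM tree, including `Settings/*` connection objects, and adds `Get`. Properties.Get/GetAll is read-only, so this is probably acceptable for a shared abstraction, but the widening should be deliberate and documented, e.g. `# Read-only property access to the whole NM object tree (devices, active connections, settings)`. Separately, the receive rule with `interface=org.freedesktop.DBus.Properties member=CheckPermissions` names a member that does not exist on the Properties interface and duplicates the two `org.freedesktop.NetworkManager` CheckPermissions rules right below it; it looks like dead policy that could be dropped.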
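Review bot: The send rule with `member={GetCapabilities,GetServerInformation,Notify}` and the receive rule with `member={GetAll,NotificationClosed,CloseNotification}` are both attached to `interface=org.freedesktop.DBus.Properties`, but apart from GetAll those members belong to `org.freedesktop.Notifications`; as written they cannot match a real Notify call or NotificationClosed signal, so includers either see denials or are carrying broader rules elsewhere. Changing those two rules to `interface=org.freedesktop.Notifications` (and leaving GetAll in the Properties rule above) would make the abstraction grant what its name promises. The `label=gjs-console` peer presumably pins the notification server to the GNOME Shell process; a one-line comment saying so would help, since other notification daemons will not match this abstraction.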
@@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=packagekitd),
+ peer=(name="@{busname}", label=packagekitd),
dbus send bus=system path=/org/freedesktop/PackageKit
interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
index 3201e48ce..ab9e373ab 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
@@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=Changed
- peer=(name=:*, label=polkitd),
+ peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=polkitd),
+ peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
@@ -20,7 +22,7 @@
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
- peer=(name=:*, label=polkitd),
+ peer=(name="@{busname}", label=polkitd),
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization
@@ -29,7 +31,7 @@
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name=:*, label=polkitd),
+ peer=(name="@{busname}", label=polkitd),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
index 474c4c625..ff2906932 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties
member=Get
@@ -10,12 +12,12 @@
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name=:*, label=rtkit-daemon),
+ peer=(name="@{busname}", label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThread*
- peer=(name=:*, label=rtkit-daemon),
+ peer=(name="@{busname}", label=rtkit-daemon),
dbus send bus=system path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
index 842057a1d..43ed93af6 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
@@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
index 567740a35..48fa7e394 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
@@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.DBus.Peer
member=Ping
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
index 79b882e51..30abb2199 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@@ -2,55 +2,57 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Properties
member=Get
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesAdded
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/jobs/@{int}
interface=org.freedesktop.UDisks2.Job
member=Completed
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower
index d8341d33c..369448079 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
- peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
@@ -24,22 +26,22 @@
dbus send bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
- dbus send bus=system path=/org/freedesktop/UPower/devices/*
+ dbus send bus=system path=/org/freedesktop/UPower{,/**}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=DeviceAdded
- peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
dbus receive bus=system path=/org/freedesktop/UPower/devices/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
index 5f951381b..f6019eedb 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
+++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
@@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=xdg-desktop-portal),
+ peer=(name="@{busname}", label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/background/monitor
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name=:*, label=xdg-desktop-portal),
+ peer=(name="@{busname}", label=xdg-desktop-portal),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
index 54196d16b..8957c4cdd 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name="{:*,org.freedesktop.hostname1}", label=systemd-hostnamed),
+ peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
index 6b965a2f5..c4e4a5fbf 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
+++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
@@ -2,15 +2,17 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=xdg-permission-store),
+ peer=(name="@{busname}", label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore
member=Lookup
- peer=(name=:*, label=xdg-permission-store),
+ peer=(name="@{busname}", label=xdg-permission-store),
include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1
index a2865c7c9..50218ced3 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@@ -2,10 +2,12 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
- peer=(name=:*, label=systemd-localed),
+ peer=(name="@{busname}", label=systemd-localed),
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1
index fdceceea4..77271fe23 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@@ -2,30 +2,32 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
index 24d5c1452..4affc3d22 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
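Review bot: The login1.Manager send rule bundles `CreateSession` with read-only queries (`Can*`, `GetSessionByPID`) and `Inhibit`, so every profile that includes this shared abstraction is allowed to ask logind to create a session, which is normally something only the login stack does. Whether any includer actually needs it cannot be seen from this hunk; if none does, drop it from the member list, and if one does, grant it in that profile rather than here, with a comment such as `# CreateSession is deliberately not part of the shared abstraction`. The remaining members are queries and inhibitor requests and fit a shared abstraction.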
@@ -2,40 +2,42 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=GetSession
- peer=(name=:*, label=systemd-logind),
+ peer=(name="@{busname}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name=:*, label=systemd-logind),
+ peer=(name="@{busname}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/seat/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
- peer=(name=:*, label=systemd-logind),
+ peer=(name="@{busname}", label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member={PauseDevice,Unlock}
- peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
+ peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
include if exists
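Review bot: `path=/org/freedesktop/login1{,session/*,seat/*}` is missing the slash inside the alternation, so besides the bare manager path it expands to `/org/freedesktop/login1session/*` and `/org/freedesktop/login1seat/*`, which are not real object paths; the Introspect rule therefore only ever matches the manager object. It should read `path=/org/freedesktop/login1{,/session/*,/seat/*}`. The file also alternates between `name="@{busname}"` and `name="{@{busname},org.freedesktop.login1}"` for the same `systemd-logind` peer across its send rules (GetSession and the session Get/GetAll use the bare form, the others the union); if that difference is not intentional, using the union form on all of them keeps the abstraction reviewable and avoids a silent denial for method calls addressed to the well-known name, should the bare form not cover them.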
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1
index 268a21dea..56460a52b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
+ abi ,
+
dbus send bus=system path=/org/freedesktop/network1
interface=org.freedesktop.DBus.Properties
member=Get
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
index a2a1a94a0..1561491cc 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
+++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
@@ -2,30 +2,32 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll,Read} - peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 3057282c9..7714a871b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -2,10 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} - peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved), + peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), include if exists 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index 01ecf0786..0b169a04e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -2,15 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection @@ -20,12 +22,12 @@ dbus receive bus=session path=/org/freedesktop/secrets/collection/login interface=org.freedesktop.Secret.Collection member=ItemCreated - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus receive bus=session path=/org/freedesktop/secrets/collection/login interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 49e4b014d..115aefd78 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session index c0e852662..97db8023f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -10,12 +12,12 @@ dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnit - peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 883c5c165..443d35eed 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get @@ -16,7 +18,7 @@ dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=systemd-timedated), + peer=(name="@{busname}", label=systemd-timedated), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index 9953ee8bf..120330ac1 100644 
--- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -2,15 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=file-roller), + peer=(name="@{busname}", label=file-roller), dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name=:*, label=file-roller), + peer=(name="@{busname}", label=file-roller), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager index 05945a253..107868836 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -2,10 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager member=RegisterDisplay - peer=(name=:*, label=gdm), + peer=(name="@{busname}", label=gdm), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index d701792a6..605e90311 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig 
@@ -2,30 +2,32 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member={GetResources,GetCrtcGamma} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState - peer=(name="{:*,org.gnome.Mutter.DisplayConfig}", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=MonitorsChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 7ada64f05..68769f2c9 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor 
@@ -2,20 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member=WatchFired - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 index e547ab2c5..185937e70 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 @@ -2,20 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver index 3e228ad1f..ba13aa7d2 100644 
--- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver @@ -2,20 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member=GetActive - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 4197fb4cf..c683eddac 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -4,10 +4,12 @@ # FIXME: Too large, restrict it. + abi , + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager 
@@ -17,42 +19,42 @@ dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager 
interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index 72e4525bc..efe53af62 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -2,10 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties @@ -15,17 +17,17 @@ dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member=GetRunningApplications - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member={RunningApplicationsChanged,WindowsChanged} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index 73d958513..9060c8c15 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor 
@@ -2,20 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={MountAdded,MountChanged,VolumeChanged,VolumeRemoved} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 35cd640d6..e813f5c4f 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -2,10 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index 33d3c1c36..80daa4927 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata 
@@ -2,15 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/metadata interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gvfsd-metadata), + peer=(name="@{busname}", label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name=:*, label=gvfsd-metadata), + peer=(name="@{busname}", label=gvfsd-metadata), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 4d59f0afc..1c80ca6ea 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -2,20 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMounts2 - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=Mounted - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), include if exists diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 4fca40e84..43947d52a 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , include if exists 
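Review bot: In the org.kde.StatusNotifierItem hunk (`@@ -2,6 +2,7 @@`) the new `abi ,` line runs straight into `include if exists` with no blank line between them, while every other abstraction touched by this commit adds the `abi` line followed by a blank line (`+2,8`). Adding the blank line keeps the headers uniform across the abstractions and makes future mechanical edits of that header block safer.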
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 67ac1fb6d..5217a50f5 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd index c0d2ecba2..1ae5a1ace 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/org.kde.kwalletd @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index dc598cfa1..4cb47c9d2 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -9,6 +9,8 @@ # applications (bwrap) that have no way to restrict access depending on the # application being confined. + abi , + include include include @@ -20,7 +22,7 @@ include include include - include + include include include include 
@@ -54,25 +56,32 @@ @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rwl, + owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{user_config_dirs}/** rwkl, - owner @{user_share_dirs}/** rwkl, - owner @{user_games_dirs}/{,**} rm, + owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + owner @{user_games_dirs}/** rm, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 77c5a0b7e..5dd8b26bc 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index a73626bb1..3a2b0c591 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -7,7 +7,9 @@ # - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' - # userns, + abi , + + userns, capability net_admin, capability setpcap, 
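Review bot: `@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.` looks like a typo for `@{run}/avahi-daemon/socket`: the inline comment names avahi-daemon, and `havahi-daemon` is presumably not a runtime directory anything creates. As written the rule matches nothing, so the access it is meant to grant is silently missing and consumers of this abstraction will keep logging denials on the real socket path. Change the line to `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`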
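Review bot: `userns,` is re-enabled here (the removed line was the commented-out `# userns,`), and the same uncommenting appears in the common/chromium hunk `@@ -6,7 +6,9 @@` and the common/electron hunk `@@ -12,13 +12,15 @@`. The rule was presumably commented out because parsers that predate the userns rule reject a profile containing it, so this raises the minimum apparmor_parser version for every profile that includes these three abstractions; confirm that the parser shipped by each targeted distribution accepts it. Since the rule also widens what the confined sandbox is permitted to do relative to the previous policy, a short comment documenting why user-namespace creation is required and the parser requirement would help, e.g. `userns, # needed by the bwrap sandbox; requires apparmor_parser >= <version — TODO confirm>`.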
@@ -42,15 +44,16 @@ owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/@{PROC}/sys/user/max_user_namespaces rw, + owner @{att}/@{PROC}/@{pid}/cgroup r, + owner @{att}/@{PROC}/@{pid}/gid_map rw, + owner @{att}/@{PROC}/@{pid}/mountinfo r, + owner @{att}/@{PROC}/@{pid}/setgroups rw, + owner @{att}/@{PROC}/@{pid}/uid_map rw, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, - @{PROC}/sys/user/max_user_namespaces rw, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/setgroups rw, - owner @{PROC}/@{pid}/uid_map rw, include if exists diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 2e98c515a..9fba7b8bb 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -6,7 +6,9 @@ # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/chromium instead. - # userns, + abi , + + userns, capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 @@ -26,10 +28,10 @@ /var/tmp/ r, owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, - owner @{tmp}/scoped_dir*/ rw, - owner @{tmp}/scoped_dir*/SingletonCookie w, - owner @{tmp}/scoped_dir*/SingletonSocket w, - owner @{tmp}/scoped_dir*/SS w, + owner @{tmp}/scoped_dir@{rand6}/ rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 732129c26..171815256 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron 
@@ -12,13 +12,15 @@ # @{cache_dirs} = @{user_cache_dirs}/@{name} # + abi , + include include include include include - # userns, + userns, capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 @@ -26,6 +28,7 @@ capability sys_chroot, capability sys_ptrace, + @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @{lib}/electron@{int}/electron rix, @@ -50,7 +53,8 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.* rw, + owner @{user_config_dirs}/electron-flags.conf r, + owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, @@ -61,6 +65,7 @@ owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SS w, + /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, @@ -86,6 +91,8 @@ owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game new file mode 100644 index 000000000..3b4a982f1 --- /dev/null +++ b/apparmor.d/abstractions/common/game 
@@ -0,0 +1,119 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Core set of resources for any games on Linux. Runtimes such as sandboxing,
+# wine, proton, game launchers should use this abstraction.
+
+# This abstraction uses the following tunables:
+# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories
+# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
+# - @{user_games_dirs} for user specific game directories (eg: steam storage dir)
+
+ abi ,
+
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{bin}/uname rix,
+ @{bin}/xdg-settings rPx,
+ @{browsers_path} rPx,
+
+ @{bin}/env r,
+
+ @{lib}/ r,
+ / r,
+ /home/ r,
+ /usr/ r,
+ /usr/local/ r,
+ /usr/local/lib/ r,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ owner @{HOME}/ r,
+
+ owner @{user_games_dirs}/ r,
+ owner @{user_games_dirs}/*/ r,
+ owner @{user_games_dirs}/*/** rwlk,
+
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+ @{tmp}/ r,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/AsyncGPUReadbackPlugin_*.log w,
+ owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
+ owner @{tmp}/crashes/ rw,
+ owner @{tmp}/crashes/** rwk,
+ owner @{tmp}/miles_image_@{rand6} mrw,
+ owner @{tmp}/runtime-info.txt.@{rand6} rw,
+ owner @{tmp}/tmp@{rand6}.tmp rw,
+ owner @{tmp}/tmp@{rand6}@{h}.tmp rw,
+ owner @{tmp}/tmp@{rand8}.tmp rw,
+ owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
+
+ owner /dev/shm/mono.@{int} rw,
+ owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
+
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+
+ @{sys}/ r,
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/hidraw/ r,
+ @{sys}/class/input/ r,
+ @{sys}/devices/ r,
+ @{sys}/devices/@{pci}/boot_vga r,
+ @{sys}/devices/@{pci}/net/*/carrier r,
+ @{sys}/devices/**/input@{int}/ r,
+ @{sys}/devices/**/input@{int}/**/{vendor,product} r,
+ @{sys}/devices/**/input@{int}/capabilities/* r,
+ @{sys}/devices/**/input/input@{int}/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/system/ r,
+ @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
+ @{sys}/devices/system/cpu/cpu@{int}/ r,
+ @{sys}/devices/virtual/dmi/id/* r,
+ @{sys}/devices/virtual/net/*/carrier r,
+ @{sys}/kernel/ r,
+
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+
+ @{PROC}/uptime r,
+ @{PROC}/version r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/pagemap r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
+ /dev/ r,
+ /dev/hidraw@{int} rw,
+ /dev/input/ r,
+ /dev/input/event@{int} rw,
+ /dev/input/js@{int} rw,
+ /dev/tty rw,
+ /dev/uinput rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome
index c93f9bc05..ccb5de8b3 100644
--- a/apparmor.d/abstractions/common/gnome
+++ b/apparmor.d/abstractions/common/gnome
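Review bot: `/dev/uinput rw,` and `/dev/hidraw@{int} rw,` give every profile that includes this new shared abstraction write access to device nodes that do more than read controller state — uinput in particular lets the confined process create virtual input devices. These rules were moved here unchanged from common/steam-game, where the exposure was limited to that one runtime; either keep them in the consumers that actually need them, or add a comment naming the feature that requires them, e.g. `/dev/uinput rw, # <runtime/feature that needs it — TODO confirm>`. The same question applies to `/dev/tty rw,`, which a game started from a desktop session rarely needs.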
@@ -4,25 +4,35 @@ # Minimal set of rules for all gnome based UI application. + abi , + + include include + include include include include - @{open_path} rPx -> child-open-help, - /usr/share/@{profile_name}/{,**} r, + / r, + owner @{user_cache_dirs}/@{profile_name}/ rw, - owner @{user_cache_dirs}/@{profile_name}/** rwlk, + owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**, owner @{user_config_dirs}/@{profile_name}/ rw, - owner @{user_config_dirs}/@{profile_name}/** rwlk, + owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**, owner @{user_share_dirs}/@{profile_name}/ rw, - owner @{user_share_dirs}/@{profile_name}/** rwlk, + owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index c6a7aff75..b3c66e035 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game 
@@ -2,45 +2,15 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include - include - include - include - include - include - include + abi , - @{bin}/uname rix, - @{bin}/xdg-settings rPx, - @{browsers_path} rPx, - - @{bin}/env r, + include @{lib_dirs}/ r, - @{lib}/ r, - / r, - /home/ r, - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{HOME}/ r, owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pipe r, - owner @{user_games_dirs}/ r, - owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/{,**} rwkl, - - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{app_dirs}/ r, owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" @@ -56,19 +26,6 @@ owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{share_dirs}/steamapps/shadercache/{,**} rwk, - @{tmp}/ r, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/crashes/ rw, - owner @{tmp}/crashes/** rwk, - owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner /dev/shm/mono.@{int} rw, - owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, 
@@ -76,53 +33,6 @@ owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/net/*/carrier r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/ r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpu@{int}/ r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/*/carrier r, - @{sys}/kernel/ r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/uptime r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/tty rw, - /dev/uinput rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 34e9be9d7..df138bf6c 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
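Review bot: The device rules removed here — `/dev/uinput rw`, `/dev/hidraw@{int} rw`, `/dev/input/event@{int} rw` — are the most privileged part of this abstraction, and they presumably now live behind the new top-level `include` whose target this page does not show. `/dev/uinput` lets a process synthesize keyboard and mouse events for the whole session, so every profile that pulls the shared include in (not only games) would inherit keystroke-injection capability, and raw hidraw access has similar reach. If that include is meant as a general base, keep uinput/hidraw in a separate opt-in abstraction and mark it, e.g. `# /dev/uinput: synthesizes input events system-wide - controller support only, never include by default`. The rest of this abstraction is in the earlier hunks of the same file.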
@@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index f25e1c3e6..b83a585e2 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -5,6 +5,8 @@ # Permissions for querying dconf settings with write access; use the dconf # abstraction first, and dconf-write only for specific application's profile. + abi , + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member=Change @@ -20,6 +22,7 @@ /etc/dconf/** r, owner @{user_config_dirs}/dconf/user r, + owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete new file mode 100644 index 000000000..108f6b8c7 --- /dev/null +++ b/apparmor.d/abstractions/dconf.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index d8e1fdfb8..4291762a4 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home 
@@ -11,42 +11,58 @@ # The only legitimate use in this project is for file browser and search engine. - deny @{HOME}/.*.bak mrwkl, - deny @{HOME}/.*.swp mrwkl, - deny @{HOME}/.*~ mrwkl, - deny @{HOME}/.*~1~ mrwkl, + abi , + + # User defined private directories + deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{user_private_dirs}/{,**} mrxwlk, + + # Files with secret paswords and tokens deny @{HOME}/.*age*{,/{,**}} mrwkl, deny @{HOME}/.*aws*{,/{,**}} mrwkl, deny @{HOME}/.*cert*{,/{,**}} mrwkl, - deny @{HOME}/.*history mrwkl, deny @{HOME}/.*key*{,/{,**}} mrwkl, deny @{HOME}/.*pass*{,/{,**}} mrwkl, deny @{HOME}/.*pki*{,/{,**}} mrwkl, deny @{HOME}/.*private*{,/{,**}} mrwkl, deny @{HOME}/.*secret*{,/{,**}} mrwkl, deny @{HOME}/.*yubi*{,/{,**}} mrwkl, - deny @{HOME}/.fetchmail* mrwkl, - deny @{HOME}/.lesshst* mrwkl, - deny @{HOME}/.mozilla/{,**} mrwkl, - deny @{HOME}/.mutt* mrwkl, - deny @{HOME}/.thunderbird/{,**} mrwkl, - deny @{HOME}/.viminfo* mrwkl, - deny @{HOME}/.wget-hsts mrwkl, + deny @{HOME}/.aws/{,**} mrwkl, + deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, + deny @{run}/user/@{uid}/keyring** mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl, - deny @{user_config_dirs}/chromium/{,**} mrwkl, deny @{user_password_store_dirs}/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl, - # User defined private directories - deny @{user_private_dirs}/{,**} mrxwlk, - deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, - deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + # Privacy violations + deny @{HOME}/.*.bak mrwkl, + deny @{HOME}/.*.swp mrwkl, + deny @{HOME}/.*~ mrwkl, + deny @{HOME}/.*~1~ mrwkl, + deny @{HOME}/.*history mrwkl, + deny @{HOME}/.evolution/{,**} mrwkl, + deny @{HOME}/.fetchmail* mrwkl, + deny @{HOME}/.gnome2_private/{,**} mrwkl, + deny @{HOME}/.gnome2/keyrings/{,**} mrwkl, + deny @{HOME}/.lesshst* 
mrwkl, + deny @{HOME}/.mozilla/{,**} mrwkl, + deny @{HOME}/.mutt** mrwkl, + deny @{HOME}/.thunderbird/{,**} mrwkl, + deny @{HOME}/.viminfo* mrwkl, + deny @{HOME}/.wget-hsts mrwkl, + deny @{user_config_dirs}/chromium/{,**} mrwkl, + deny @{user_config_dirs}/evolution/{,**} mrwkl, # Deny executable mapping in writable space as allowed in abstractions/fonts - deny @{HOME}/.{,cache/}fontconfig/ rw, - deny @{HOME}/.{,cache/}fontconfig/** mrwl, + deny @{HOME}/.{,cache/}fontconfig/ rw, + deny @{HOME}/.{,cache/}fontconfig/** mrwl, + + # special attention to (potentially) executable files + deny @{HOME}/bin wl, + deny @{HOME}/bin/{,**} wl, include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index befea8bcb..19ffe647e 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -7,12 +7,15 @@ # When supported in apparmor, condition will be used in this abstraction to filter # resources specific for supported DE. + abi , + include include include include include include + include # if @{DE} == gnome @@ -22,13 +25,17 @@ peer=(name=:*, label=gnome-shell), /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, + /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + /var/cache/gio-@{version}/gnome-mimeapps.list r, + + / r, # deny? + + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, # else if @{DE} == kde 
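Review bot: The new credential-file denials still leave several common plaintext secret stores uncovered by any glob visible in this hunk: `.netrc`, `.git-credentials`, `.docker/config.json` and `.kube/config` match none of `.*key*`, `.*pass*`, `.*cert*` or `.*secret*`. Unless they are denied elsewhere, add at least `deny @{HOME}/.netrc mrwkl,` and `deny @{HOME}/.git-credentials mrwkl,` next to the `.aws` rule (the docker and kube config files deserve a line each as well). The new `deny @{HOME}/bin wl` pair protects one PATH directory but not `~/.local/bin`, which is commonly on PATH too, so `deny @{HOME}/.local/bin/{,**} wl,` belongs beside it. Since AppArmor evaluates `deny` ahead of any allow regardless of order, the regrouping into sections is cosmetic and safe.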
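Review bot: `/ r, # deny?` ships an unresolved question in an abstraction meant to be shared by desktop profiles; either record why the root directory listing is needed or drop the rule, because a bare `# deny?` will not be revisited. Suggest replacing the trailing comment with something like `# root directory listing only (no file content), requested by <app>`. The added `owner @{user_share_dirs}/gnome-shell/session.gvdb rw` also hands every includer write access to what appears to be gnome-shell's own session state file; if only gnome-shell writes it, `r` would be the safer default — worth checking against the denials that motivated the rule.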
@@ -36,14 +43,27 @@ @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, + /usr/share/knotifications{5,6}/*.notifyrc r, + + /etc/xdg/baloofilerc r, + /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, + + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, + owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce @@ -54,14 +74,10 @@ # end + /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 5a2a8b742..1a85a0100 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /dev/ r, /dev/bus/usb/ r, /dev/bus/usb/@{int}/ r, diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 10beb258d..bf46eea1a 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, 
@@ -88,7 +90,7 @@ @{run}/udev/data/b230:@{int} r, # for /dev/zvol* @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 361b60d82..844a4fbeb 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, @@ -88,7 +90,7 @@ @{run}/udev/data/b230:@{int} r, # for /dev/zvol* @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index a1eb1cd41..af634ff91 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -6,6 +6,8 @@ # Linux graphics stack which allows unprivileged user-space programs to issue # commands to graphics hardware without conflicting with other programs. + abi , + @{lib}/dri/** mr, @{lib}/@{multiarch}/dri/** mr, @{lib}/fglrx/dri/** mr, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index fe3cab891..2ae6ab93d 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + /usr/share/fish/{,**} r, /etc/fish/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 216075648..306787378 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read 
+++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -9,6 +9,8 @@ # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use # the "fontconfig-cache-write" abstraction. + abi , + owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 19fa7c53a..922a15a6a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/fontconfig/ rw, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index ed4f067a5..4724c694a 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -13,6 +13,8 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/ r, + /opt/*/**.{desktop,png} r, + /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, diff --git a/apparmor.d/abstractions/glfw b/apparmor.d/abstractions/glfw new file mode 100644 index 000000000..5dbda197d --- /dev/null +++ b/apparmor.d/abstractions/glfw @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index e9a06e8aa..27d648247 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict 
@@ -2,17 +2,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include include include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/{local/,}share/ r, @@ -24,10 +29,9 @@ /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, + / r, + + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 9b7954f0d..37f6be70e 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -2,12 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include include - /etc/igfx_user_feature{,_next}.txt w, + /etc/igfx_user_feature{,_next,_report}.txt w, /etc/libva.conf r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index fe2d2001c..1f2b0ffd2 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 60bac614e..c7827b599 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer 
@@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, @@ -12,6 +14,8 @@ @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/gstreamer-1.0/gst-plugin-scanner rix, + /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, + /etc/openni2/OpenNI.ini r, /tmp/ r, @@ -45,7 +49,12 @@ @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, - @{sys}/devices/@{pci}/{busnum,config,devnum,descriptors,speed,uevent} r, + @{sys}/devices/@{pci}/busnum r, + @{sys}/devices/@{pci}/config r, + @{sys}/devices/@{pci}/descriptors r, + @{sys}/devices/@{pci}/devnum r, + @{sys}/devices/@{pci}/speed r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index c164bd434..282ae1974 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
@@ -2,29 +2,35 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include include include + include @{lib}/kde{,3,4}/*.so mr, @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, - /usr/share/hwdata/pnp.ids r, + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/desktop-base/kf{5,6}-settings/kdeglobals r, + /usr/share/knotifications{5,6}/*.notifyrc r, + /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, owner @{user_config_dirs}/kdedefaults/kcminputrc r, @@ -32,6 +38,7 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/trashrc r, include if exists diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 976b6cc47..8ac3ad7f3 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete 
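Review bot: The ksycoca cache pattern added here, `owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,`, does not agree with the one added to `abstractions/desktop` in the same commit, `owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,`: this one requires a `.@{rand6}` suffix and accepts `-` as a separator, the other accepts only `_` and any suffix. Profiles built on one abstraction will see denials the other does not, which makes the two hard to reason about as equivalents. Pick one pattern (the desktop variant is the more permissive superset) and use it in both, or move the KDE cache rules into a single shared include.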
@@ -4,6 +4,12 @@ # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/index rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/marker rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, @@ -13,4 +19,11 @@ owner @{user_cache_dirs}/mesa_shader_cache/marker rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/ w, + owner @{user_cache_dirs}/mesa_shader_cache_db/index rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/marker rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index b1d474717..5f49a63d9 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -6,6 +6,10 @@ # Many programs wish to perform nameservice-like operations, such as looking up # users by name or id, groups by name or id, hosts by name or IP, etc. + abi , + + include + @{etc_ro}/default/nss r, @{etc_ro}/gai.conf r, @{etc_ro}/group r, 
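Review bot: `owner @{user_cache_dirs}/mesa_shader_cache_db/ w,` grants only write on the directory while the parallel `owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,` rule grants read as well; with `w` alone the driver can create the directory but not list the `part@{int}/` entries inside it. Unless the asymmetry is deliberate, make it `owner @{user_cache_dirs}/mesa_shader_cache_db/ rw,` so both cache locations behave alike. Keeping `m` off `mesa_cache.db` and `mesa_cache.idx` is the right call — a user-writable cache should never be mappable executable.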
@@ -31,23 +35,6 @@ @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, - # NSS records from systemd-userdbd.service - # - # Allow User/Group lookups via common VarLink socket APIs. Applications need - # to either consult all of them or the io.systemd.Multiplexer frontend. - # - # https://systemd.io/USER_GROUP_API/ - # https://systemd.io/USER_RECORD/ - # https://www.freedesktop.org/software/systemd/man/nss-systemd.html - # - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users - @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs - @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined - @{run}/systemd/userdb/io.systemd.Multiplexer rw, - @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS - @{PROC}/sys/kernel/random/boot_id r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6521c9840..6069ddd9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, /usr/share/nvidia/nvidia-application-profiles-* r, diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index e6eea6744..9f8d13eb5 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete 
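Review bot: Dropping the `@{run}/systemd/userdb/io.systemd.*` varlink sockets and `@{PROC}/sys/kernel/random/boot_id` from this abstraction silently changes behaviour for every profile that includes it: nss-systemd fails quietly when the sockets are unreachable, so lookups of DynamicUser= and systemd-homed accounts would simply start failing with nothing but an audit-log denial. The new top-level `include` added in the previous hunk is presumably where these rules went, but its target is stripped on this page, so please confirm it really carries the userdb sockets (with `rw`, since they are connect sockets rather than read-only files) and the `boot_id` read. A short comment at the include site, e.g. `# systemd userdb (varlink) sockets and nss-systemd rules`, would make the move self-documenting.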
@@ -4,11 +4,12 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/ r, - @{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, + @{python_path} r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, + owner @{user_lib_dirs}/@{python_name}/ r, + owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, + owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, + owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, + owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index 4ac0f7f1d..d40aa3766 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -3,13 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl, include if exists diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index b269f2335..35d3a580a 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells 
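Review bot: Removing the explicit link target from `owner @{user_cache_dirs}/qtshadercache/@{hex} rwl,` (previously `rwl -> @{user_cache_dirs}/qtshadercache/#@{int}`) widens the rule: subject only to AppArmor's subset check, a link may now be created from any file the profile holds matching permissions on, rather than only from the anonymous `#@{int}` file the old target named. It also runs opposite to the gnome abstraction earlier in this diff, which adds `-> …` targets to its `rwlk` rules in the same commit. If the target form was dropped because the parser rejected the glob in the target, say so, e.g. `# link target omitted: parser rejects the glob in the target`; otherwise keep the restricted form.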
@@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + include include include diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index dc164c6ba..adb80dd4d 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -3,6 +3,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 01de0407e..5a31de221 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw, diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 1f4202818..a2b024d3e 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict @@ -9,6 +9,8 @@ # There is no 'owner' rule on expunged folders because some internally sandboxed # app (using bwrap) run on a different private user. + abi , + owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.* rwl, diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 03ae9e3e8..88d75ec15 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim 
@@ -3,6 +3,8 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/uim/* r, /var/lib/uim/* r, diff --git a/apparmor.d/abstractions/user-data b/apparmor.d/abstractions/user-data new file mode 100644 index 000000000..6406b3e84 --- /dev/null +++ b/apparmor.d/abstractions/user-data 
@@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Gives access to non-hidden files in user's $HOME. +# Warning: experiemental, only for abi 4+, requires a prompting client. + + abi , + + # Allow accessing the GNOME crypto services prompt APIs as used by + # applications using libgcr (such as pinentry-gnome3) for secure pin + # entry to unlock GPG keys etc. See: + # https://developer.gnome.org/gcr/unstable/GcrPrompt.html + # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html + # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name="{@{busname}", label=pinentry-*), + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name="{@{busname}", label=pinentry-*), + + # Allow read access to toplevel $HOME & mounts for the user. + prompt owner @{HOME}/ r, + prompt owner @{MOUNTS}/ r, + + # Allow read/write access to all files in @{HOME}, except snap application + # data in @{HOME}/snap and toplevel hidden directories in @{HOME}. + prompt owner @{HOME}/[^s.]** rwlk, + prompt owner @{HOME}/s[^n]** rwlk, + prompt owner @{HOME}/sn[^a]** rwlk, + prompt owner @{HOME}/sna[^p]** rwlk, + prompt owner @{HOME}/snap[^/]** rwlk, + prompt owner @{HOME}/{s,sn,sna}{,/} rwlk, + + # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs) + # for non-hidden files owned by the user. + prompt owner @{MOUNTS}/[^.]** rwlk, + + # Disallow writes to the well-known directory included in + # the user's PATH on several distributions + audit deny @{HOME}/bin/{,**} wl, + audit deny @{HOME}/bin wl, + + include if exists + +# vim:syntax=apparmor 
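Review bot: `peer=(name="{@{busname}", label=pinentry-*)` on both dbus rules has an opening `{` with no closing brace, so it is either a truncated alternation (`{@{busname},<service name>}`) or should simply read `name=@{busname}`; as written the parser will either reject it or match a literal brace, and the rule never applies. The `label=pinentry-*` part also looks inverted: the comment above describes pinentry-gnome3 as a client of the `/org/gnome/keyring/Prompter` API, so the peer of this `dbus send` should be whatever provides the prompter service, not pinentry — worth confirming which process owns that object path here. Minor: the header has a typo (`experiemental`), and it should state what happens when the kernel or parser lacks prompt support (the `prompt` rules are downgraded to plain allows, or the file refuses to load), since the header only says a prompting client is required.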
diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index 3feed5cd8..ab0e05f0a 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{HOME}/@{XDG_DESKTOP_DIR}/ w, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index 4187ab9e2..bd350186b 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -4,6 +4,8 @@ # Warning: This abstraction gives unrestricted read access on all non hidden user directories. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 5211b0345..f7eb186b5 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -5,6 +5,8 @@ # This abstraction gives read access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 223fc660a..026825b27 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -5,6 +5,8 @@ # This abstraction gives write only access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index fd86f1e81..edb258288 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/egl/egl_external_platform.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/libdrm/*.ids r, @@ -14,6 +16,8 @@ /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/implicit_layer.d/{,*.json} r, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache owner @{user_share_dirs}/vulkan/ rw, @@ -29,5 +33,4 @@ include if exists - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 245b9238d..f0c712634 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -9,7 +9,10 @@ owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, - owner /dev/shm/sway* rw, + owner /dev/shm/@{uuid} rw, owner /dev/shm/dunst-@{rand6} rw, + owner /dev/shm/grim-@{rand6} rw, + owner /dev/shm/sway* rw, + owner /dev/shm/wlroots-@{rand6} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 067de9148..0d510a3fe 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 15711713c..a22895c91 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -6,6 +6,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, /usr/share/zsh/{,**} r, 
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap index e9ad60683..0a4b9efdf 100644 --- a/apparmor.d/groups/_full/bwrap +++ b/apparmor.d/groups/_full/bwrap @@ -4,7 +4,7 @@ # Default profile for bwrap. -abi , +abi , include diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app index bfe12e560..b6d45478a 100644 --- a/apparmor.d/groups/_full/bwrap-app +++ b/apparmor.d/groups/_full/bwrap-app @@ -4,14 +4,13 @@ # Default profile for user sandboxed application -abi , +abi , include profile bwrap-app flags=(attach_disconnected,mediate_deleted) { include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index 733d227cb..acdfc0bff 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -4,7 +4,7 @@ # Default profile for unconfined programs -abi , +abi , include @@ -34,7 +34,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink dgram, network netlink raw, - signal (receive) set=(hup), + signal receive set=hup, @{bin}/bwrap rPx -> bwrap, @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, @@ -45,9 +45,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{coreutils_path} rix, @{shells_path} rix, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, # @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo index 36cebc626..609191970 100644 --- a/apparmor.d/groups/_full/default-sudo +++ b/apparmor.d/groups/_full/default-sudo @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index aa1f1729d..9e1737a2a 100644 --- a/apparmor.d/groups/_full/systemd 
+++ b/apparmor.d/groups/_full/systemd @@ -11,7 +11,18 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -abi , +# TODO: rework this to get a controlled environment: (cf security model) +# - No global allow anymore: in high security environments, we must manage the list +# of program/service that can be started by systemd and ensure that they are all +# listed and confined. Programs not listed will not be able to start. +# - Outside common systemd service, the list may have to be automatically +# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` +# - Stop disabling nnp flags in systemd dropin files. +# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) +# need they own profile, profile name configured as a dropin unit file. +# - When this is done: the fallback profile as root will not be needed. + +abi , include @@ -107,7 +118,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { umount @{run}/systemd/unit-root/{,**}, pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, change_profile, 
@@ -129,39 +140,43 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { member=GetConnectionUnixUser peer=(name=org.freedesktop.DBus, label=dbus-system), - @{bin}/systemctl rix, - @{bin}/mount rix, + @{bin}/** Px, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /usr/share/*/** Px, - @{lib}/systemd/systemd-executor rix, - @{lib}/systemd/systemd rpx -> systemd-user, + # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor ix, - @{bin}/ldconfig rPx -> systemd-service, - @{bin}/mandb rPx -> systemd-service, - @{bin}/savelog rPx -> systemd-service, - @{coreutils_path} rPx -> systemd-service, - @{sh_path} rPx -> systemd-service, + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /usr/share/*/** Px, + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + # Unit services + @{bin}/mount ix, + + # Shell based systemd unit services + @{bin}/ldconfig Px -> systemd-service, + @{bin}/mandb Px -> systemd-service, + @{bin}/savelog Px -> systemd-service, + @{coreutils_path} Px -> systemd-service, + @{sh_path} Px -> systemd-service, + + # Systemd profiles that need be stacked #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd, + @{lib}/systemd/systemd-networkd Px -> systemd//&systemd-networkd, + @{lib}/systemd/systemd-oomd Px -> systemd//&systemd-oomd, + @{lib}/systemd/systemd-resolved Px -> systemd//&systemd-resolved, + @{lib}/systemd/systemd-timesyncd Px -> systemd//&systemd-timesyncd, @{lib}/ r, / r, - /boot/ r, + /*/ r, /boot/efi/ r, - /efi/ r, - /snap/ r, /snap/*/@{int}/ r, - /tmp/ 
r, - /usr/ r, /var/cache/*/ r, /var/lib/*/ r, /var/tmp/ r, @@ -258,6 +273,14 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { owner /dev/shm/ rw, owner /dev/ttyS@{int} rwk, + profile systemctl { + include + include + + include if exists + include if exists + } + include if exists include if exists } diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service index 3a72cfe7e..e6c4a4b7b 100644 --- a/apparmor.d/groups/_full/systemd-service +++ b/apparmor.d/groups/_full/systemd-service @@ -8,7 +8,7 @@ # It does not specify an attachment path because it is intended to be used only # via "Px -> systemd-service" exec transitions from the systemd profile. -abi , +abi , include diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index f88604124..32228f21b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -11,7 +11,9 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -abi , +# TODO: rework this to get a controlled environment. cf comments in systemd profile. + +abi , include 
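Review bot: The new `systemctl` child profile added in hunk @@ -258 carries no rules of its own beyond its includes and no `flags=`, so it is enforced as written, while hunk @@ -129 now routes every unit that runs systemctl through it via `@{bin}/systemctl Cx -> systemctl` instead of the previous `rix` under the full systemd profile. The include targets are not visible on this page; unless they cover what systemctl needs at runtime (reading its own binary, reaching the systemd control socket or D-Bus), units whose ExecStart/ExecStop invoke systemctl will be denied where they previously inherited everything systemd has. A short comment on the child profile stating what the includes are expected to provide, e.g. `# systemctl invoked from unit Exec* lines; relies entirely on the included abstractions`, would make that intent reviewable. Both hunks sit inside `profile systemd`, which starts and ends outside them.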
@@ -25,40 +27,47 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal (send) set=(term, cont, kill), - signal (receive) set=(hup) peer=@{p_systemd}, + signal send set=(term, cont, kill), + signal receive set=hup peer=@{p_systemd}, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system, - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system, + unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 @{exec_path} mr, - @{bin}/dbus-broker rpx -> dbus-session, - @{bin}/dbus-broker-launch rpx -> dbus-session, - @{bin}/dbus-daemon rpx -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper rpx -> dbus-session, + @{bin}/** Px, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, - @{bin}/systemctl rCx -> systemctl, - @{lib}/systemd/systemd-executor rix, - @{sh_path} rix, # Should be handled by default profile? - @{bin}/grep rix, - @{bin}/sleep rix, + # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) 
+ @{lib}/systemd/systemd-executor ix, - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - /usr/share/*/** Px, + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + # Shell based ystemd unit services + @{coreutils_path} Px -> systemd-user-service, + @{sh_path} Px -> systemd-user-service, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + # Audio profiles need to be stacked #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire rPx -> systemd-user//&pipewire, - @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd-user//&pulseaudio, - @{bin}/wireplumber rPx -> systemd-user//&wireplumber, + @{bin}/pipewire Px -> systemd-user//&pipewire, + @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, + @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, + @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, + @{bin}/wireplumber Px -> systemd-user//&wireplumber, /usr/ r, /usr/share/defaults/**.conf r, diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service new file mode 100644 index 000000000..d65846f82 --- /dev/null +++ b/apparmor.d/groups/_full/systemd-user-service 
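Review bot: The comment introduced above the coreutils/shell transitions has a typo: `# Shell based ystemd unit services` should read `# Shell based systemd unit services`. The two rules under it, `@{coreutils_path} Px -> systemd-user-service` and `@{sh_path} Px -> systemd-user-service`, hand shell-based user units to the profile created in the next file of this diff, which is declared `flags=(complain)`, so it would help to say in the same comment that the target is currently log-only. The enclosing `profile systemd-user` block starts and ends outside this hunk.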
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Profile for generic systemd unit services. Only used by tiny systemd services +# that start a shell or use context specific programs. + +# It does not specify an attachment path because it is intended to be used only +# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. + +abi , + +include + +profile systemd-user-service flags=(complain) { + include + include + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource index 086c29a40..f0145d670 100644 --- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource +++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,8 +15,6 @@ profile akonadi_akonotes_resource @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index aea424deb..ed72aa21b 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,6 @@ profile akonadi_archivemail_agent @{exec_path} { /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_archivemail_agentrc r, owner @{user_config_dirs}/akonadi/ rw, 
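Review bot: The new `systemd-user-service` profile is declared `flags=(complain)` and contains no rules of its own, only includes, so for now it records rather than restricts what the shells and coreutils sent here by the systemd-user profile do. The header comment explains the intended usage but not this status; a line such as `# NOTE: complain-only placeholder with no explicit rules yet; see the TODO in the systemd profile` would stop a reader from assuming these units are confined. The analogous `systemd-service` profile for the system instance is touched earlier in this diff, but its rule set is not shown on this page, so whether this file is meant to mirror it cannot be checked here.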
diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource index 14b354b7e..d3bf2074c 100644 --- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource +++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,7 @@ profile akonadi_birthdays_resource @{exec_path} { /usr/share/akonadi/plugins/{,**} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - + owner @{user_config_dirs}/akonadi_birthdays_resourcerc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index c90d09a4a..c3e5dc716 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,6 @@ profile akonadi_contacts_resource @{exec_path} { /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_contacts_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index f52c3e14f..945cc82b9 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -22,7 +22,6 @@ profile akonadi_control @{exec_path} { /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/akonadi/{,**} rwl, owner @{user_config_dirs}/akonadi/ rw, @@ -30,7 +29,7 @@ profile akonadi_control @{exec_path} { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, owner @{user_share_dirs}/akonadi/{,**} rwl, - + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent index 9af94de78..e85bdcba3 100644 --- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent +++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,6 @@ profile akonadi_followupreminder_agent @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_followupreminder_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource index d8d87dcfb..465eebd33 100644 --- a/apparmor.d/groups/akonadi/akonadi_ical_resource +++ b/apparmor.d/groups/akonadi/akonadi_ical_resource @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,6 @@ profile akonadi_ical_resource @{exec_path} { @{exec_path} mr, owner @{user_cache_dirs}/akonadi_ical_resource_[0-9]/{,*} rwl, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/akonadi_ical_resource_[0-9]rc rwl, owner @{user_config_dirs}/akonadi/ rw, diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index e2e60c67f..32a332793 100644 
--- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,8 +22,6 @@ profile akonadi_indexing_agent @{exec_path} { /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_indexing_agentrc rw, owner @{user_config_dirs}/akonadi_indexing_agentrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index a534c7aad..fc518e4f7 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile akonadi_maildir_resource @{exec_path} { /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_mail_dirs}/{,**} rw, owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index e81a1c3e9..c353ea819 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -24,12 +24,9 @@ profile akonadi_maildispatcher_agent @{exec_path} { @{exec_path} mr, /usr/share/akonadi/plugins/{,**} r, - /usr/share/knotifications{5,6}/akonadi_maildispatcher_agent.notifyrc r, /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_maildispatcher_agent.notifyrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 03fb464a4..37612c9ca 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,8 +22,6 @@ profile akonadi_mailfilter_agent @{exec_path} { /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r, owner @{user_config_dirs}/akonadi_*_resource_*rc r, diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent index f10a8ea13..2083318e7 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,8 +20,6 @@ profile akonadi_mailmerge_agent @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent index 7200357f0..b3541299a 100644 --- a/apparmor.d/groups/akonadi/akonadi_migration_agent 
+++ b/apparmor.d/groups/akonadi/akonadi_migration_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,8 +15,6 @@ profile akonadi_migration_agent @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi-migrationrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index cb98b328a..28ce1123c 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,12 +16,9 @@ profile akonadi_newmailnotifier_agent @{exec_path} { @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/knotifications{5,6}/akonadi_newmailnotifier_agent.notifyrc r, /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r, owner @{user_config_dirs}/akonadi/ rw, diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent index 791f90d06..8e8665e40 100644 --- a/apparmor.d/groups/akonadi/akonadi_notes_agent +++ b/apparmor.d/groups/akonadi/akonadi_notes_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,8 +20,6 @@ profile akonadi_notes_agent @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_*_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, 
diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent index 6062b4857..2053bf298 100644 --- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent +++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,8 +20,6 @@ profile akonadi_sendlater_agent @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_sendlater_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent index 94c63a06b..4e0e5820a 100644 --- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent +++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,8 +15,7 @@ profile akonadi_unifiedmailbox_agent @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - + owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565 owner @{user_config_dirs}/akonadi_unifiedmailbox_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/groups/apps/freetube-chrome-sandbox deleted file mode 100644 index 5dc20400e..000000000 --- a/apparmor.d/groups/apps/freetube-chrome-sandbox +++ /dev/null 
@@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = {F,f}reetube{,-vue} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} - -@{exec_path} = @{lib_dirs}/chrome-sandbox -profile freetube-chrome-sandbox @{exec_path} { - include - include - - capability sys_admin, - capability setgid, - capability setuid, - capability sys_chroot, - - @{exec_path} mr, - - # Has to be lower "P" - @{lib_dirs}/@{name} rpx, - - @{PROC}/@{pids}/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop deleted file mode 100644 index 6c8525f48..000000000 --- a/apparmor.d/groups/apps/signal-desktop +++ /dev/null 
@@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = signal-desktop{,-beta} -@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" -@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} { - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mrix, - - @{bin}/getconf rix, - @{bin}/xdg-settings rPx, - - @{lib_dirs}/chrome-sandbox rPx, - @{lib_dirs}/chrome_crashpad_handler rix, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - @{run}/systemd/inhibit/*.ref rw, - - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/vmstat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index dcc6303c8..19f187cc3 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -99,11 +99,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language-options rPx, # For editing the sources.list file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, # For changelogs - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, #aa:only whonix @{lib}/uwt/uwtwrapper rix, 
@@ -142,6 +141,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt.conf.* rw, owner @{tmp}/apt.data.* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, @@ -149,8 +150,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, - profile editor flags=(complain) { include include @@ -168,8 +167,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/less rix, - @{bin}/sensible-pager mr, + @{pager_path} rmix, @{bin}/which{,.debianutils} rix, /root/ r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 0c11fbfb2..1251fe449 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a2268648b..a99b964c7 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,26 +18,25 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/mount rCx -> mount, @{bin}/umount rCx -> umount, /etc/fstab r, - # Are all of these needed? (#FIXME#) - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - # @{run}/udev/data/* r, + /etc/apt/sources.list{,.new} rw, + /etc/apt/sources.list~ w, + + /var/lib/apt/lists/** rw, + + /var/lib/apt/cdroms.list{,.new} rw, + /var/lib/apt/cdroms.list~ w, # For cd-roms - /media/cdrom[0-9]/ r, - /media/cdrom[0-9]/**/ r, - /media/cdrom[0-9]/.disk/info r, - /media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r, - /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, + /media/cdrom@{int}/ r, + /media/cdrom@{int}/**/ r, + /media/cdrom@{int}/.disk/info r, + /media/cdrom@{int}/dists/**/binary-*/Packages{,.gz} r, + /media/cdrom@{int}/dists/**/i18n/Translation-en{,.gz} r, # For pendrives @{MOUNTS}/ r, @@ -46,16 +45,15 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, - /var/lib/apt/lists/** rw, + # Are all of these needed? (#FIXME#) + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/fd/ r, - /var/lib/apt/cdroms.list{,.new} rw, - /var/lib/apt/cdroms.list~ w, - - /etc/apt/sources.list{,.new} rw, - /etc/apt/sources.list~ w, - profile mount flags=(complain) { include @@ -63,7 +61,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { /etc/fstab r, - /media/cdrom[0-9]/ r, + /media/cdrom@{int}/ r, include if exists } diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 48a540043..505a4b037 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
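Review bot: Hunk @@ -18 removes `@{bin}/mount rCx -> mount`, but the `profile mount flags=(complain)` child profile stays and hunk @@ -63 even updates it to `/media/cdrom@{int}/ r`, leaving a child profile that nothing transitions into. If apt-cdrom no longer execs mount (the diff does not show whether `apt-cdrom add` still mounts the disc itself), the child should be deleted in the same commit; if it does, the transition rule needs to come back, since no other `mount` exec rule remains in the visible hunks and only the outer profile's complain flag keeps that from being a hard denial. Both hunks are inside `profile apt-cdrom`, which starts and ends outside them.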
diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index f958d2575..2e41b10bf 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc6e523b4..7ee51cfed 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index ea687173f..2fbb5d95b 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-ftparchive b/apparmor.d/groups/apt/apt-ftparchive index 4b8e45799..f7e9b4651 100644 --- a/apparmor.d/groups/apt/apt-ftparchive +++ b/apparmor.d/groups/apt/apt-ftparchive @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index d6d4b5d7b..f02c01819 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 2d0f6a664..f73df39d1 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -102,7 +102,7 @@ profile apt-key @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index a04bd459a..403573a9d 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-aptcleanup b/apparmor.d/groups/apt/apt-listbugs-aptcleanup index 3500ead6c..ccf56a603 100644 --- a/apparmor.d/groups/apt/apt-listbugs-aptcleanup +++ b/apparmor.d/groups/apt/apt-listbugs-aptcleanup @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index f8eca9dfb..6a261aab9 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index 461edace9..4e0fea86f 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean +++ b/apparmor.d/groups/apt/apt-listbugs-prefclean @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 8613f2280..89cf63067 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -28,7 +28,7 @@ profile apt-listchanges @{exec_path} { # shared object file): ignored. @{bin}/dpkg-deb rpx, # - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, # Send results using email @{bin}/exim4 rPx, @@ -83,12 +83,11 @@ profile apt-listchanges @{exec_path} { capability dac_read_search, #capability sys_tty_config, - @{bin}/sensible-pager mr, + @{pager_path} mrix, @{bin}/ r, @{sh_path} rix, @{bin}/which{,.debianutils} rix, - @{bin}/less rix, owner @{HOME}/.less* rw, @@ -98,6 +97,7 @@ profile apt-listchanges @{exec_path} { /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index f76159e78..4af469c30 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 222f7540c..9cf47e758 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 2cd44be7b..6d906bf80 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index ef49d144f..6d3e9d408 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index d57cc71f2..47c679ea1 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index e2a7ed2b7..4b2a15773 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 72b39e719..0638120ba 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 31656857f..5acecd67a 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index e5dc4d609..85da35efc 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index bf51e32f7..95d70b31f 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index a3d2ce33a..4c414f07c 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index fb567a5ef..4ba9e57d7 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,6 @@ profile apt-overlay @{exec_path} { owner @{bin}/env r, @{lib}/ruby/{,**} r, - @{lib}/locale/locale-archive r, @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, /usr/share/rubygems-integration/{,**} r, diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index b060e0a12..7885afca4 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-sortpkgs b/apparmor.d/groups/apt/apt-sortpkgs index 56162c9d2..af5ec2ef0 100644 --- a/apparmor.d/groups/apt/apt-sortpkgs +++ b/apparmor.d/groups/apt/apt-sortpkgs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 7ebb4da0b..04907876e 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -59,7 +59,7 @@ profile apt-systemd-daily @{exec_path} { /var/backups/ r, /var/backups/apt.extended_states rw, /var/backups/apt.extended_states.@{int} rw, - /var/backups/apt.extended_states.@{int}.gz w, + /var/backups/apt.extended_states.@{int}.gz rw, /var/cache/apt/ r, /var/cache/apt/archives/ r, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 12bd0efb1..972123a06 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -105,7 +105,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, owner @{user_cache_dirs}/aptitude/metadata-download rwk, - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, # For aptitude-run-state-bundle owner @{tmp}/aptitudebug.*/ r, @@ -171,20 +171,19 @@ profile aptitude @{exec_path} flags=(complain) { include include - @{bin}/ r, - @{bin}/sensible-pager mr, - @{sh_path} rix, + @{bin}/ r, + @{editor_path} mrix, + @{sh_path} rix, @{bin}/which{,.debianutils} rix, - @{bin}/less rix, owner @{HOME}/.less* rw, - owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, # For shell pwd /root/ r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index 039de3095..91a47110a 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index a81c3dafb..c700e325f 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle index 9119e243c..fa3a45315 100644 --- a/apparmor.d/groups/apt/aptitude-run-state-bundle +++ b/apparmor.d/groups/apt/aptitude-run-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 00818d011..e6c0fdee6 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 31b55a24e..4ddcca5ca 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,6 +46,7 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index 709e76f1f..b00cecd1b 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/apt/deborphan b/apparmor.d/groups/apt/deborphan index 76068b32d..236069e99 100644 --- a/apparmor.d/groups/apt/deborphan +++ b/apparmor.d/groups/apt/deborphan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index ab391f72e..ee29b4923 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 7ed318aa7..b2f72f6cd 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index ee371bee8..01e9ac152 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index dff64bed3..8bda4efff 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index b8e577833..dd87414bf 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -34,10 +34,7 @@ profile dpkg @{exec_path} { @{lib}/needrestart/dpkg-status rPx, /usr/share/debian-security-support/check-support-status.hook rPx, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + @{pager_path} rPx -> child-pager, # Package maintainer's scripts # Move it to a child profile once more transitions will be available diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index ce6dfe8d5..a58257271 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -45,6 +45,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 39271db07..e7558acdf 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 8c2ff03cf..e7542aadd 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 6f9c2600b..4fedbcd5f 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index a770662a7..6712b8b7c 100644 
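Review bot: `@{bin}/diff rPx -> child-pager,` is removed together with the three pager rules, but the replacement `@{pager_path} rPx -> child-pager,` only covers it if the `@{pager_path}` tunable (not visible in this diff) expands to `@{bin}/diff`. If it does not, dpkg's exec of diff — presumably the conffile prompt's "show differences" option — has no transition any more and is denied. Either keep `@{bin}/diff rPx -> child-pager,` next to the new rule or confirm the tunable covers it. The dpkg-query hunk drops the same pager rules but never had a diff rule, so it is unaffected.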
--- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 47d7f6ece..4e22ecf19 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 27991261c..73be1b913 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index d57d3d42d..cf957ab4f 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/{,g,m}awk rix, @{bin}/cat rix, @{bin}/dialog rix, + @{bin}/expr rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/sort rix, diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index f8150cc37..e0f4dbcdf 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,9 +16,7 @@ profile dpkg-query @{exec_path} { @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dpkg/** r, 
diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index 551b84c03..e307e9867 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-trigger b/apparmor.d/groups/apt/dpkg-trigger index 3aa674d0b..547123cf2 100644 --- a/apparmor.d/groups/apt/dpkg-trigger +++ b/apparmor.d/groups/apt/dpkg-trigger @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index 5a786e815..aee717257 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index ba91e898a..5c46246a2 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,7 +33,7 @@ profile querybts @{exec_path} { @{bin}/stty rix, @{bin}/ldconfig rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open-browsers, @{bin}/dpkg rPx -> child-dpkg, 
@@ -46,41 +46,14 @@ profile querybts @{exec_path} { /etc/dpkg/origins/ r, /etc/dpkg/origins/debian r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, /var/lib/dbus/machine-id r, /etc/machine-id r, - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e7b8e1d29..dfc578117 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -47,10 +47,8 @@ profile reportbug @{exec_path} { @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/less rPx -> child-pager, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open /usr/share/bug/* rPUx, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index fcfa2ef7c..4189c7170 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
@@ -3,181 +3,118 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include - include - include - include - include include + include + include include - # To remove the following errors: - # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed - - # Item::QueueURI (1: Operation not permitted) - capability fowner, - - # To remove the following errors: - # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory - # (1: Operation not permitted) capability chown, - - # To remove the following errors: - # E: setgroups 65534 failed - setgroups (1: Operation not permitted) - # E: setegid 65534 failed - setegid (1: Operation not permitted) - # E: seteuid 100 failed - seteuid (1: Operation not permitted) - # E: setgroups 0 failed - setgroups (1: Operation not permitted) - capability setuid, - capability setgid, - - # To remove the following errors: - # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease - - # PrepareFiles (13: Permission denied) - # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied) - capability dac_read_search, - - # To remove the following errors: - # E: Failed to fetch https://**.deb rename failed, Permission denied - # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb). - # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? 
capability dac_override, - - # Needed? (##FIXME##) - capability kill, + capability dac_read_search, + capability fowner, capability fsetid, - deny capability net_admin, - deny capability sys_nice, + capability kill, + capability net_admin, + capability setgid, + capability setuid, + capability sys_nice, - signal (send) peer=apt-methods-*, + signal send peer=apt-methods-*, @{exec_path} mr, @{sh_path} rix, @{bin}/{,e,f}grep rix, - @{bin}/test rix, @{bin}/echo rix, - - # For update-apt-xapian-index - @{bin}/nice rix, @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/test rix, - # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Synaptic works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - deny @{bin}/gdbus rx, - - @{bin}/ps rPx, - @{bin}/dpkg rPx, + @{bin}/adequate rPx, + @{bin}/appstreamcli rPx, @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{bin}/deborphan rPx, @{bin}/debtags rPx, + @{bin}/dpkg rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/appstreamcli rPx, - @{bin}/adequate rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/pkexec rCx -> pkexec, + @{bin}/ps rPx, + @{bin}/software-properties-gtk rPx, + @{bin}/tasksel rPx, + @{bin}/update-apt-xapian-index rPx, @{bin}/update-command-not-found rPx, /usr/share/command-not-found/cnf-update-db rPx, - @{bin}/update-apt-xapian-index rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/deborphan rPx, - @{bin}/tasksel rPx, - @{bin}/pkexec rPx, - @{bin}/software-properties-gtk rPx, # Methods to use to download packages from the net @{lib}/apt/methods/* 
rPx, - /var/lib/apt/lists/** rw, - /var/lib/apt/lists/lock rwk, - /var/lib/apt/extended_states{,.*} rw, + /usr/share/synaptic/{,**} r, /etc/apt/apt.conf.d/99synaptic rw, + # For editing the sources.list file + /etc/apt/sources.list rwk, + /etc/apt/sources.list.d/ r, + /etc/apt/sources.list.d/*.list rw, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + /var/log/apt/eipp.log.xz w, /var/log/apt/{term,history}.log w, - # For editing the sources.list file - /etc/apt/sources.list.d/ r, - /etc/apt/sources.list.d/*.list rw, - /etc/apt/sources.list rwk, - - /var/lib/apt-xapian-index/index r, + /var/cache/apt/ r, + /var/cache/apt/** rwk, /var/cache/apt-xapian-index/index.[0-9]/*.glass r, /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + /var/lib/apt-xapian-index/index r, /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/extended_states{,.*} rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + + owner @{HOME}/.synaptic/ rw, + owner @{HOME}/.synaptic/** rwk, /tmp/ r, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, - /var/cache/apt/ r, - /var/cache/apt/** rwk, - - /usr/share/synaptic/{,**} r, - owner @{HOME}/.synaptic/ rw, - owner @{HOME}/.synaptic/** rwk, @{run}/synaptic.socket w, - @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - # To remove the following error: - # Internal Error: impossible to fork children. Synaptics is going to stop. Please report. 
- # errorcode: 2 - /dev/ptmx rw, - - /etc/fstab r, - - # Synaptic is a GUI app started by root, so without "owner" - @{HOME}/.Xauthority r, - - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - - # file_inherit + /dev/ptmx rw, owner /dev/tty@{int} rw, + deny @{bin}/dbus-launch x, + deny @{bin}/dbus-send x, + deny @{bin}/gdbus x, deny @{user_share_dirs}/gvfs-metadata/{*,} r, - profile dbus { + profile pkexec { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index f5caa7b65..e4f6b61ea 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -100,7 +100,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/log/apt/{term,history}.log w, /var/log/apt/eipp.log.xz w, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 65f8a30d2..cd35bb5ae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
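Review bot: `capability net_admin,` and `capability sys_nice,` replace the previous `deny capability net_admin,` / `deny capability sys_nice,` rules, and `capability kill,` keeps its grant while losing the `Needed? (##FIXME##)` marker, yet nothing in the hunk says which operation now requires them. For a package-management GUI net_admin is a broad grant; if the earlier denies only existed to quiet audit noise they should stay as `deny capability net_admin,` and `deny capability sys_nice,`, and if the accesses are genuinely needed a one-line comment naming the failing call would preserve the rationale the removed comment blocks carried. The same applies to the relocated `/dev/ptmx rw,`, whose explanation is dropped; `# Needed to fork children (synaptic: "impossible to fork children")` would keep it.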
@@ -24,8 +24,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { owner /var/log/unattended-upgrades/*.log* rw, + owner @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, - owner @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 80b5d0fab..15af33d88 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index 8d18f1a75..a6e724214 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3c7bfdf05..47c22d72d 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile avahi-browse @{exec_path} { include dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser + interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} peer=(name=:*, label=avahi-daemon), diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish index 92f02d6d5..490303443 100644 --- a/apparmor.d/groups/avahi/avahi-publish +++ b/apparmor.d/groups/avahi/avahi-publish @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 459bc57da..ff2cae183 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index de986c7bc..dd9eaba6c 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index a47652600..cc3d18b58 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = brave{,-beta,-dev,-bin} -@{domain} = com.brave.Brave +@{domain} = com.brave.Brave org.chromium.Chromium @{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}} @{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} 
@@ -34,21 +34,14 @@ profile brave @{exec_path} { /etc/opt/chrome/native-messaging-hosts/* r, owner @{user_config_dirs}/BraveSoftware/ rw, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, owner @{cache_dirs}/BraveSoftware/ rw, owner @{tmp}/net-export/ rw, # For brave://net-export/ - owner @{tmp}/.org.chromium.Chromium.* rwk, - owner @{tmp}/.org.chromium.Chromium*/{,**} rw, - - owner /dev/shm/.org.chromium.Chromium.* rw, - # Silencer + deny /etc/opt/ w, deny /etc/opt/chrome/ w, deny /dev/disk/by-uuid/ r, diff --git a/apparmor.d/groups/browsers/brave-crashpad-handler b/apparmor.d/groups/browsers/brave-crashpad-handler index 2bfe2ff94..ae90c734e 100644 --- a/apparmor.d/groups/browsers/brave-crashpad-handler +++ b/apparmor.d/groups/browsers/brave-crashpad-handler @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave-sandbox b/apparmor.d/groups/browsers/brave-sandbox index 7928b1385..8ab3dd522 100644 --- a/apparmor.d/groups/browsers/brave-sandbox +++ b/apparmor.d/groups/browsers/brave-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index f1127d860..b4f70689c 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 93413c25c..9c11f0a4a 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/google-@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chrome @{exec_path} { +profile chrome @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/browsers/chrome-crashpad-handler b/apparmor.d/groups/browsers/chrome-crashpad-handler index 67c0d0e8d..ea3d7d64a 100644 --- a/apparmor.d/groups/browsers/chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chrome-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-sandbox b/apparmor.d/groups/browsers/chrome-sandbox index 709f57bc8..eceec9f89 100644 --- a/apparmor.d/groups/browsers/chrome-sandbox +++ b/apparmor.d/groups/browsers/chrome-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 8e9e1ba5d..709eb79a1 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index eb0d87f4f..658dee398 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chromium @{exec_path} { +profile chromium @{exec_path} flags=(attach_disconnected) { include include 
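Review bot: `profile chrome @{exec_path} flags=(attach_disconnected) {` adds the flag with no comment on which access needed it, and the chromium hunk on the same line and the chromium-wrapper hunk on the next line do the same. With attach_disconnected, paths that are disconnected from the namespace root are re-attached at `/` and matched against the profile's ordinary rules, so an absolute rule can silently match a file it was never written for; the epiphany and unattended-upgrade hunks in this diff show the project's convention of qualifying such paths with `@{att}/`. A short comment such as `# attach_disconnected: needed for <which access>` (placeholder) on each of the three profiles would document the reason, and the existing absolute rules in each should be checked for unintended matches on re-attached paths.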
diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index 2bac71620..8d6ab2461 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox index b07828e3b..98ebf5b62 100644 --- a/apparmor.d/groups/browsers/chromium-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index 0a5017727..dea35ae1a 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -3,14 +3,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/chromium -profile chromium-wrapper @{exec_path} { +profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { include include + include @{exec_path} r, @@ -39,11 +40,8 @@ profile chromium-wrapper @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{tmp}/chromiumargs.@{rand6} rw, - owner @{tmp}/tmp.*/ rw, - owner @{tmp}/tmp.*/** rwk, owner /dev/tty@{int} rw, - /dev/dri/card[0-9] rw, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator index ec343816d..e6f8902dd 100644 --- a/apparmor.d/groups/browsers/ephy-profile-migrator +++ b/apparmor.d/groups/browsers/ephy-profile-migrator @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index be42cb9a0..98f21f472 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,6 @@ include profile epiphany @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -33,16 +32,21 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{open_path} rPx -> child-open, + @{bin}/bwrap rix, @{bin}/xdg-dbus-proxy rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, + /usr/share/enchant*/{,**} r, + owner /bindfile@{rand6} rw, - owner /.flatpak-info r, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, + owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, @@ -64,7 +68,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 41ce67746..27eb0d54d 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -16,21 +16,27 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include + include + include - signal (send) set=(term, kill) peer=keepassxc-proxy, + signal send set=(term, kill) peer=firefox//&keepassxc-proxy, #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @{exec_path} mrix, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, - @{lib}/mozilla/plugins/libvlcplugin.so mr, + @{lib}/mozilla/plugins/*.so mr, # Desktop integration @{bin}/gnome-software rPx, - @{bin}/kreadconfig5 rix, + @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @@ -40,8 +46,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # Common extensions /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, @{bin}/browserpass rPx, - # As a temporary solution - see issue #128 - @{bin}/keepassxc-proxy rix, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, 
@@ -57,14 +62,16 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{rand6}.tmp r, owner @{tmp}/@{rand8}.txt w, owner @{tmp}/* w, # file downloads (to anywhere) - owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla*/ rw, owner @{tmp}/mozilla*/* rwk, - owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, - owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk, + + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w, # Silencer deny @{lib_dirs}/** w, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 5223486d0..1c418eef4 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f2526292b..97e5645b9 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest 
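Review bot: `BrowsrServer` in the new `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w,` looks like a typo; as far as I know the KeePassXC browser-integration socket is named `org.keepassxc.KeePassXC.BrowserServer`, so as written the rule would never match and the connect would still be denied. Check an `aa-log` denial for the exact path before changing it to `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,`. The `{@{hex15},@{hex16}}` replacements for the `???????????????` wildcards are a welcome tightening. The enclosing profile body continues outside the hunk.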
@@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = firefox{,.sh,-esr,-bin} +@{name} = firefox{,-esr,-bin} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @@ -16,15 +17,21 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} mr, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, + owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, + owner @{config_dirs}/firefox/*/.parentlock rw, owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index d23d94bb8..efcad72f8 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,9 @@ include profile firefox-kmozillahelper @{exec_path} { include include - include include + include + include include include include 
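Review bot: The new `owner @{config_dirs}/firefox/*/.parentlock rw,` and the two `startupCache` read rules grant a GL probe helper access to the profile lock and cache, whereas the sibling firefox-vaapitest profile (unchanged context in this commit) and the renamed torbrowser-glxtest both handle the same paths with `deny` rules, apparently as silencers for inherited descriptors. Unless glxtest genuinely reads these files, the least-privilege and consistent form is `deny @{config_dirs}/firefox/*/.parentlock rw,` and `deny @{cache_dirs}/firefox/*/startupCache/** r,` as firefox-vaapitest does. If the allow is deliberate, a one-line comment saying why glxtest differs from vaapitest would save the next reader the comparison.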
@@ -24,29 +25,21 @@ profile firefox-kmozillahelper @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, /etc/xdg/menus/ r, /etc/xdg/menus/applications-merged/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kdeglobals.@{rand6} rwl, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + + owner @{user_share_dirs}/kservices5/ r, + owner @{user_share_dirs}/kservices5/searchproviders/ r, owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 08cfc081a..6e13ee872 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 94dacaf2c..4c86af87a 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container index c7a11b75b..b326d14b4 100644 --- a/apparmor.d/groups/browsers/firefox-plugin-container +++ b/apparmor.d/groups/browsers/firefox-plugin-container @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 785a7f547..36069d36f 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,6 +25,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index 41f8bb3cc..f616df6c6 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile msedge @{exec_path} { @{lib_dirs}/xdg-mime rix, #-> xdg-mime, @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - + @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler, diff --git a/apparmor.d/groups/browsers/msedge-crashpad-handler b/apparmor.d/groups/browsers/msedge-crashpad-handler index 9ac6cec22..67e8212ff 100644 --- a/apparmor.d/groups/browsers/msedge-crashpad-handler +++ b/apparmor.d/groups/browsers/msedge-crashpad-handler 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-sandbox b/apparmor.d/groups/browsers/msedge-sandbox index 6424e7bd0..2d4dcdd3e 100644 --- a/apparmor.d/groups/browsers/msedge-sandbox +++ b/apparmor.d/groups/browsers/msedge-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 5fbb9b8f2..8268db2e1 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 33ce558d3..54cc05481 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 7b7d6b8d5..01661215a 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox index 4dc591aa3..bebe0a902 100644 --- a/apparmor.d/groups/browsers/opera-sandbox +++ b/apparmor.d/groups/browsers/opera-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/browsers/torbrowser similarity index 69% rename from apparmor.d/groups/whonix/torbrowser rename to apparmor.d/groups/browsers/torbrowser index 0ec13ed51..5068886c3 100644 --- a/apparmor.d/groups/whonix/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/firefox{,.real} @@ -17,10 +17,19 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { include include + # Uncomment if you want to give the Tor Browser access to the common download directory. + # include + @{exec_path} mrix, - @{lib_dirs}/abicheck rix, - @{lib_dirs}/updater rPx, + @{lib_dirs}/abicheck ix, + @{lib_dirs}/glxtest Px -> torbrowser//&torbrowser-glxtest, + @{lib_dirs}/updater Px, + @{lib_dirs}/vaapitest Px -> torbrowser//&torbrowser-vaapitest, + + #aa:exclude whonix + @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** Px -> torbrowser-tor, + @{lib_dirs}/TorBrowser/Tor/tor Px -> torbrowser-tor, /usr/share/homepage/{,**} r, 
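Review bot: Both `Px -> torbrowser-tor` transitions match under `@{lib_dirs}`, which this same commit redefines to two user-writable locations (`@{user_share_dirs}/torbrowser/...` and `@{HOME}/.tb/...`), so the confinement of whatever sits at those paths rests on the bundle's integrity rather than on a root-owned install path as with `@{lib}` rules; that is inherent to a per-user Tor Browser but deserves a comment, e.g. `# @{lib_dirs} is user-writable: exec transitions trust the bundle, not the path.` The `PluggableTransports/**` glob also matches nested directories, which seems intended for the transport layout but is worth stating next to it. The scope of the `#aa:exclude whonix` directive (one line or both tor-related lines) is not visible here; if it is meant to cover both, a comment saying so would help.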
@@ -33,14 +42,18 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner "@{tmp}/Tor Project*" rwk, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, + owner @{tmp}/@{rand8}.* rw, + owner @{tmp}/mozilla_pc@{int}/ rw, + owner @{tmp}/mozilla_pc@{int}/* rwk, # Due to the nature of the browser, we silence much more than for Firefox. + deny capability sys_ptrace, deny network inet dgram, # TOR does not work over UDP deny network inet6 dgram, + deny network inet6 stream, # TOR does not work over IPv6 deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user, deny @{bin}/lsb_release x, deny @{lib_dirs}/crashreporter x, - deny @{lib_dirs}/glxtest x, deny @{lib_dirs}/minidump-analyzer x, deny @{lib_dirs}/pingsender x, deny /usr/share/dconf/** r, @@ -56,6 +69,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { deny /etc/passwd r, deny /etc/resolv.conf r, deny /var/lib/dbus/machine-id r, + deny owner @{HOME}/ r, deny owner @{user_config_dirs}/dconf/user r, deny owner @{user_config_dirs}/gtk-*/{,**} rw, deny owner @{run}/user/@{uid}/dconf/ rw, diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest similarity index 65% rename from apparmor.d/groups/whonix/torbrowser-glxtest rename to apparmor.d/groups/browsers/torbrowser-glxtest index cbc009db1..4939edfbf 100644 --- a/apparmor.d/groups/whonix/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest 
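Review bot: The comment on the new `deny network inet6 stream, # TOR does not work over IPv6` is inaccurate as a statement about Tor, which does carry client traffic to IPv6 relays and bridges; what the rule presumably reflects is that the browser process itself only reaches the local SOCKS and control ports over IPv4 loopback, and the new torbrowser-tor profile likewise grants only `network inet stream`. Suggest `deny network inet6 stream, # the browser only reaches tor's SOCKS/control ports over IPv4 loopback` so nobody later loosens the tor profile on the wrong premise. `deny capability sys_ptrace,` is a good addition. `owner @{tmp}/@{rand8}.* rw,` is broad for a profile that otherwise silences so much and could use a comment naming what creates those files.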
@@ -2,31 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/glxtest -profile torbrowser-glxtest @{exec_path} { +profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include include + include @{exec_path} mr, - owner @{config_dirs}/.parentlock rw, - - owner @{tmp}/@{name}/.parentlock rw, - owner @{PROC}/@{pid}/cmdline r, + deny @{config_dirs}/.parentlock rw, + include if exists } diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher new file mode 100644 index 000000000..343d3e0d0 --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-launcher 
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ + +@{exec_path} = @{bin}/torbrowser-launcher +profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + + network netlink raw, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/file ix, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/grep ix, + @{bin}/sed ix, + @{bin}/tail ix, + + @{lib_dirs}/execdesktop ix, + @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix, + + /usr/share/file/** r, + /usr/share/torbrowser-launcher/{,**} r, + + owner @{user_cache_dirs}/torbrowser/{,**/} rw, + owner @{user_cache_dirs}/torbrowser/download/** rw, + owner @{user_cache_dirs}/torbrowser/torbrowser.gpg rw, + + owner @{user_config_dirs}/torbrowser/{,**/} rw, + owner @{user_config_dirs}/torbrowser/settings.json rw, + + owner @{user_share_dirs}/torbrowser/{,**} rw, + + owner @{PROC}/@{pid}/cmdline r, + + /dev/tty rw, + + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + @{bin}/gpg-agent ix, + @{lib}/{,gnupg/}scdaemon ix, + + owner @{HOME}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + + owner @{user_share_dirs}/torbrowser/ r, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + 
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-plugin-container b/apparmor.d/groups/browsers/torbrowser-plugin-container similarity index 77% rename from apparmor.d/groups/whonix/torbrowser-plugin-container rename to apparmor.d/groups/browsers/torbrowser-plugin-container index 9fcb1bd3d..88abc411c 100644 --- a/apparmor.d/groups/whonix/torbrowser-plugin-container +++ b/apparmor.d/groups/browsers/torbrowser-plugin-container @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/plugin-container diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start new file mode 100644 index 000000000..58bb31ac8 --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-start 
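Review bot: In the `gpg` child profile, `owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,` grants link permission between the launcher's dedicated GnuPG homedir and the user's personal keyring directory, and the `S.gpg-agent{,.ssh,.browser,.extra}` rule lets the bundle-verification gpg connect to the user's ssh and extra agent sockets; neither seems needed to verify a downloaded bundle against a homedir the launcher populates itself, and both blur the isolation the separate homedir is meant to provide. Unless denial logs show these accesses, drop the `l -> ...` part (leaving `rwk`) and narrow the socket glob to `S.gpg-agent`. Reading the personal `gpg.conf`/`gpgsm.conf` is also worth a comment if intentional, since options there would then influence the launcher's verification run.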
@@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ + +@{exec_path} = @{lib_dirs}/start-tor-browser +profile torbrowser-start @{exec_path} { + include + include + + @{exec_path} rm, + + @{sh_path} rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env r, + @{bin}/expr ix, + @{bin}/file ix, + @{bin}/getconf ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/srm ix, + + @{lib_dirs}/abicheck ix, + @{lib_dirs}/firefox{,.real} Px -> torbrowser, + + /usr/share/file/** r, + + /etc/magic r, + + owner @{lib_dirs}/.config/ibus/{,**} rw, + owner @{lib_dirs}/.local/* rw, + owner @{lib_dirs}/sed@{rand6} rw, + owner @{lib_dirs}/TorBrowser/Tor/tor r, + + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/start-tor-browser.desktop rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw, + + owner @{HOME}/.xsession-errors rw, + owner @{HOME}/.tb/tor-browser/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor new file mode 100644 index 000000000..73a111206 --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-tor 
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{data_dirs} = @{lib_dirs}/TorBrowser/Data/ + +@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor +profile torbrowser-tor @{exec_path} { + include + include + include + + network inet stream, + network netlink raw, + + @{exec_path} mr, + + @{lib_dirs}/{,**} r, + @{lib_dirs}/TorBrowser/Tor/*.so* m, + @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix, + + owner @{data_dirs}/Tor/ rw, + owner @{data_dirs}/Tor/** rw, + owner @{data_dirs}/Tor/lock rwk, + + /tmp/onionshare/** rw, # OnionShare compatibility + + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/net/core/somaxconn r, + + deny /etc/group r, + deny /etc/host.conf r, + deny /etc/hosts r, + deny /etc/machine-id r, + deny /etc/mailcap r, + deny /etc/nsswitch.conf r, + deny /etc/os-release r, + deny /etc/passwd r, + deny /etc/resolv.conf r, + deny /etc/services r, + deny /var/lib/dbus/machine-id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater similarity index 74% rename from apparmor.d/groups/whonix/torbrowser-updater rename to apparmor.d/groups/browsers/torbrowser-updater index 4f0e16823..a5c1e7cc3 100644 --- a/apparmor.d/groups/whonix/torbrowser-updater +++ b/apparmor.d/groups/browsers/torbrowser-updater @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{exec_path} = @{lib_dirs}/updater profile torbrowser-updater @{exec_path} { 
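Review bot: `/tmp/onionshare/** rw, # OnionShare compatibility` hard-codes `/tmp` and omits `owner`, unlike every other temporary-file rule in these profiles, which use `owner @{tmp}/...`; in a world-writable directory that lets tor read and write files created by other users under that name. Suggest `owner @{tmp}/onionshare/** rw, # OnionShare compatibility`. `@{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix,` runs transports inside the tor profile from a user-writable path, which matches the torbrowser profile's `Px -> torbrowser-tor` but is worth a comment. The profile grants only `network inet stream`, so IPv6 bridges or relays will not be reachable; if that is deliberate, say so next to the rule.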
@@ -16,14 +16,12 @@ profile torbrowser-updater @{exec_path} { @{exec_path} mr, @{lib_dirs}/*.so mr, - @{lib_dirs}/firefox{,.real} rPx, + @{lib_dirs}/firefox{,.real} Px -> torbrowser, owner @{lib_dirs}/{,**} rw, owner @{tmp}/#@{int} rw, - deny owner @{lib_dirs}/Downloads/** rw, - include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest similarity index 58% rename from apparmor.d/groups/whonix/torbrowser-vaapitest rename to apparmor.d/groups/browsers/torbrowser-vaapitest index d29d1265a..37ea80f91 100644 --- a/apparmor.d/groups/whonix/torbrowser-vaapitest +++ b/apparmor.d/groups/browsers/torbrowser-vaapitest @@ -2,18 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/vaapitest -profile torbrowser-vaapitest @{exec_path} { +profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) { include include @@ -21,11 +21,10 @@ profile torbrowser-vaapitest @{exec_path} { @{exec_path} mr, - owner @{tmp}/@{name}/.parentlock rw, - + deny @{lib_dirs}/{,browser/}omni.ja r, + deny @{cache_dirs}/profile.default/startupCache/* r, deny @{config_dirs}/.parentlock rw, - deny @{config_dirs}/startupCache/** r, - deny @{user_cache_dirs}/startupCache/* r, + deny @{config_dirs}/extensions/*.xpi r, include if exists } diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 2b0ac0475..8ead7a4e0 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd 
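Review bot: Removing `deny owner @{lib_dirs}/Downloads/** rw,` widens what the updater can touch, because the unchanged `owner @{lib_dirs}/{,**} rw,` in context now also covers the browser's download directory, and the commit gives no reason. If the deny was dropped because it produced noise or broke in-place updates, record that in a comment; otherwise keep `deny owner @{lib_dirs}/Downloads/** rw,` so a buggy or compromised updater cannot read or alter downloaded files. The explicit `Px -> torbrowser` target for `firefox{,.real}` is a good change.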
@@ -3,13 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -17,24 +18,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, - #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=:*), - dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=:*), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), + #aa:dbus own bus=accessibility name=org.a11y.atspi + #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -43,8 +28,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index dc4ded9cd..1a4b83e2e 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -2,13 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include + include include include include 
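Review bot: The explicit `dbus send`/`dbus receive` rules, each limited to a path, interface and member, are replaced by `#aa:dbus own bus=accessibility name=org.a11y.atspi` and `#aa:dbus talk ... name=org.a11y.{B,b}us`, and the owned name is also widened from the previously commented `org.a11y.atspi.{R,r}egistry` to the bare `org.a11y.atspi` prefix. If the directive expands to a prefix match this is a notable broadening for a process that previously needed only `Set`, `Embed` and two `Get*Listeners` members; if that is the accepted trade-off for using the generator, a comment such as `# registryd owns the whole org.a11y.atspi tree (root, registry, deviceeventcontroller)` would document it. Dropping `owner /dev/tty@{int} rw,` is fine.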
@@ -16,11 +17,16 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, - dbus bus=accessibility, - + #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us dbus receive bus=session @@ -50,6 +56,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, + owner @{tmp}/xauth_@{rand6} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gdm/Xauthority r, @@ -57,14 +65,13 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/attr/apparmor/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/oom_score_adj r, include if exists } diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index e5e382795..ecec3cb49 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -4,10 +4,10 @@ # Profile for session dbus, regardless of the dbus implementation used. # It does not specify an attachment path as it would be the same than -# "dbus-system". It is intended to be used only via "Px ->" or via +# "dbus-system". It is intended to be used only via "Px ->" or via # systemd drop-in AppArmorProfile= setting. -abi , +abi , include 
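Review bot: The five new `network inet/inet6 dgram/stream` and `network netlink raw` rules give the accessibility bus launcher general socket access with no explanation, while the rest of the hunk narrows the blanket `dbus bus=accessibility,` to `#aa:dbus own bus=accessibility name=org.freedesktop.DBus`. If these only serve name-service lookups by libc or dbus-daemon, a comment such as `# nss/getaddrinfo` above them would justify the breadth; if a specific denial prompted them, name it. `@{PROC}/1/cgroup r,` reads PID 1's cgroup rather than the daemon's own, which the adjacent `owner @{PROC}/@{pid}/cgroup r,` already covers, so a why-comment there would help too.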
@@ -18,20 +18,19 @@ profile dbus-session flags=(attach_disconnected) { include include include + include include network unix stream, unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), - signal (receive) set=(term hup) peer=gdm-session-worker, - signal (receive) set=(term hup) peer=gdm-session, - signal (receive) set=(term hup) peer=gdm, + signal (receive) set=(term hup) peer=gdm{,-*}, signal (send) set=(term hup kill) peer=dbus-accessibility, signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - dbus bus=session, + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} @{exec_path} mrix, @@ -51,6 +50,9 @@ profile dbus-session flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + # Dbus can receive any user files + owner @{HOME}/** r, + owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, @@ -64,7 +66,7 @@ profile dbus-session flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index f001c27b7..3b8a1e143 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -7,7 +7,7 @@ # "dbus-session". It is intended to be used only via "Px ->" or via # systemd drop-in AppArmorProfile= setting. -abi , +abi , include @@ -15,8 +15,9 @@ include @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-system flags=(attach_disconnected) { include - include include + include + include include capability audit_write, 
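Review bot: `owner @{HOME}/** r,` hands the session bus daemon read access to the user's entire home directory, and the one-line `# Dbus can receive any user files` understates why that is unavoidable: file descriptors passed over the bus are revalidated against the receiving process's profile, so the daemon must be allowed whatever clients may hand it. Suggest `# fds passed over the bus (SCM_RIGHTS) are checked against this profile, so any user file a client may send must be readable here` so nobody later narrows the rule. The same rule appears without `owner` in dbus-system in this commit, presumably because the system daemon does not run as the files' owner; that reasoning is worth stating there as well.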
@@ -32,7 +33,7 @@ profile dbus-system flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - dbus bus=system, + #aa:dbus own bus=system name=org.freedesktop.DBus @{exec_path} mrix, @@ -48,14 +49,17 @@ profile dbus-system flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - @{desktop_share_dirs}/icc/ r, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/ r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/ r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/ r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, - @{run}/systemd/inhibit/*.ref rw, + # Dbus can receive any user files + @{HOME}/** r, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{int} r, @{sys}/kernel/security/apparmor/.access rw, @@ -66,14 +70,15 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/oom_score_adj r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 52707ff63..dca91e5f2 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index f45474e45..8746e3795 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 250ffafbd..ab3b2b2fd 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index ea39af4be..5182b0dca 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 27b7613d5..34d881a8a 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 66fef2950..0a8d7bdab 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,10 +16,10 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=ibus-daemon, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 9c779eb72..5d96f359e 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,20 +14,16 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus bind bus=session name=org.freedesktop.portal.IBus, + #aa:dbus own bus=session name=org.freedesktop.portal.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=:*, label=ibus-daemon), - @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 44bb611fe..1096594aa 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,14 +17,15 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - unix (connect, receive, send) type=stream peer=(label=ibus-daemon), - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + # unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + unix (send receive connect) type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect 
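Review bot: The previous unix rule to `ibus-daemon` is kept as dead text (`# unix (connect, receive, send) type=stream peer=(label=ibus-daemon),`) with no reason given for parking it, while the replacement only covers the X11 socket of `gnome-shell`. Either remove the line or annotate why it stays, e.g. `# TODO: ibus-daemon peer no longer observed on X11; remove after confirming on a non-GNOME session`, since commented-out rules in a profile tend to be re-enabled by copy-paste without re-examination. The enclosing profile continues outside this hunk.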
@@ -32,6 +33,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index a90f2a85b..24df581f9 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -9,7 +9,7 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index 227b92249..6ea41a9e8 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -9,7 +9,7 @@ # it is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index fb91234b0..315a5bf07 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -12,13 +12,14 @@ # intended to be used only via "Px -> child-modprobe-nvidia" exec transitions # from other profiles. -abi , +abi , include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include + include include capability chown, @@ -53,8 +54,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, - /dev/tty@{int} rw, - deny @{HOME}/.steam/** r, profile kmod { 
@@ -62,13 +61,9 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { include capability mknod, - # capability sys_module, /etc/nvidia/{current,legacy*,tesla*}/*.conf r, - # @{sys}/module/ipmi_devintf/initstate r, - # @{sys}/module/ipmi_msghandler/initstate r, - # @{sys}/module/{drm,nvidia}/initstate r, @{sys}/module/compression r, deny @{HOME}/.steam/** r, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 9b34f319e..6804326aa 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -15,7 +15,7 @@ # intended to be used only via "Px -> child-open" exec transitions # from other profiles. -abi , +abi , include diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any new file mode 100644 index 000000000..58847a3e3 --- /dev/null +++ b/apparmor.d/groups/children/child-open-any @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is designed to be used in a child profile to limit what +# confined application can invoke via open helper. + +# This version of child-open allows to open any programs. + +abi , + +include + +profile child-open-any flags=(attach_disconnected) { + include + include + + @{open_path} mr, + + @{sh_path} r, + + @{bin}/** PUx, + @{lib}/** PUx, + @{user_bin_dirs}/** PUx, + /opt/*/** PUx, + /usr/local/bin/** PUx, + /usr/share/** PUx, + + @{bin}/ r, + @{user_bin_dirs}/ r, + / r, + /usr/ r, + /usr/local/bin/ r, + + /dev/tty rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor + diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index e3da8f38d..6873ea2fc 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers 
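Review bot: In the new child-open-any profile, `@{user_bin_dirs}/** PUx` and `/usr/share/** PUx` execute whatever is found there unconfined whenever no dedicated profile exists, and `@{user_bin_dirs}` lives under the user's home; a caller that can write to its own home (and, presumably, to the directory the open helper reads its handlers from) could therefore leave confinement through this child profile. That may well be the stated intent (`This version of child-open allows to open any programs`), but the header should spell out the trust consequence so it is not chosen casually: `# WARNING: PUx means unconfined execution of anything without a profile, including user-writable locations; only reference this profile from callers already trusted with the whole session.` If unconfined execution from home is not intended, `@{user_bin_dirs}/** Px,` keeps the remaining entries while refusing unprofiled binaries there.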
@@ -11,7 +11,7 @@ # intended to be used only via "Px -> child-open-browsers" exec transitions # from other profiles. -abi , +abi , include diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index 23f9beade..d70cd920a 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index cea3dc5e0..98bbdcdb9 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -7,7 +7,7 @@ # This version of child-open only allow to open browsers & folders. -abi , +abi , include @@ -15,8 +15,8 @@ profile child-open-strict { include include - @{browsers_path} rPx, - @{file_explorers_path} rPx, + @{browsers_path} Px, + @{file_explorers_path} Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index ebaf6724d..4f9edd9ea 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -9,12 +9,12 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include @{exec_path} = @{bin}/pager @{bin}/less @{bin}/more -profile child-pager { +profile child-pager flags=(attach_disconnected) { include include @@ -27,6 +27,7 @@ profile child-pager { @{exec_path} mr, @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, @{HOME}/.lesshst r, @@ -37,6 +38,8 @@ profile child-pager { owner @{user_state_dirs}/ r, owner @{user_state_dirs}/lesshs* rw, + /dev/tty@{int} rw, + include if exists } 
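Review bot: child-pager gains `/dev/tty@{int} rw` without `owner`, so the pager may open any virtual console, whereas the same patch writes this as `owner /dev/tty@{int} rw,` in polkit-mate-authentication-agent. A pager is driven from the invoking user's own terminal, so `owner /dev/tty@{int} rw,` should suffice; if the unqualified form was required for a tty owned by another user (su/sudo sessions), that case deserves a comment. The new `flags=(attach_disconnected)` on the profile line also warrants a one-line reason, since it changes how disconnected paths are mediated rather than just silencing a denial.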
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index d9657a627..6dd9afd4a 100644 --- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl @@ -9,7 +9,7 @@ # it is invoked from other confined applications, but not when it is # used in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined index 1d07d7c16..c4d3c9fed 100644 --- a/apparmor.d/groups/children/user_confined +++ b/apparmor.d/groups/children/user_confined @@ -5,7 +5,7 @@ # Allow confined users to read, write, lock and link to their own files # anywhere, and execute from some places. -abi , +abi , include diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default index 4b010d22c..2853a8deb 100644 --- a/apparmor.d/groups/children/user_default +++ b/apparmor.d/groups/children/user_default @@ -6,7 +6,7 @@ # but only write to files in their home directory. Only allow limited execution # of files. -abi , +abi , include diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined index ea40d67bf..db410d6a2 100644 --- a/apparmor.d/groups/children/user_unconfined +++ b/apparmor.d/groups/children/user_unconfined @@ -2,12 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include profile user_unconfined flags=(attach_disconnected,mediate_deleted) { - capability, network, mount, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index a1a04dfa3..7c57f9468 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -57,9 +57,10 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - owner @{PROC}/@{pid}/uid_map r, - owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/fd/ r, @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, /dev/tty rw, @@ -73,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index ccce517a9..15d1b9737 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index e521016cb..61aeaf881 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 51057f47f..29294fa53 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -70,9 +70,6 @@ profile cron-apt @{exec_path} { /var/log/cron-apt/mail rw, /var/log/cron-apt/lastfullmessage rw, - # For the "ls" command - @{lib}/locale/locale-archive r, - # TMP /tmp/ r, owner @{tmp}/cron-apt.*/ rw, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 5c0c8054a..2aaa6b142 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/cron/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs index 6415e66b1..1b3f40d87 100644 --- a/apparmor.d/groups/cron/cron-apt-listbugs +++ b/apparmor.d/groups/cron/cron-apt-listbugs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,6 +33,7 @@ profile cron-apt-listbugs @{exec_path} { /var/spool/apt-listbugs/lastprefclean rw, + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-apt-show-versions b/apparmor.d/groups/cron/cron-apt-show-versions index 460a98d7e..213ed194f 100644 --- a/apparmor.d/groups/cron/cron-apt-show-versions +++ b/apparmor.d/groups/cron/cron-apt-show-versions @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 335576536..2c3f90a9a 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 5769edadf..76657dc94 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index 5bc3aed32..8a87bd2af 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums index 6ca80c582..46a3bbe07 100644 
--- a/apparmor.d/groups/cron/cron-debsums +++ b/apparmor.d/groups/cron/cron-debsums @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,13 @@ profile cron-debsums @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/true rix, + @{bin}/{,e}grep rix, + @{bin}/debsums rPx, + @{bin}/ionice rix, @{bin}/logger rix, @{bin}/sed rix, - @{bin}/{,e}grep rix, - - @{bin}/ionice rix, - - @{bin}/debsums rPx, @{bin}/tee rCx -> tee, + @{bin}/true rix, /etc/ r, /etc/default/debsums r, @@ -31,18 +29,17 @@ profile cron-debsums @{exec_path} { # For shell pwd / r, - profile tee { include include - # Needed to write to /proc/self/fd/3 capability dac_override, @{bin}/tee mr, - owner @{PROC}/@{pid}/fd/3 rw, + owner @{PROC}/@{pid}/fd/@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index ce32b715e..3e6c182a7 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-dlocate b/apparmor.d/groups/cron/cron-dlocate index fa4b03f8d..9599b6b4d 100644 --- a/apparmor.d/groups/cron/cron-dlocate +++ b/apparmor.d/groups/cron/cron-dlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-etckeeper b/apparmor.d/groups/cron/cron-etckeeper index 36e105eb6..28a845cfe 100644 --- a/apparmor.d/groups/cron/cron-etckeeper +++ b/apparmor.d/groups/cron/cron-etckeeper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 8fdfb9126..42f2f0823 100644 
--- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 6f569d364..601368446 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index 723ffe0d8..abe3542f6 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 941f2ef11..8629f7be2 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 9ee08974a..852e85141 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index ebc53dcf2..17ab7f745 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -2,7 +2,7 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index bae69e971..7080658c3 100644 
--- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 3d25fecff..dd50a7494 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -152,7 +152,7 @@ profile cron-popularity-contest @{exec_path} { owner @{tmp}/#@{int} rw, # file_inherit - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-sysstat b/apparmor.d/groups/cron/cron-sysstat index 064ebc792..4ca22b6a1 100644 --- a/apparmor.d/groups/cron/cron-sysstat +++ b/apparmor.d/groups/cron/cron-sysstat @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 3490199a1..bfd4158ad 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab 
@@ -3,35 +3,42 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include + include include include + capability audit_write, + capability chown, + capability dac_read_search, + capability net_admin, capability setgid, capability setuid, + network netlink raw, + @{exec_path} mr, @{sh_path} rix, - - # When editing the crontab file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, /etc/cron.{allow,deny} r, + /etc/environment r, /etc/pam.d/* r, + /etc/security/*.conf r, - /var/spool/cron/ r, - /var/spool/cron/crontabs/ rw, - owner /var/spool/cron/crontabs/* rw, + /var/spool/cron/ r, + /var/spool/cron/** rw, - owner @{tmp}/crontab.*/{,crontab} rw, + owner @{user_cache_dirs}/crontab/crontab.bak rw, + + @{tmp}/crontab.@{rand6}/{,crontab} rwl, profile editor { include @@ -42,7 +49,8 @@ profile crontab @{exec_path} { /etc/cron.{allow,deny} r, /tmp/ r, - owner @{tmp}/crontab.*/crontab rw, + owner @{tmp}/crontab.@{rand6}/crontab rw, + owner @{tmp}/crontab.@{rand6} rw, include if exists } diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 3c66936d0..04accbbf0 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/display-manager/lightdm-gtk-greeter b/apparmor.d/groups/display-manager/lightdm-gtk-greeter index 60fab17a2..e0f5f02f2 100644 --- a/apparmor.d/groups/display-manager/lightdm-gtk-greeter +++ b/apparmor.d/groups/display-manager/lightdm-gtk-greeter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
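Review bot: `/var/spool/cron/** rw,` replaces `owner /var/spool/cron/crontabs/* rw,` — it drops the `owner` check and widens from the crontabs directory to everything under the spool, for a setuid/setgid helper whose job is to edit one user's file. Prefer keeping the narrow form, `/var/spool/cron/crontabs/ rw,` plus `owner /var/spool/cron/crontabs/* rw,`, and if some distribution stores the files root-owned, drop `owner` on that exact path rather than reaching for `**`. The same hunk removes `owner` from `@{tmp}/crontab.@{rand6}/{,crontab} rwl,` while the `editor` subprofile keeps `owner` on the same path; the two should agree, and `owner` is what protects a predictable name in a shared /tmp. The added `capability net_admin` and `network netlink raw` are presumably for the audit/PAM session setup alongside `audit_write`; a short comment naming the reason would spare the next reviewer the guess.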
@@ -25,7 +25,6 @@ profile lightdm-gtk-greeter @{exec_path} { @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, /usr/share/backgrounds/xfce/{,**} r, - /usr/share/desktop-base/{,**} r, /usr/share/lightdm/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, diff --git a/apparmor.d/groups/display-manager/lightdm-xsession b/apparmor.d/groups/display-manager/lightdm-xsession index 14df741df..69a49eecf 100644 --- a/apparmor.d/groups/display-manager/lightdm-xsession +++ b/apparmor.d/groups/display-manager/lightdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 6d95290c8..d2f005264 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 6278d2ac7..687e0e920 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,22 +18,26 @@ profile xdm-xsession @{exec_path} { @{shells_path} rix, - @{bin}/checkproc rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/checkproc rix, @{bin}/dirname rix, + @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, @{bin}/grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/sed rix, @{bin}/ssh-agent rix, + @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/whoami rix, + @{bin}/xmodmap rPUx, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, 
@@ -51,11 +55,12 @@ profile xdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/sys.xsession rix, @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh rix, @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh rix, - @{HOME}/.xinitrc rPix, + @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, + /usr/share/terminfo/{,**} r, @{etc_ro}/X11/xdm/scripts/{,*} r, @{etc_ro}/X11/xim r, @@ -70,6 +75,7 @@ profile xdm-xsession @{exec_path} { /etc/sysconfig/* r, owner @{HOME}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{user_share_dirs}/sddm/xorg-session.log rw, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 4f2e8b64c..539a2a57d 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_ptrace, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, #aa:dbus own bus=system name=org.freedesktop.Accounts 
@@ -58,24 +58,23 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { /etc/shells r, /etc/sysconfig/displaymanager r, + /var/log/wtmp r, + owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, @{HOME}/ r, owner @{HOME}/.pam_environment r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pids}/loginuid r, - @{PROC}/@{pids}/cmdline r, + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/loginuid r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - - # wtmp.d ? - /var/log/wtmp r, - - owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 418864a6f..ffdfe08a0 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -49,10 +49,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{desktop_share_dirs}/icc/edid-*.icc r, - @{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, + @{att}/@{user_share_dirs}/icc/edid-*.icc r, - @{run}/systemd/journal/socket rw, @{run}/systemd/sessions/* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session index e61063bda..16c109970 100644 --- a/apparmor.d/groups/freedesktop/colord-session +++ b/apparmor.d/groups/freedesktop/colord-session @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 0b1d0ead3..b9811b1a6 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -32,7 +32,7 @@ profile cpupower @{exec_path} { @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw, - @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state[0-9]/disable rw, + @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw, @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, @@ -40,7 +40,6 @@ profile cpupower @{exec_path} { /dev/cpu/@{int}/msr r, - profile kmod { include include diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 6abd28da3..be4972f04 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index 00d6553ec..3fdbb8b65 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 120ff3920..ccebcad74 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/freedesktop/desktop-file-install b/apparmor.d/groups/freedesktop/desktop-file-install index 269a6b39a..aa9ccae1b 100644 --- a/apparmor.d/groups/freedesktop/desktop-file-install +++ b/apparmor.d/groups/freedesktop/desktop-file-install @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 3fbd77be0..c74ad2958 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index cd31a79de..3f2fb4e02 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index e5d86092a..ec1633a9e 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -41,8 +41,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { /var/lib/nscd/services r, /var/lib/dbus/machine-id r, - @{run}/systemd/journal/socket rw, - @{PROC}/@{pids}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index c8ab6b2b8..d7122bdbb 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index bdadeabe3..f6f4c12aa 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -44,8 +44,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, - / r, - /.flatpak-info r, + / r, + @{att}/ r, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index f316df3b0..212898a84 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index a0026b4e1..530fa97db 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,8 +28,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - / r, - /.flatpak-info r, + @{att}/ r, + owner @{att}/.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, owner @{tmp}/librnnoise-@{int}.so rm, diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index 278c09aea..327eca3e5 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index e5440d614..bd5a34dcd 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 815375f20..8e5933073 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index d6265589f..bb6e457ff 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index 71709ed4f..94bc7ece6 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 7754ee09f..7ca73cd63 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -31,12 +31,12 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /etc/machine-id r, + /etc/xdg/plasmarc r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/ rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk, owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**, diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 762882b74..0dfea7525 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,13 +11,9 @@ include profile polkit-mate-authentication-agent @{exec_path} { include include - include - include + include include - include - include - include - include + include include signal (send) set=(term, kill) peer=polkit-agent-helper, @@ -26,19 +22,15 @@ profile polkit-mate-authentication-agent @{exec_path} { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /usr/share/X11/xkb/** r, - /var/lib/dbus/machine-id r, /etc/machine-id r, - owner @{HOME}/.Xauthority r, - - owner /dev/tty@{int} rw, - @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 2533b1982..089e61744 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
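Review bot: `owner /dev/tty@{int} rw,` is moved rather than dropped in the polkit-mate-authentication-agent hunk, whereas the same rule is removed from xdg-desktop-portal-gnome, xdg-permission-store and xdg-document-portal later in this diff. If an included abstraction now covers tty access for those profiles, the same may apply here; if the agent genuinely writes to a tty, a comment such as `# tty rw: <reason the agent needs a terminal>` would keep the rule from being removed by mistake later. The abstraction names are not readable in this rendering, so this is inferred from the parallel removals only. The profile block continues outside the hunk.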
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 0bb878ab6..804020b7b 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -78,12 +78,15 @@ profile pulseaudio @{exec_path} { /etc/pulse/{,**} r, + / r, + owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/cookie k, + owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index e070bff2f..ebf0ad6a3 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-desktop-database profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 778af218c..9efd9cccc 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 0428aebfc..1cb7c9583 100644 
--- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 92e6148b3..f832d285e 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,13 +34,14 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+serio:* r, # for serial mice @{run}/udev/data/+power_supply* r, @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/hid/devices/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index dea66efb8..e51f21e1e 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include include include 
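Review bot: The inhibit-lock rule in upowerd is replaced rather than extended: `@{run}/systemd/inhibit/[0-9]*.ref rw,` becomes `@{att}/@{run}/systemd/inhibit/@{int}.ref rw,`, so the path without the `@{att}` prefix is no longer matched. The profile carries `attach_disconnected`, so both the connected and the disconnected form are plausible at runtime; if the connected form is still seen, `@{run}/systemd/inhibit/@{int}.ref rw,` should stay alongside the new rule. The xdg-dbus-proxy hunk on the next line adds the same `@{att}/…` rule as a pure addition, which avoids the question there. The tightening from `[0-9]*` to `@{int}` itself is an improvement.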
@@ -16,14 +17,13 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include include network unix stream, dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime - member=MakeThreadRealtimeWithPID + member=MakeThread* peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), @{exec_path} mr, @@ -31,6 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index 7379369e1..ba699bdbd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -2,15 +2,45 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-desktop-icon profile xdg-desktop-icon @{exec_path} { include + include - @{exec_path} mr, + @{exec_path} r, + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + + # To get DE information + @{bin}/kde{,4}-config ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index 4204c51d1..f86fbedc8 100644 
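Review bot: `member=MakeThreadRealtimeWithPID` is widened to `member=MakeThread*` in the Realtime portal send rule, which matches every current and future method of that family instead of the single one the proxy was observed to call. Unless the whole family is known to be needed, an explicit list such as `member={MakeThreadRealtimeWithPID,MakeThreadHighPriorityWithPID}` keeps the rule as tight as before while covering the new call, or a comment should name the method that triggered the change. The matching receive rule in xdg-desktop-portal (context of the hunk two lines down) already uses `member=MakeThread*`, so the widening is at least symmetric. The profile continues outside the hunk.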
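Review bot: The new child profile in xdg-desktop-icon is declared `profile bus flags=(complain) {`, so dbus-send runs in complain mode even though the parent profile is enforcing, and nothing records whether that is temporary. The same complain-mode `bus` child is introduced in xdg-desktop-menu, xdg-email, xdg-icon-resource, xdg-mime, xdg-screensaver and xdg-settings further down, while xdg-open's `bus` child is `flags=(attach_disconnected)` without complain; one shared convention, plus a comment like `# complain until the bus rules are confirmed from logs` where complain is kept, would make the intended enforcement state explicit. The switch from `@{exec_path} mr,` to `@{exec_path} r,` is consistent with the script now being run through `@{sh_path} rix,`.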
--- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu @@ -3,44 +3,54 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { include - include include + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/mkdir rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/basename rix, - @{bin}/rm rix, - @{bin}/cp rix, - @{bin}/cat rix, - @{bin}/touch rix, - @{bin}/{m,g,}awk rix, - @{bin}/whoami rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/readlink rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/update-desktop-database rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw, - owner @{user_share_dirs}/applications/chrome-*.desktop rw, - owner @{HOME}/.gnome/apps/chrome-*.desktop rw, + @{bin}/dbus-send Cx -> bus, + @{bin}/update-desktop-database Px, + @{bin}/xprop Px, - /usr/share/applications/*.desktop rw, - /usr/share/*/*.desktop r, - - /usr/share/applications/defaults.list r, - /usr/share/applications/defaults.list.new w, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 59ef5a734..53218d821 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -20,13 +21,17 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include capability sys_ptrace, network netlink raw, - ptrace (read), + ptrace read, + + signal receive set=term peer=gdm, #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} dbus receive bus=session path=/org/freedesktop/portal/desktop @@ -34,19 +39,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { member=MakeThread* peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=CheckPermissions - peer=(name=:*, label=NetworkManager), - #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=xdg-document-portal), - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - peer=(name=:*, label=xdg-document-portal), + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
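Review bot: The two send-only rules to the document portal (`interface=org.freedesktop.DBus.Properties` and `interface=org.freedesktop.portal.Documents`, both `peer=(name=:*, label=xdg-document-portal)`) are replaced by `#aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal`. If the `talk` directive expands to send and receive on every interface under that path, this is broader than what it replaces; if it expands to no more than the removed rules, a comment saying so would spare the next reader a trip to the generator. The dropped NetworkManager `CheckPermissions` receive rule is a pure removal and looks fine. The profile continues outside the hunk.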
@@ -62,23 +57,27 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/nautilus rPx, - @{bin}/snap rPUx, - @{bin}/kreadconfig5 rPx, - @{lib}/xdg-desktop-portal-validate-icon rPUx, + @{bin}/kreadconfig{,5} rPx, + @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - /.flatpak-info r, + / r, + @{att}/.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, + /usr/share/gdm/greeter-dconf-defaults r, /etc/sysconfig/proxy r, - /var/lib/gdm{,3}/greeter-dconf-defaults r, + @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{gdm_config_dirs}/user-dirs.dirs r, - @{user_config_dirs}/kioslaverc r, + + @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/xdg-desktop-portal/* r, owner @{tmp}/icon* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 89135381c..e9bdfde1f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -2,18 +2,19 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include + include include include + include include include - include include include include 
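Review bot: `@{att}/.flatpak-info r,` is added in xdg-desktop-portal without an `owner` qualifier, whereas the same conversion in pipewire, pipewire-pulse and xdg-document-portal elsewhere in this diff writes `owner @{att}/.flatpak-info r,`. If xdg-desktop-portal runs as the session user like those, `owner @{att}/.flatpak-info r,` keeps the profiles consistent; if it deliberately reads another user's file, a comment should say so. The change of `@{lib}/xdg-desktop-portal-validate-icon` from `rPUx` to `rPx` and the removal of `@{bin}/snap rPUx` drop two unconfined fallbacks, which is the right direction. The profile continues outside the hunk.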
@@ -30,47 +31,28 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { signal (receive) set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome - - dbus send bus=session path=/org/gnome/Shell/Screenshot - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=RunningApplicationsChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=GetAppState - peer=(name=:*, label=xdg-desktop-portal), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus (send, receive) bus=session path=/org/gnome/Mutter/* - interface=org.gnome.Mutter.* - peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), - dbus send bus=session path=/org/gnome/Mutter/* - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), + #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell @{exec_path} mr, / r, @{bin}/ r, @{bin}/* r, + /opt/** r, /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, /usr/share/thumbnailers/{,**} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + owner @{desktop_config_dirs}/dconf/user r, + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, + owner 
@{HOME}/* r, owner @{HOME}/*/{,**} rw, owner @{MOUNTS}/ r, @@ -85,8 +67,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/status r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c21b955d0..0daa77899 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-desktop-portal-gtk -profile xdg-desktop-portal-gtk @{exec_path} { +profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include @@ -27,7 +27,8 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include - include + + signal receive set=term peer=gdm, unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), @@ -53,10 +54,14 @@ profile xdg-desktop-portal-gtk @{exec_path} { @{exec_path} mr, + /usr/share/gdm/greeter-dconf-defaults r, + / r, owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland new file mode 100644 index 000000000..876825ee4 --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland 
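Review bot: The Mutter rules that `#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell` replaces previously matched `peer=(name=:*, label="{gnome-shell,gsd-xsettings}")`, so the gsd-xsettings peer label is silently dropped; if that peer is still needed the directive presumably has to carry the second label, and if not, a short comment should record the intent. The new `/opt/** r,` is a broad read rule with no comment saying which files under /opt the portal reads, unlike the dconf and gdm rules beside it. This hunk starts on the previous physical line and the profile continues past it.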
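Review bot: Adding `flags=(attach_disconnected)` to xdg-desktop-portal-gtk means disconnected objects are now matched by the profile's existing absolute-path rules, including the `/ r,` added in the third hunk. Elsewhere in this diff the same flag is paired with explicit `@{att}/` rules (pipewire, xdg-document-portal), so it is worth checking whether this profile's `/ r,` should also be written in the `@{att}/` form, or whether the plain form is intended to cover both cases. The rest of the profile is outside the hunk, so this is inferred from the visible rules only.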
@@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/xdg-desktop-portal-hyprland +profile xdg-desktop-portal-hyprland @{exec_path} { + include + include + include + include + include + include + + @{exec_path} mr, + + @{sh_path} ix, + @{bin}/hyprland-share-picker rix, + @{bin}/sleep rix, + @{bin}/slurp rix, + + owner /tmp/hypr/ rw, + owner /tmp/hypr/\#@{int} rwkl, + owner /tmp/hypr/hyprland-share-picker.conf* rwkl, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index a5329097b..309248e18 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ include profile xdg-desktop-portal-kde @{exec_path} { include include + include include include @@ -26,14 +27,8 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_cache_dirs}/*.kcache r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kdeglobals{,.*} rwlk, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, 
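Review bot: The new xdg-desktop-portal-hyprland profile hardcodes `/tmp/hypr/` in three rules (`owner /tmp/hypr/ rw,` and the two below it) while every other temp rule in this diff goes through `@{tmp}` (e.g. `owner @{tmp}/icon* rw,` in xdg-desktop-portal, `owner @{tmp}/runtime-*/xauth_@{rand6} r,` in xdg-desktop-portal-gtk). Unless the picker is known to ignore the project's `@{tmp}` setting, `owner @{tmp}/hypr/ rw,` and the matching two rules would follow the convention. `@{sh_path} ix,` also lacks the `r` that the rewritten xdg-* profiles give `@{sh_path} rix,`. Keeping `owner` on the shared-directory rules is the right call.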
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index a76f73b36..62adb343b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 2735c8633..a5e27c7d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -39,8 +40,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, - / r, - owner /.flatpak-info r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, owner @{HOME}/ r, owner @{HOME}/*/{,**} rw, @@ -56,10 +57,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - /dev/fuse rw, - owner /dev/tty@{int} rw, + /dev/fuse rw, - profile fusermount { + profile fusermount flags=(attach_disconnected) { include include @@ -83,7 +83,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/mounts r, /dev/fuse rw, - owner /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index da457a0fe..cf580ceac 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email 
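Review bot: In the fusermount child of xdg-document-portal, `owner /dev/tty@{int} rw,` becomes `@{att}/dev/tty@{int} rw,`, so the `owner` restriction is lost along with the path change and the child may now write to any user's tty. Unless fusermount is known to need non-owned ttys, `owner @{att}/dev/tty@{int} rw,` keeps the original restriction. The earlier hunk in the same file does keep `owner` on its converted rules (`owner @{att}/ r,`, `owner @{att}/.flatpak-info r,`), so this looks like an oversight rather than intent.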
@@ -3,32 +3,51 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-email profile xdg-email @{exec_path} flags=(complain) { include + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cut rix, - @{bin}/echo rix, - @{bin}/gio rPx, - @{bin}/kreadconfig5 rPx, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/tail rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xdg-mime rPx, - @{thunderbird_path} rPx, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tail ix, + @{bin}/tr ix, + @{bin}/uname ix, - owner /dev/tty@{int} rw, + # To get DE information + @{bin}/kde{,4}-config ix, + @{bin}/gconftool{,-2} ix, + @{bin}/qtxdg-mat ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, + @{open_path} Px -> child-open-email, + @{thunderbird_path} Px, + + profile bus flags=(complain) { + include + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 9ece71574..4f29d38a0 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,35 +11,43 @@ include profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include - include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/whoami rix, - @{bin}/sed rix, - @{bin}/basename rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/rm rix, - @{bin}/readlink rix, - @{bin}/touch rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + @{bin}/whoami ix, - @{bin}/gtk{,4}-update-icon-cache rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - /usr/share/**/icons/**.png r, - /usr/share/icons/**.png rw, - /usr/share/icons/*/.xdg-icon-resource-dummy rw, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/gtk{,4}-update-icon-cache Px, + @{bin}/xprop Px, - owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, - - owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, - owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, - /opt/**/*.png r, - - deny @{user_share_dirs}/gvfs-metadata/* r, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index c279c41ad..15b73a2d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
@@ -3,82 +3,69 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# TODO: This profile needs to be rewritten and integrated with the xdg-open profiles. - -abi , +abi , include @{exec_path} = @{bin}/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/file rix, - @{bin}/head rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/gio rPx, - @{bin}/kbuildsycoca5 rPx, - @{bin}/ktraderclient5 rPUx, - @{bin}/mimetype rPx, - @{bin}/xprop rPx, + # To query DE information + @{bin}/gio ix, + @{bin}/gnomevfs-info ix, + @{bin}/gvfs-info ix, + @{bin}/kde{,4}-config ix, + @{bin}/kfile ix, + @{bin}/kmimetypefinder{,5} ix, + @{bin}/ktraderclient{,5} ix, + @{bin}/qtpaths ix, + @{bin}/qtxdg-mat ix, - /usr/share/file/misc/** r, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kbuildsycoca{,5} Px, + @{bin}/mimetype Px, + @{bin}/vendor_perl/mimetype Px, + @{bin}/xprop Px, - owner @{HOME}/** r, - owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/mimeapps.list{,.new} rw, - owner @{run}/user/@{uid}/ r, - - @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, - - /dev/dri/card@{int} rw, - /dev/tty rw, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{PROC}/version r, - # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it 
creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Xdg-mime works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + /dev/tty rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - profile dbus { + profile bus flags=(complain) { include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - @{HOME}/.Xauthority r, - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, + include + include + include + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index e7ee7dc8c..7893800d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open 
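Review bot: In xdg-mime, `@{bin}/gio` changes from `rPx` to `ix` and `@{bin}/ktraderclient{,5}` from `rPUx` to `ix`, so these helpers now run inside the xdg-mime profile rather than in their own profile or unconfined. That is tighter than `rPUx`, but it also means every grant in xdg-mime applies to gio and that gio's own needs must now be met here; the `# To query DE information` comment explains the grouping, not why the dedicated gio profile is bypassed, so a line like `# gio runs ix: only invoked for query calls from this script` would help. xdg-open on the next line drops `@{bin}/gio rPx` altogether, so the two profiles now treat gio differently. The hunk starts on the previous physical line and the profile continues outside it.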
@@ -3,58 +3,48 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include - include + include include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/env ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/uname ix, - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - @{bin}/exo-open rPx, - @{bin}/gio rPx, - #@{bin}/kde-open5 rPUx, - @{bin}/ktraderclient5 rPUx, + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/xprop Px, + @{bin}/xdg-mime Px, + @{open_path} Px -> child-open-any, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, + @{PROC}/version r, - /** r, - owner /** rw, - - # freedesktop.org-strict - owner @{user_share_dirs}/applications/ r, - /usr/share/applications/*.desktop r, - - /dev/tty rw, - - profile dbus { + profile bus flags=(attach_disconnected) { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index f698111d4..298bc059d 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include + include include include @@ -41,12 +42,10 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/devices r, + owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index cee9898b5..c142d137d 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver 
@@ -3,42 +3,54 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-screensaver -profile xdg-screensaver @{exec_path} { +profile xdg-screensaver @{exec_path} flags=(complain) { include include + include @{exec_path} r, - @{bin}/ r, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/kill ix, + @{bin}/ln ix, + @{bin}/lockfile ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/perl ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/uname ix, + @{bin}/xautolock ix, - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + @{bin}/xset Px, + @{bin}/ps Px, + @{bin}/hostname Px, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, + profile bus flags=(complain) { + include + include + include - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, - @{bin}/xset rPx, - @{bin}/hostname rix, + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - /dev/dri/card@{int} rw, - - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, - owner @{tmp}/xauth-@{int}-_[0-9] r, - - owner @{run}/user/@{uid}/ r, + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index a4d611712..870d4cfe4 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
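Review bot: The xdg-screensaver header changes from `profile xdg-screensaver @{exec_path} {` to `profile xdg-screensaver @{exec_path} flags=(complain) {`, which moves a previously enforced profile into complain mode at the same time as it grants `@{bin}/perl ix` and `@{bin}/kill ix`. If complain is a temporary state while the rewritten rule set is validated, a comment such as `# complain: rules rewritten, pending log review` above the header would record that and make the follow-up visible; otherwise the downgrade deserves a sentence in the commit message. The `bus` child is also complain, so nothing in this profile is enforced after the change.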
@@ -15,53 +15,50 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/uname rix, - @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, - @{bin}/kreadconfig5 rPx, - @{bin}/xdg-mime rPx, - @{bin}/xprop rPx, + # To set/get DE information + @{bin}/gconftool{,-2} ix, + @{bin}/kde{,4}-config ix, + @{bin}/kwriteconfig{,5,6} ix, + @{bin}/qtxdg-mat ix, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, - /etc/xdg/xfce4/helpers.rc r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, + owner @{user_share_dirs}/applications/{,**} rw, - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, + @{PROC}/version r, - owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, + owner /dev/pts/@{int} rw, - owner @{run}/user/@{uid}/ r, - - owner @{PROC}/@{pid}/fd/ r, - - profile dbus { + profile bus flags=(complain) { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index 47184420b..f963a21b9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir 
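Review bot: `@{bin}/kreadconfig{,5} Px` does not cover `kreadconfig6`, while the write-side rule two blocks above is `@{bin}/kwriteconfig{,5,6} ix`; on a KDE 6 host the read helper would fall through to the profile's default deny. `@{bin}/kreadconfig{,5,6} Px` keeps the two rules in step (assuming a `kreadconfig` profile exists as the `Px` target, which this page cannot show). The block under `# To set/get DE information` mixes `ix` for `gconftool`, `kde-config`, `kwriteconfig` and `qtxdg-mat` with `Px` for `kreadconfig` and `xprop`; a one-line comment on why the writers inherit while the readers get their own profile would help the next reader.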
+++ b/apparmor.d/groups/freedesktop/xdg-user-dir @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-user-dir profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, @@ -18,8 +19,6 @@ profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/user-dirs.dirs r, - /dev/tty rw, - # Silencer deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 01a289533..8892bd1ce 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 4730ca091..7177703a9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index 26b1bc598..6032179e4 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index ef719d673..dde1fe8c1 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp 
@@ -3,13 +3,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + include + include + include include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @@ -27,6 +30,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/xorg/Xorg.@{int}.log w, /var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w, + /var/log/Xorg.@{int}.log w, owner /var/log/lightdm/x-@{int}.log w, owner @{run}/user/@{uid}/server-@{int}.xkm rwk, @@ -36,10 +40,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/fb@{int} rw, /dev/tty rw, - /dev/tty@{int} rw, - - deny /dev/input/event@{int} rw, - deny /var/log/Xorg.@{int}.log w, + /dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 378c81119..0f23d583c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -49,7 +49,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/xkbcomp rPx, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, @{lib}/xorg/ r, @{lib}/xorg/modules/ r, 
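Review bot: `/dev/input/event@{int} rw` in the last xkbcomp hunk turns an explicit `deny` into a grant on the raw input event nodes; read access there exposes every keystroke, so a keymap compiler holding it is a real widening, and the hunk at line 27 adds `/var/log/Xorg.@{int}.log w` in the same spirit. If xkbcomp only inherits these descriptors from the X server that launches it (`@{bin}/xkbcomp rPx` in the xorg profile, `attach_disconnected` here) rather than opening them itself, a comment such as `# Inherited fds from the Xorg server` would record that, and the audit log would then show whether `r` alone is enough. Without the comment the rule reads as if xkbcomp needed input devices of its own.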
@@ -87,6 +87,25 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+serio:* r, # for touchpad? + @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/udev/data/+usb* r, # for USB mouse and keyboard + + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, @{sys}/class/ r, 
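Review bot: `@{run}/udev/data/+platform:* r, # for ?` and `@{run}/udev/data/+serio:* r, # for touchpad?` carry question-mark placeholders into the relocated block, and the newly added `@{run}/udev/data/+sound:card@{int} r, # for sound card` names the device but not why the X server reads it. Since this hunk already rewrites the block, it is the natural moment to either state the consumer or drop the guess — a comment like `# for touchpad?` gives a later reader no way to tell whether the rule is still needed. The enclosing profile continues outside the hunk.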
@@ -103,36 +122,28 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/ r, @{sys}/module/i915/{,**} r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? - @{run}/udev/data/+serio:* r, # for touchpad? - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{PROC}/@{pids}/cmdline r, @{PROC}/cmdline r, @{PROC}/ioports r, @{PROC}/mtrr rw, - /dev/fb[0-9] rw, + /dev/fb@{int} rw, /dev/input/event@{int} rw, + /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, /dev/tty rw, /dev/tty@{int} rw, + /dev/udmabuf rw, /dev/vga_arbiter rw, # Graphic card modules + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index aaa19b998..f83afae61 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xprop profile xprop @{exec_path} flags=(attach_disconnected) { include + include include include 
diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index 99e07a121..fc1935c4b 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 9bd897bee..55d069815 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile xrdb @{exec_path} { @{bin}/{,*-}cpp-[0-9]* rix, @{sh_path} rix, @{bin}/cpp rix, - @{lib}/gcc/@{multiarch}/@{int}*/cc1 rix, + @{lib}/gcc/@{multiarch}/@{version}/cc1 rix, @{lib}/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset index ff09d2b1a..20dc2b1fb 100644 --- a/apparmor.d/groups/freedesktop/xset +++ b/apparmor.d/groups/freedesktop/xset @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index db5d0a7aa..bc1291ef4 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index a4f98c096..05fb5a6fa 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,6 +11,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term hup) peer=gdm*, @@ -35,7 +36,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, /dev/tty rw, include if exists diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 9063afc57..8c6372ba5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 444fc581f..cc6645590 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index ca1213df9..88ec63ea7 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/epiphany-webapp-provider b/apparmor.d/groups/gnome/epiphany-webapp-provider index 7dda86245..c161a5a0c 100644 --- a/apparmor.d/groups/gnome/epiphany-webapp-provider +++ b/apparmor.d/groups/gnome/epiphany-webapp-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index de7c3c299..c6494c95f 100644 
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index a4c2c4a92..ce8f799bb 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,7 +34,6 @@ profile evolution-alarm-notify @{exec_path} { @{exec_path} mr, /usr/share/evolution-data-server/{,**} r, - /usr/share/{,zoneinfo-}icu/{,**} r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index d1ec45ac4..f856a06d2 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 7c97acc2e..379ea5bef 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter index 560f2bdb0..d1c095abf 100644 --- a/apparmor.d/groups/gnome/evolution-user-prompter +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,6 +10,8 @@ include profile evolution-user-prompter @{exec_path} { include include + include + include #aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0 diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index 7ecb4fb84..a1e323c87 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gcr-ssh-agent b/apparmor.d/groups/gnome/gcr-ssh-agent index a6f0f22fd..24e94d9cb 100644 --- a/apparmor.d/groups/gnome/gcr-ssh-agent +++ b/apparmor.d/groups/gnome/gcr-ssh-agent @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 2817f668e..b0f5e81a5 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index db1c43d84..dc11e8169 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, + @{bin}/pgrep rix, @{bin}/pkill rix, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -46,13 +46,6 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/stat r, @{PROC}/uptime r, - profile pgrep { - include - include - - include if exists - } - include if exists } 
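Review bot: `@{bin}/pgrep rix` replaces the `rCx -> pgrep` transition and the second gdm-generate-config hunk deletes the `pgrep` child profile, so pgrep now runs with gdm-generate-config's own rules; pgrep has to read `cmdline`/`stat` of every process, and the only proc rules visible in that hunk are `@{PROC}/@{pid}/stat r` and `@{PROC}/uptime r`, which cover the profile's own pid only. Unless one of the profile's includes (targets are stripped on this page) grants `@{PROC}/@{pids}/cmdline r`, `@{PROC}/@{pids}/stat r` and the `ptrace (read)` pgrep needs, this will surface as denials once the profile is enforced. The deleted child presumably carried those rules through its includes, so a run under audit before merging is the simplest check.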
diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index 5e4e02b6f..189e166f2 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -2,12 +2,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default -profile gdm-defaut @{exec_path} flags=(complain) { +profile gdm-prime-defaut @{exec_path} flags=(complain) { include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config index 26ce14234..558f3677c 100644 --- a/apparmor.d/groups/gnome/gdm-runtime-config +++ b/apparmor.d/groups/gnome/gdm-runtime-config @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index da99a23db..4e3440656 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index c5b220145..4ca2b21b6 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -77,6 +77,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, /etc/default/locale r, + /etc/fscrypt.conf r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, 
@@ -93,8 +94,19 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /var/lib/wtmpdb/ r, /var/lib/wtmpdb/* rwk, + /.fscrypt/policies/ r, + /.fscrypt/protectors/ r, + owner /.fscrypt/protectors/@{hex16} r, + + /home/ r, + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, + owner @{HOME}/.pam_environment r, + owner @{user_cache_dirs}/ w, + @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, @@ -104,14 +116,17 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/gdm{3,}/dbus/ w, owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, + @{run}/fscrypt/ rw, + @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, @{PROC}/keys r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index a48958b40..2cdae783d 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 8e6d80f9e..5e013012e 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop 
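Review bot: `/.fscrypt/policies/ r` grants only the directory listing; unlike the `/home/.fscrypt/policies/@{hex32} r` rule a few lines below, nothing allows the policy files themselves under `/.fscrypt/policies/`, so either the listing is unnecessary or an `owner /.fscrypt/policies/@{hex32} r` line is missing — which one depends on what pam_fscrypt actually opens, so check it against the audit log. A `# pam_fscrypt` comment over the fscrypt block (and over `@{run}/fscrypt/` in the next hunk) would tie the rules to their consumer, since nothing in the profile name suggests fscrypt. `owner @{HOME}/.pam_environment r` likewise deserves a comment naming pam_env and its `user_readenv` option, because a privileged session worker parsing a user-controlled file is exactly the kind of rule a later reviewer will otherwise try to remove.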
@@ -8,13 +8,13 @@ # - Direct access should only be needed is some special context and it should not # require access to that much resources. -abi , +abi , include @{exec_path} = @{bin}/gio @{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop -@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop +@{exec_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include @@ -23,6 +23,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include + include + include @{exec_path} mr, @@ -31,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, @@ -41,7 +45,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index e51ed5b8d..20d5e48d5 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -7,13 +7,14 @@ # confined under this profile. The resulting profile is quite broad. # This architecture needs to be rethinked. -abi , +abi , include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -35,9 +36,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Shell.Notifications #aa:dbus own bus=session name=org.gnome.Shell.Screencast - dbus send bus=session path=/org/gnome/Mutter/ScreenCast - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties @@ -62,7 +61,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, - /usr/share/icu/@{int}.@{int}/*.dat r, /tmp/ r, /var/tmp/ r, @@ -88,7 +86,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, - /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gkbd-keyboard-display b/apparmor.d/groups/gnome/gkbd-keyboard-display index 7b9fc07cd..18b11e9be 100644 --- a/apparmor.d/groups/gnome/gkbd-keyboard-display +++ b/apparmor.d/groups/gnome/gkbd-keyboard-display @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes new file mode 100644 index 000000000..f44f42e63 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-boxes 
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-boxes +profile gnome-boxes @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{open_path} rPx -> child-open, + + @{bin}/virtqemud rPUx, + @{bin}/virsh rCx -> virsh, + + /usr/share/osinfo/{,**} r, + /usr/share/gnome-boxes/{,**} r, + + /etc/qemu/bridge.conf r, + + @{MOUNTS}/ r, + owner @{HOME}/ r, + + # For disk images + owner @{user_img_dirs}/{,**} rw, + owner @{user_vm_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-boxes/ rw, + owner @{user_cache_dirs}/gnome-boxes/** rwk, + owner @{user_cache_dirs}/libvirt/qemu/log/*.log r, + + owner @{user_config_dirs}/gnome-boxes/ rw, + owner @{user_config_dirs}/gnome-boxes/** rwk, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/*.iso-@{rand6} rw, + owner @{tmp}/*.svg-@{rand6} rw, + + owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + + @{run}/mount/utab r, + + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + profile virsh { + include + include + + @{bin}/virsh mr, + @{bin}/pkttyagent r, + + owner @{run}/user/@{uid}/libvirt/ r, + owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + + @{sys}/devices/system/node/ r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
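Review bot: `@{bin}/virtqemud rPUx` lets the hypervisor daemon run unconfined whenever no `virtqemud` profile is loaded; if this project ships one, `rPx` pins the transition and makes a missing profile a visible error instead of silent unconfinement. In the `virsh` child, `@{bin}/pkttyagent r` allows reading the binary but not executing it; virsh can spawn pkttyagent as its polkit text agent, so if that exec is meant to be refused a `deny @{bin}/pkttyagent x,` with a comment says so, and if it is meant to work the rule needs an exec mode. Neither choice is obvious from the file as written, and the `owner @{sys}/fs/cgroup/...app-dbus*org.gnome.Boxes.slice/*/memory.* r` rule would also read better with a comment naming what queries memory accounting.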
diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 09ac8dbad..d31811152 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2ac0e4ca7..2e553d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,6 +21,8 @@ profile gnome-calculator @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index a0a5f7e6f..2eaacdefb 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c74292f4b..741be7709 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -2,16 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-calendar profile gnome-calendar @{exec_path} { include - include include - include include include include 
@@ -40,10 +38,13 @@ profile gnome-calendar @{exec_path} { peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, + @{open_path} rPx -> child-open-help, /usr/share/evolution-data-server/{,**} r, /usr/share/libgweather/Locations.xml r, + owner @{tmp}/pid-@{pid}/*.ics r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 1d3285292..9ae8a7b8a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,8 +23,8 @@ profile gnome-characters @{exec_path} { @{open_path} rPx -> child-open-help, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/org.gnome.Characters/{,**} r, + /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 6e975a7dd..4b70cdfa6 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fbb3942f7..fd6ded04f 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,15 +10,19 @@ include profile gnome-clocks @{exec_path} { include include - include include - include + include + include include + include include + network netlink raw, + #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } 
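Review bot: `network netlink raw,` is added to gnome-clocks without a comment; netlink raw is a broad grant compared with the rest of this profile, and the reader cannot tell whether it is for the GLib network monitor (route lookups) or something else. A one-line comment such as `# For GNetworkMonitor` — or whichever consumer the audit log actually shows — on the rule would justify it and let a later reviewer drop it when the need goes away. The same hunk's `@{open_path} rPx -> child-open-help` is consistent with the other gnome profiles in this series.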
diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index fc96424a9..b6474cf55 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -2,15 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-contacts profile gnome-contacts @{exec_path} { include - include - include include include include @@ -26,6 +24,7 @@ profile gnome-contacts @{exec_path} { #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon @{exec_path} mr, + @{open_path} rPx -> child-open-help, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_share_dirs}/folks/relationships.ini r, diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index a0a74f62e..0abc39acd 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 7643844c5..20aa66cfb 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -72,13 +72,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, - @{open_path} rPx -> child-open-browsers, + @{open_path} rPx -> child-open-any, /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, - /usr/share/desktop-base/**.{xml,png,svg} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/gnome-background-properties/{,**} r, /usr/share/gnome-bluetooth{-*,}/{,**} r, @@ -104,6 +103,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /var/cache/samba/ rw, /var/lib/AccountsService/icons/* r, + / r, + owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/.cert/nm-openvpn/*.pem r, owner @{HOME}/.face r, @@ -125,6 +126,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/icc/{,edid-*} r, + owner @{tmp}/@{hex12}@{h} rw, + owner @{tmp}/@{rand8} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/samba/ rw, 
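Review bot: `owner @{tmp}/@{rand8} rw` and `owner @{tmp}/@{hex12}@{h} rw` match any user-owned eight-character (respectively thirteen-hex-character) name directly under the temporary directory, with no comment on which panel creates those files; that is far wider than the neighbouring `gdkpixbuf-xpm-tmp.@{rand6}`, so a `# For <panel/feature>` comment (or a more specific prefix if the creator uses one) is needed to keep such patterns from accumulating. The first hunk's `@{open_path} rPx -> child-open-any` in place of `child-open-browsers` widens what the control center may launch through the open helper and would also benefit from a comment naming the panel that needs non-browser targets. Both hunks sit inside the profile, whose body continues outside them.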
@@ -153,17 +156,20 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, @{PROC}/cmdline r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/zoneinfo r, + @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, @@ -175,7 +181,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile bwrap { + profile bwrap flags=(attach_disconnected) { include include @@ -186,9 +192,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile pkexec { include - - @{bin}/pkexec mr, - + include include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 72f5867a4..4695c87d4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,7 +39,7 @@ profile gnome-control-center-goa-helper @{exec_path} { @{exec_path} mr, - @{bin}/bwrap rPUx, + @{bin}/bwrap rCx -> bwrap, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, 
@@ -48,9 +48,11 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{user_config_dirs}/goa-1.0/accounts.conf r, - owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/** rwl, - owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk, + owner @{user_share_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_share_dirs}/gnome-control-center-goa-helper/** rwk, owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, @@ -63,6 +65,15 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + profile bwrap flags=(attach_disconnected,complain) { + include + include + + @{bin}/bwrap mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 22784f1d5..59679deb8 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile gnome-control-center-print-renderer @{exec_path} { / r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index b584a8c1a..3dfd1bf03 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
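Review bot: The new `bwrap` child profile in gnome-control-center-goa-helper carries `complain` in its flags, so the `rCx -> bwrap` transition added in the earlier hunk confines bwrap in name only: violations are logged, not denied. Compared with the previous `rPUx` this is still progress, but the flag deserves a comment stating that it is temporary, e.g. `# complain until the accesses bwrap needs here are collected from the logs`, or a tracking note so it is dropped once the profile is filled in. Since the flag sits on the child profile itself rather than in a dist-wide flag list, it is easy to overlook when profiles are later switched to enforce.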
@@ -14,10 +14,7 @@ profile gnome-control-center-search-provider @{exec_path} { include include - dbus bind bus=session name=org.gnome.Settings.SearchProvider, - dbus receive bus=session path=/org/gnome/Settings/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*, label=gnome-shell), + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index bb1f5012a..436d82443 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index fe743f186..379a887b3 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 575668029..4d5301262 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 1cef7f074..7c9a80777 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3083c73f9..4c4b00c5d 100644 
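Review bot: The removed `dbus receive` rule for the SearchProvider path was restricted to `peer=(name=:*, label=gnome-shell)`; the `#aa:dbus own` directive that replaces it carries no label, so if the generated receive rules are peer-unrestricted, any confined session-bus client may now call this search provider rather than gnome-shell alone. If that widening is intended, a one-line comment above the directive should record it; otherwise check whether the directive accepts a `label=` argument as the `talk` directives elsewhere in this commit do, e.g. `#aa:dbus own bus=session name=org.gnome.Settings.SearchProvider label=gnome-shell`. The same question applies to the gnome-shell side, which in a later hunk adds a send rule to `/org/gnome/*/SearchProvider` with `peer=(name=@{busname})` and no label.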
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -62,8 +62,6 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/shm/ r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index d3ed3794b..3b23d4ffc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -32,6 +32,7 @@ profile gnome-extension-manager @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index ffa771be4..f1e229b59 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,9 +16,9 @@ profile gnome-extensions-app @{exec_path} { @{sh_path} rix, @{bin}/gjs-console rix, + @{open_path} rPx -> child-open-help, /usr/share/gnome-shell/org.gnome.Extensions* r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index 307fc06e3..af44afbec 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile gnome-firmware @{exec_path} { #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-font-viewer b/apparmor.d/groups/gnome/gnome-font-viewer new file mode 100644 index 000000000..0895bd7f0 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-font-viewer @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-font-viewer +profile gnome-font-viewer @{exec_path} { + include + include + + @{exec_path} mr, + @{open_path} rPx -> child-open-help, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index c3904d836..d27ccb8bb 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 5d945b641..d0b84c1be 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index ab0a6144f..5e3ab03bd 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile gnome-logs @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 36f93215f..294d6229a 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,8 @@ profile gnome-maps @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + audit @{bin}/gjs-console rix, owner @{user_pictures_dirs}/** rw, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index be07256ae..82be211fc 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,6 +28,9 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/ r, @{bin}/env r, @{bin}/python3.@{int} rix, @@ -45,9 +48,10 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, + owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 410953e49..0182e9dad 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer 
+++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes index c2e11a805..900259447 100644 --- a/apparmor.d/groups/gnome/gnome-recipes +++ b/apparmor.d/groups/gnome/gnome-recipes @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile gnome-recipes @{exec_path} { @{exec_path} mr, @{bin}/tar rix, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 46d21977c..19e448b1b 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e349d85c1..597a47c12 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,8 @@ profile gnome-session @{exec_path} { @{shells_path} rix, @{bin}/cat rix, - @{bin}/gettext.sh r, @{bin}/gettext rix, + @{bin}/gettext.sh r, @{bin}/grep rix, @{bin}/head rix, @{bin}/id rix, @@ -28,6 +28,7 @@ profile gnome-session @{exec_path} { @{bin}/readlink rix, @{bin}/realpath rix, @{bin}/sed rix, + @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rPx, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 962897ea8..42c1265ae 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -33,17 +32,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} peer=(name=org.freedesktop.DBus label=dbus-session), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CanPowerOff,PowerOff,Reboot} - peer=(name=:*, label=systemd-logind), - dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @@ -53,14 +48,11 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/tput rix, @{bin}/session-migration rPx, + @{lib}/gnome-session-check-* rPx, + @{lib}/gnome-session-failed rix, - @{lib}/gnome-session-check-accelerated rix, - @{lib}/gnome-session-check-accelerated-gl-helper rix, - @{lib}/gnome-session-check-accelerated-gles-helper rix, - @{lib}/gnome-session-failed rix, - - @{lib}/gio-launch-desktop rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, 
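Review bot: `@{lib}/gnome-session-check-* rPx` replaces three `rix` rules with a profile transition to a glob of targets, and `Px` has no fallback: every binary matched by `gnome-session-check-*` needs a loaded profile of its own or its exec is denied (the old rules named `gnome-session-check-accelerated`, `-gl-helper` and `-gles-helper`). If only the main checker has a profile and the helpers are meant to be handled inside it, confirm that, otherwise the glob should be narrowed or the helpers kept as `rix`. Separately, the removed `dbus send` to `org.freedesktop.login1` was limited to `member={CanPowerOff,PowerOff,Reboot}`, while the `#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind` line that replaces it appears to grant the whole Manager interface; a comment noting that the wider grant is intentional would help. gnome-session-binary's body continues in the following hunks.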
@@ -84,9 +76,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority rw, @@ -96,9 +89,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/{vendor,device} r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, @@ -108,11 +102,12 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include + include include @{bin}/env rix, @{sh_path} r, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, @{lib}/** PUx, @@ -123,7 +118,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/games/** PUx, /dev/tty rw, - /dev/tty@{int} rw, include if exists include if exists diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 220a9cac3..04c4ce628 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0e68c90a9..227edc404 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,9 +34,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include - include - include include include include @@ -76,8 +73,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Mutter #aa:dbus own bus=session name=org.gnome.Shell - #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity + #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.rastersoft.dingextension + #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications @@ -93,6 +91,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" # System bus @@ -135,15 +134,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Embed peer=(name=org.a11y.atspi.Registry), - dbus send bus=session path=/org/gtk/vfs/** - interface=org.gtk.vfs.* - peer=(name=:*, label=gvfsd*), - - dbus send bus=session path=/org/ayatana/NotificationItem/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=update-notifier), - dbus receive bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved 
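Review bot: `#aa:dbus own bus=session name=org.ayatana.NotificationItem` replaces a `dbus send` rule in which gnome-shell was the client (`member={Get,GetAll}` towards `label=update-notifier`), but `own` describes the opposite role, binding the name and receiving on its path. Unless the directive also emits a send rule towards the item owner, the removed access is lost and gnome-shell gains a bind it presumably never performs. A `talk` form, e.g. `#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=update-notifier`, would mirror the removed rule; if `own` is deliberate, a comment explaining why gnome-shell binds this name would settle it.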
@@ -173,6 +163,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Introspect peer=(name=org.freedesktop.DBus, label=dbus-session), + dbus send bus=session path=/org/gnome/*/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=@{busname}), + @{exec_path} mr, @{bin}/unzip rix, @@ -181,26 +175,24 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/Xwayland rPx, + @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper - @{sh_path} rCx -> shell, - @{lib}/gio-launch-desktop rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{sh_path} rCx -> shell, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.png r, - /usr/share/{,zoneinfo-}icu/{,**} r, /usr/share/**.{png,jpg,svg} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, /usr/share/dconf/profile/gdm r, - /usr/share/desktop-base/** r, /usr/share/desktop-directories/{,*.directory} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter-dconf-defaults r, @@ -215,8 +207,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/xml/iso-codes/{,**} r, @{system_share_dirs}/gnome-shell/{,**} r, - / r, - /.flatpak-info r, /etc/fstab r, /etc/timezone r, /etc/tpm2-tss/*.json r, 
@@ -228,6 +218,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, + owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, @@ -292,19 +285,21 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner /dev/shm/.org.chromium.Chromium.* rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/tags/seat/ r, @@ -356,10 +351,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/ r, @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/@{tid}/stat r, - @{PROC}/@{pids}/cmdline r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, 
@@ -369,12 +362,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/input/event@{int} rw, - /dev/media@{int} rw, - /dev/tty@{int} rw, + /dev/media@{int} rw, + /dev/tty@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, profile shell flags=(attach_disconnected,mediate_deleted) { include @@ -401,11 +397,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile open flags=(attach_disconnected,mediate_deleted,complain) { include + include network inet stream, network unix stream, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, @{lib}/** PUx, @@ -415,6 +412,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/games/** PUx, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index cc56eff59..357104e57 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,7 +36,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/{,zoneinfo-}icu/{,**} r, /etc/sysconfig/clock r, /etc/timezone r, 
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index f0e9bf398..51d5b43cf 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-shell-overrides-migration b/apparmor.d/groups/gnome/gnome-shell-overrides-migration index d041df4de..8d5cc4d1d 100644 --- a/apparmor.d/groups/gnome/gnome-shell-overrides-migration +++ b/apparmor.d/groups/gnome/gnome-shell-overrides-migration @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index b1a0bd8ac..f462894bc 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -64,8 +64,7 @@ profile gnome-software @{exec_path} { /var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/prepared-update r, - /var/lib/swcatalog/icons/**.png r, - /var/lib/swcatalog/yaml/ r, + /var/lib/swcatalog/** r, /var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/** rwkl, 
@@ -75,14 +74,23 @@ profile gnome-software @{exec_path} { owner @{HOME}/.var/app/{,**} rw, + owner @{user_download_dirs}/*.flatpakref r, + owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/{,**} rw, + owner @{user_cache_dirs}/gnome-software/ rw, + owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/.changed w, + owner @{user_share_dirs}/flatpak/{app,runtime}/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, + owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, @@ -103,19 +111,26 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/users/@{uid} r, @{sys}/module/nvidia/version r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, - + + deny owner @{user_share_dirs}/gvfs-metadata/* r, + profile gpg { include 
@@ -123,14 +138,26 @@ profile gnome-software @{exec_path} { @{bin}/gpgconf mr, @{bin}/gpgsm mr, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + @{lib}/{,gnupg/}scdaemon rix, + @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{run}/user/@{uid}/gnupg/ w, - + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 126140401..92cbd369e 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -38,6 +38,10 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + / r, + + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @@ -74,14 +78,15 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, profile pkexec { include - - @{bin}/pkexec mr, + include include if exists } diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index db128da15..d96c20c36 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server 
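Review bot: In gnome-software's `gpg` child profile, `@{HOME}/@{XDG_GPG_DIR}/*.conf r` and `owner @{run}/user/@{uid}/gnupg/S.scdaemon rw` reach the user's primary GnuPG configuration and smartcard-daemon socket, while the rest of the child works in the `ostree-gpg-@{rand6}` temporary homedir and its `d.@{rand}` socket directory. The conf rule also lacks `owner`, unlike every neighbouring HOME and run-dir rule; `owner @{HOME}/@{XDG_GPG_DIR}/*.conf r` is the consistent form. If reading the user's real gpg configuration and talking to their scdaemon is genuinely needed for signature verification, a comment above those two rules saying so would stop the next reader from removing them as a leak across homedirs.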
+++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -48,8 +48,6 @@ profile gnome-terminal-server @{exec_path} { @{open_path} rPx -> child-open, - /usr/share/icu/@{int}.@{int}/*.dat r, - /etc/shells r, owner @{user_config_dirs}/*xdg-terminals.list* rw, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 80ff8310d..22823753b 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,8 +15,12 @@ profile gnome-text-editor @{exec_path} { include include + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{exec_path} mr, + @{open_path} rPx -> child-open-help, + owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour index fc6605232..8ae95f4a0 100644 --- a/apparmor.d/groups/gnome/gnome-tour +++ b/apparmor.d/groups/gnome/gnome-tour @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile gnome-tour @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 84f37da76..d104e75c6 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks 
@@ -2,23 +2,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-tweaks -profile gnome-tweaks @{exec_path} { +profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include include include + network netlink raw, + @{exec_path} mr, @{bin}/ r, + @{bin}/env r, @{bin}/ps rPx, @{bin}/python3.@{int} rix, @@ -26,8 +27,6 @@ profile gnome-tweaks @{exec_path} { @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, - /usr/share/gnome-tweaks/{,**} r, - /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -42,7 +41,12 @@ profile gnome-tweaks @{exec_path} { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/bus/ r, + @{sys}/class/input/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-user-share-webdav b/apparmor.d/groups/gnome/gnome-user-share-webdav new file mode 100644 index 000000000..d54d7476a --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-user-share-webdav @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-user-share-webdav +profile gnome-user-share-webdav @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.gnome.user-share.webdav + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index b2851601c..c73ff0a19 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather 
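Review bot: `network netlink raw` is added to gnome-tweaks without a comment; read together with the new `@{sys}/class/input/ r` and `@{sys}/devices/**/uevent r` rules and the existing `@{run}/udev/data/...` lines it looks like udev device monitoring for the input panels, but the rule itself does not say so and is broad. A comment such as `# netlink socket for udev device monitoring (input devices)` above it would record the intent, or the need may already be scoped by an abstraction the project uses for udev consumers.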
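Review bot: The new gnome-user-share-webdav profile grants only the D-Bus name, its own binary and two includes; there is no `network inet stream` / `network inet6 stream` rule and no access to the directory the service shares, so under enforcement the server will be denied its listening socket and file reads unless one of the includes (whose targets are stripped in this view) supplies them or the profile is started in complain mode via the dist flags. Either add the network rules and the shared-directory access observed in testing, or mark the profile as a stub in its header, e.g. `# Initial stub: network and shared-directory rules still to be collected`, so nobody enforces it as-is.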
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,6 +23,7 @@ profile gnome-weather @{exec_path} { @{exec_path} mr, @{bin}/gjs-console rix, + @{open_path} rPx -> child-open-help, /usr/share/org.gnome.Weather/{,**} r, @@ -33,6 +34,8 @@ profile gnome-weather @{exec_path} { owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 968bf154a..8176d6c7c 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index cf62b5f50..3992811c2 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index f9d3804c7..cfbaa6269 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -31,8 +32,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 8d77f6cb2..6ff47dcd1 100644 
--- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -49,8 +50,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-*.icc rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index d25b4cdcc..984f7c189 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -2,18 +2,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include + include include include include + include - signal (receive) set=(term, hup) peer=gdm*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Datetime @@ -34,9 +42,13 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/geocode-glib/* r, - owner @{PROC}/@{pid}/stat r, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/users/@{uid} r, - owner /dev/tty@{int} rw, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index d1e65865f..55e6b3736 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
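Review bot: The five `network …` rules added to gsd-datetime grant unrestricted inet/inet6 stream and dgram sockets with no comment explaining the need; the `owner @{user_cache_dirs}/geocode-glib/* r,` context line suggests geolocation lookups, but that is an inference from the page. A why-comment above the block, e.g. `# Geolocation/timezone lookup (geocode-glib) — TODO confirm`, would make the widening auditable, and if those lookups actually go through a D-Bus service rather than direct sockets the inet rules may be unnecessary. The `signal (receive)` → `signal receive` change is syntax only and needs nothing.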
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 7194b7a2b..288c29af8 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -46,8 +47,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index d621a43ae..87560b6f9 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -39,8 +40,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9a799d444..3c2ef3dac 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
@@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -31,38 +32,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff peer=(name=:*, label=systemd-logind), - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member={GrabAccelerators,UngrabAccelerators} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member=AcceleratorActivated - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gsd-rfkill), - dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-rfkill), - dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames 
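Review bot: Replacing the member-scoped `dbus send`/`dbus receive` rules for org.gnome.Shell (GrabAccelerators, UngrabAccelerators, AcceleratorActivated, Properties GetAll/PropertiesChanged) and org.gnome.SettingsDaemon.Rfkill (Properties GetAll/PropertiesChanged) with `#aa:dbus talk …` directives widens gsd-media-keys from named members to whatever the directive expands to for the whole name; the expansion is not shown on this page, so confirm it grants no more than those members. The same replacement is made in gsd-power (org.gnome.Mutter.DisplayConfig, previously only `member=Set`), nautilus (org.gtk.Notifications, previously only `member=AddNotification`) and seahorse (`#aa:dbus own` replacing `dbus bind` plus the SearchProvider2 receive rule). If the broader grant is intended, a one-line comment above each directive naming the members actually used would preserve the information the removed rules carried, e.g. `# Needs GrabAccelerators/UngrabAccelerators and AcceleratorActivated only`.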
@@ -96,7 +73,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -110,8 +87,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 2c21bc4fd..97b31d6c5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -20,7 +21,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -37,10 +37,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight @@ -64,7 +61,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+leds:* r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, 
@@ -87,8 +84,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index b684c0c7c..2c8319bd8 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -38,8 +39,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 9db9abb09..9e67c8c72 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -29,8 +30,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 456361e88..1fd4157ec 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill 
@@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -33,8 +34,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - owner /dev/tty@{int} rw, - /dev/rfkill rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index e0d3dc1b0..1ac54d0fe 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include + include include include @@ -24,8 +25,6 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 4ba613fb7..871e10abc 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -41,9 +42,8 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{PROC}/@{pid}/cgroup r, - - owner /dev/tty@{int} rw, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, include if exists } 
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 0f04ae120..f93f0313b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -42,8 +43,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ea063aeda..8c5e7891a 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -36,8 +37,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 4db37cb0a..2359c9f39 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 9b6e13fdb..f9c4ffb33 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom 
@@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -32,8 +33,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 9c8852055..ab2b2b089 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4b489c259..51bcf2e10 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index e756831f2..c9177de5c 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,9 +25,11 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell + @{bin}/btop rPUx, @{bin}/htop rPx, @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{bin}/nvtop rPx, @{bin}/vim rUx, @{open_path} rPx -> child-open-help, @@ -39,6 +41,7 @@ profile kgx @{exec_path} { @{PROC}/@{pids}/stat r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6d53ebf44..fb7bef34a 100644 
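Review bot: The first kgx hunk adds `@{bin}/nvtop rPx,` directly below an identical existing `@{bin}/nvtop rPx,` context line, so the new line is a duplicate and should be dropped; the intended addition appears to be only `@{bin}/btop rPUx,`. Note that `rPUx` on btop falls back to unconfined execution when no btop profile is loaded, which matches the existing micro rule, so that part is a deliberate choice rather than a defect.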
--- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,6 +19,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=loupe//bwrap, + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, @@ -38,6 +40,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 0a208c6ad..8a48b97a2 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include + include include include include include include + include include include include @@ -33,8 +35,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 66f9af691..e4990a3e3 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -26,23 +26,14 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include - # mqueue r type=posix /, + mqueue r type=posix /, #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member={GetAll,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.gtk.Notifications - member=AddNotification - peer=(name=org.gtk.Notifications, label=gnome-shell), + #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine @@ -70,7 +61,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/nautilus/{,**} r, /usr/share/poppler/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, @@ -90,9 +80,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rw, - owner @{HOME}/{,**} rw, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rw, + owner @{tmp}/ r, + owner @{tmp}/** rw, # Silence non user's data deny /boot/{,**} r, @@ -115,6 +108,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, 
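Review bot: The removed `dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member={GetAll,ListActivatableNames} peer=(name=org.freedesktop.DBus, label=dbus-session)` rule has no replacement in the first nautilus hunk — the new `#aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell` directive only covers the gnome-shell peer — so unless one of the profile's includes (not visible on this page) now carries it, nautilus will be denied on bus-driver property queries. The third hunk's split of `owner @{HOME}/{,**} rw,` into `owner @{HOME}/ r,` plus `owner @{HOME}/** rw,` (and likewise for the runtime and tmp directories) is a genuine tightening, since nautilus can no longer rename or remove those directory entries themselves; a short comment such as `# Top-level dirs are read-only: contents are rw, the dir entry itself is not` would keep it from being folded back later.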
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index ee2de80ce..2d06a9ab3 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,17 +39,22 @@ profile org.gnome.NautilusPreviewer @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/devices r, @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/media@{int} r, + /dev/nvidia-uvm rw, include if exists } diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index ba23af8a4..921f6aa30 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,10 +21,7 @@ profile seahorse @{exec_path} { include include - dbus bind bus=session name=org.gnome.seahorse.Application, - dbus receive bus=session path=/org/gnome/seahorse/Application - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*), + #aa:dbus own bus=session name=org.gnome.seahorse.Application @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 41c9b28af..d519dca6e 100644 
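Review bot: `owner @{PROC}/@{pid}/task/@{tid}/comm w,` in org.gnome.NautilusPreviewer differs from the `rw` this commit uses for the same path in kgx, loupe, nautilus and tracker-miner; if the previewer only renames its threads, `w` is the tighter choice, but then a comment should say so, otherwise align it to `rw` for consistency. `/dev/nvidia-uvm rw,` is added without the kind of why-comment its neighbours carry (`# For dynamic assignment range …`); `/dev/nvidia-uvm rw,  # GPU-accelerated preview — TODO confirm` would document the grant of a GPU device node to a previewer.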
--- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 858d216ac..a8dc13b19 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,7 +39,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/*.desktop r, - /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index b037db499..e10d81bb2 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, @@ -47,7 +46,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, - /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, @@ -65,7 +63,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, + owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{hex16} rw, # Allow to search user files 
@@ -85,8 +85,10 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/sys/fs/fanotify/max_user_marks r, @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/vm/mmap_min_addr r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, /dev/video@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-writeback b/apparmor.d/groups/gnome/tracker-writeback index 426b1be60..a5346b463 100644 --- a/apparmor.d/groups/gnome/tracker-writeback +++ b/apparmor.d/groups/gnome/tracker-writeback @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/tracker-xdg-portal b/apparmor.d/groups/gnome/tracker-xdg-portal new file mode 100644 index 000000000..20ed6bdce --- /dev/null +++ b/apparmor.d/groups/gnome/tracker-xdg-portal @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/tracker-xdg-portal-3 +profile tracker-xdg-portal @{exec_path} flags=(complain) { + include + include + include + + #aa:dbus own bus=session name=org.freedesktop.portal.Tracker + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 4da1fe736..aa459250b 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp 
@@ -2,18 +2,22 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help profile yelp @{exec_path} { include + include include network netlink raw, + #aa:dbus own bus=session name=org.gnome.Yelp + @{exec_path} mr, + @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -24,11 +28,13 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - - owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, - + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r, + @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index a0c131bcd..167e8757c 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b549f1477..247c6e4ac 100644 --- a/apparmor.d/groups/gpg/gpg 
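Review bot: The three new `…/xdg-desktop-portal.service/memory.current`, `memory.high` and `memory.max` rules in the second yelp hunk can be one line, matching the `memory.*` style of the neighbouring cgroup rules: `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.{current,high,max} r,`. Replacing the hard-coded `user-1000.slice/user@1000.service` with `@{uid}` in the same hunk is the right fix, since the old rule silently failed for any other uid.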
+++ b/apparmor.d/groups/gpg/gpg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,8 +28,27 @@ profile gpg @{exec_path} { @{bin}/gpgsm rPx, @{lib}/{,gnupg/}scdaemon rPx, + /usr/share/terminfo/** r, + /etc/inputrc r, + #aa:only pacman + /etc/pacman.d/gnupg/gpg.conf r, + /etc/pacman.d/gnupg/pubring.gpg r, + /etc/pacman.d/gnupg/trustdb.gpg r, + + #aa:only apt + owner /etc/apt/keyrings/ rw, + owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, + + owner /var/lib/*/{,.}gnupg/ rw, + owner /var/lib/*/{,.}gnupg/** rwkl -> /var/lib/*/{,.}gnupg/**, + + # TODO: Remove after zypper profile is created + #aa:only zypper + owner /var/tmp/zypp.@{rand6}/ rw, + owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -39,25 +58,9 @@ profile gpg @{exec_path} { owner @{user_projects_dirs}/**/gnupg/ rw, owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, - #aa:only apt - owner /etc/apt/keyrings/ rw, - owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, - - #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, - - owner /var/lib/*/gnupg/ rw, - owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, - - owner /var/lib/*/.gnupg/ rw, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - - # TODO: Remove after zypper profile is created - #aa:only zypper - owner /var/tmp/zypp.@{rand6}/ rw, - owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, + # TODO: For compatibility with torbrowser profile from upstream. + owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, #aa:exclude ubuntu owner @{tmp}/ostree-gpg-@{rand6}/ r, 
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index f7580a8aa..75bb7583f 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -24,57 +24,60 @@ profile gpg-agent @{exec_path} {
 /usr/share/gnupg/* r,
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
- owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
+ owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
 owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
- owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
- owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
 owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
- owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/*.conf r,
 owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
- owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
- owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw,
+ owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
 owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
- owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
+ owner @{user_projects_dirs}/**/{.,}gnupg/*.conf r,
 owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
- owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
- owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw,
+ owner @{user_projects_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
 owner @{run}/user/@{uid}/gnupg/ rw,
- owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
+ owner @{run}/user/@{uid}/gnupg/*.conf r,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
- owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
- owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw,
+ owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{run}/user/@{uid}/gnupg/sshcontrol r,
- owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
- owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
- owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
- owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
- owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
- owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
+ owner @{tmp}/**/{.,}gnupg/ rw,
+ owner @{tmp}/**/{.,}gnupg/*.conf r,
+ owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/ rw,
+ owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw,
+ owner @{tmp}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{tmp}/**/{.,}gnupg/sshcontrol r,
 #aa:only pacman
 owner /etc/pacman.d/gnupg/ rw,
+ owner /etc/pacman.d/gnupg/*.conf r,
 owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
 owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
- owner /etc/pacman.d/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner /etc/pacman.d/gnupg/sshcontrol r,
 owner /var/lib/*/.gnupg/ rw,
 owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
 owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
- owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner /var/lib/*/.gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner /var/lib/*/.gnupg/sshcontrol r,
 owner /var/lib/*/gnupg/ rw,
 owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
 owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw,
- owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner /var/lib/*/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner /var/lib/*/gnupg/sshcontrol r,
 #aa:only zypper
diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent
index ae8f90ed5..d6c88c4fd 100644
--- a/apparmor.d/groups/gpg/gpg-connect-agent
+++ b/apparmor.d/groups/gpg/gpg-connect-agent
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -18,14 +18,15 @@ profile gpg-connect-agent @{exec_path} {
 /etc/inputrc r,
- owner @{PROC}/@{pid}/fd/ r,
-
+ owner @{run}/user/@{uid}/gnupg/ w,
 owner @{run}/user/@{uid}/gnupg/d.*/ rw,
 owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw,
 owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
 owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
+ owner @{PROC}/@{pid}/fd/ r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index 9537c60c6..61c6cf8de 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 5bfa3fdf4..364c05f73 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd
index bf77509fd..cb0046fd6 100644
--- a/apparmor.d/groups/gpg/keyboxd
+++ b/apparmor.d/groups/gpg/keyboxd
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index eeb1a618e..e88f34d4b 100644
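Review bot: The `{,.tmp}` suffix added to the `private-keys-v1.d/@{hex}.key` rules is not applied to the pacman and `/var/lib/*` keyrings, which keep `@{hex}.key rw` while every user keyring now gets `@{hex}.key{,.tmp} rw`. If the `.tmp` file is gpg-agent's temporary during a key rewrite (the hunk does not say), the same denial will presumably surface for those keyrings too, e.g. `owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw,`. The widening from `gpg-agent.conf r` to `*.conf r` would also read better with a comment naming the extra files it is meant to cover, so the glob is not taken as licence to widen further later. The profile's body continues outside the hunk.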
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -19,11 +19,16 @@ profile scdaemon @{exec_path} {
 @{exec_path} mr,
+ #aa:only pacman
+ owner /etc/pacman.d/gnupg/scdaemon.conf r,
+ owner /etc/pacman.d/gnupg/S.scdaemon rw,
+
 owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r,
+ owner @{HOME}/@{XDG_GPG_DIR}common.conf r,
 owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw,
 owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
- owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
 owner /var/tmp/zypp.*/PublicKey/S.scdaemon w,
 owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w,
diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup
index 44602a4ee..b0d606701 100644
--- a/apparmor.d/groups/grub/grub-bios-setup
+++ b/apparmor.d/groups/grub/grub-bios-setup
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures
index 1ab754daf..1a1110091 100644
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv
index 414f12909..6bdc7362a 100644
--- a/apparmor.d/groups/grub/grub-editenv
+++ b/apparmor.d/groups/grub/grub-editenv
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file
index 0c43d739d..6551bd553 100644
--- a/apparmor.d/groups/grub/grub-file
+++ b/apparmor.d/groups/grub/grub-file
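Review bot: `owner @{HOME}/@{XDG_GPG_DIR}common.conf r,` is missing the `/` that every neighbouring rule puts between `@{XDG_GPG_DIR}` and the file name (`@{HOME}/@{XDG_GPG_DIR}/scdaemon.conf`). Unless `@{XDG_GPG_DIR}` expands with a trailing slash, which the sibling rules indicate it does not, this matches a path that does not exist and scdaemon's reads of `common.conf` stay denied; it should be `owner @{HOME}/@{XDG_GPG_DIR}/common.conf r,`. The new `#aa:only pacman` block grants `scdaemon.conf` and `S.scdaemon` for the pacman keyring but no `common.conf`; worth checking whether that keyring needs the same read. The profile's body continues outside the hunk.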
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest
index c8f4d48a8..3819fe890 100644
--- a/apparmor.d/groups/grub/grub-fstest
+++ b/apparmor.d/groups/grub/grub-fstest
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi
index 0c2d91173..f72664388 100644
--- a/apparmor.d/groups/grub/grub-glue-efi
+++ b/apparmor.d/groups/grub/grub-glue-efi
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install
index 7902bf02d..83e30cbf6 100644
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@@ -3,7 +3,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp
index 7c49e93ec..0334bf2f5 100644
--- a/apparmor.d/groups/grub/grub-kbdcomp
+++ b/apparmor.d/groups/grub/grub-kbdcomp
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless
index 8f73e3807..c2571ea73 100644
--- a/apparmor.d/groups/grub/grub-macbless
+++ b/apparmor.d/groups/grub/grub-macbless
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg
index 826de1e1d..cd2d0121d 100644
--- a/apparmor.d/groups/grub/grub-menulst2cfg
+++ b/apparmor.d/groups/grub/grub-menulst2cfg
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index cd9c825f6..2a60d69c5 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap
index 0af9aab2d..533f9780b 100644
--- a/apparmor.d/groups/grub/grub-mkdevicemap
+++ b/apparmor.d/groups/grub/grub-mkdevicemap
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont
index 52d719b38..a1e4b1eff 100644
--- a/apparmor.d/groups/grub/grub-mkfont
+++ b/apparmor.d/groups/grub/grub-mkfont
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage
index ac5fef3b4..54f8dcc80 100644
--- a/apparmor.d/groups/grub/grub-mkimage
+++ b/apparmor.d/groups/grub/grub-mkimage
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout
index 616627f35..11263914b 100644
--- a/apparmor.d/groups/grub/grub-mklayout
+++ b/apparmor.d/groups/grub/grub-mklayout
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir
index 9bb011422..10aaa77d4 100644
--- a/apparmor.d/groups/grub/grub-mknetdir
+++ b/apparmor.d/groups/grub/grub-mknetdir
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
index 58b7da49b..45cefcedf 100644
--- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
+++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath
index 22e0b754a..a60a6aaba 100644
--- a/apparmor.d/groups/grub/grub-mkrelpath
+++ b/apparmor.d/groups/grub/grub-mkrelpath
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue
index 4eee01abf..dfd9ce031 100644
--- a/apparmor.d/groups/grub/grub-mkrescue
+++ b/apparmor.d/groups/grub/grub-mkrescue
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone
index c891fd4bf..8cce05fb9 100644
--- a/apparmor.d/groups/grub/grub-mkstandalone
+++ b/apparmor.d/groups/grub/grub-mkstandalone
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount
index a21f427e8..e660069bd 100644
--- a/apparmor.d/groups/grub/grub-mount
+++ b/apparmor.d/groups/grub/grub-mount
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 9cc94f9c1..94c4c7e2b 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -31,7 +31,6 @@ profile grub-multi-install @{exec_path} {
 /boot/grub/grub.cfg rw,
- owner @{PROC}/@{pid}/maps r,
 owner @{PROC}/@{pid}/mounts r,
 /dev/disk/by-id/ r,
diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img
index 885384b6d..676b16f1b 100644
--- a/apparmor.d/groups/grub/grub-ntldr-img
+++ b/apparmor.d/groups/grub/grub-ntldr-img
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index d0ef6b78b..80d517deb 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -3,7 +3,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot
index 236a46241..7d94a22af 100644
--- a/apparmor.d/groups/grub/grub-reboot
+++ b/apparmor.d/groups/grub/grub-reboot
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label
index 005823ffa..5d7c4cfe0 100644
--- a/apparmor.d/groups/grub/grub-render-label
+++ b/apparmor.d/groups/grub/grub-render-label
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check
index 9cb595834..93b344cf8 100644
--- a/apparmor.d/groups/grub/grub-script-check
+++ b/apparmor.d/groups/grub/grub-script-check
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default
index 729ff11d9..11c78024b 100644
--- a/apparmor.d/groups/grub/grub-set-default
+++ b/apparmor.d/groups/grub/grub-set-default
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version
index 7f830dc33..5e65fe835 100644
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -10,6 +10,8 @@ include
 profile grub-sort-version @{exec_path} {
 include
 include
+ include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg
index 581ab262b..584e33268 100644
--- a/apparmor.d/groups/grub/grub-syslinux2cfg
+++ b/apparmor.d/groups/grub/grub-syslinux2cfg
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub
index e74f72349..03df05295 100644
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index 0b35916b0..a681f2626 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 66681c8af..1e65e2183 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index 5b21c3a6b..a8d7ffb35 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index dfdf41113..d71b71523 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 8c8a1c069..ccbe15fd1 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -12,7 +12,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 include
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 710abbba1..c5c4dc3c1 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -13,6 +13,8 @@ profile gvfsd @{exec_path} {
 include
 include
+ signal receive set=usr1 peer=pacman,
+
 #aa:dbus own bus=session name=org.gtk.vfs.Daemon
 #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker
diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin
index 34e4cdfd6..7a1584d48 100644
--- a/apparmor.d/groups/gvfs/gvfsd-admin
+++ b/apparmor.d/groups/gvfs/gvfsd-admin
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc
index 6054f50b8..68d4b689e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afc
+++ b/apparmor.d/groups/gvfs/gvfsd-afc
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp
index 1ea7c14b8..eeaaec059 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afp
+++ b/apparmor.d/groups/gvfs/gvfsd-afp
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse
index 8baf49101..48680f12f 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afp-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive
index 4c860fe45..918841320 100644
--- a/apparmor.d/groups/gvfs/gvfsd-archive
+++ b/apparmor.d/groups/gvfs/gvfsd-archive
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn
index 4063141d4..b70fa7110 100644
--- a/apparmor.d/groups/gvfs/gvfsd-burn
+++ b/apparmor.d/groups/gvfs/gvfsd-burn
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda
index dc69cea53..0648f5dc0 100644
--- a/apparmor.d/groups/gvfs/gvfsd-cdda
+++ b/apparmor.d/groups/gvfs/gvfsd-cdda
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index b1479d780..e756c8440 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index bb86dd7db..77e1a2f6f 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index b07cd070b..2f3b8d8f2 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -16,6 +16,7 @@ profile gvfsd-dnssd @{exec_path} {
 include
 #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd
+ #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd
 dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon
diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp
index 47b58d639..5b7c833a5 100644
--- a/apparmor.d/groups/gvfs/gvfsd-ftp
+++ b/apparmor.d/groups/gvfs/gvfsd-ftp
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index 9cd6b77ca..375040ec3 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -14,6 +14,8 @@ profile gvfsd-fuse @{exec_path} {
 include
 include
+ capability sys_admin,
+
 mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
 unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google
index b6aa722e7..eb80f3a7a 100644
--- a/apparmor.d/groups/gvfs/gvfsd-google
+++ b/apparmor.d/groups/gvfs/gvfsd-google
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2
index 731bdd204..688f03c27 100644
--- a/apparmor.d/groups/gvfs/gvfsd-gphoto2
+++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index a2d02063c..2fe0a1e2b 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest
index da0a21386..5ffbabb40 100644
--- a/apparmor.d/groups/gvfs/gvfsd-localtest
+++ b/apparmor.d/groups/gvfs/gvfsd-localtest
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
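Review bot: `capability sys_admin,` in the gvfsd-fuse hunk is added with no comment, and an AppArmor capability rule cannot be tied to one operation, so this permits every CAP_SYS_ADMIN-gated call for gvfsd-fuse, not only the FUSE mount on the following context line. If the mount is actually performed by the `gvfsd-fuse//fusermount` peer that the unix rule already names (I infer that from the rule; the subprofile is not visible here), the capability may belong in that subprofile rather than the main one. Either way the justification should be recorded inline, e.g. `capability sys_admin, # for the FUSE mount of @{run}/user/@{uid}/gvfs/`. The profile's body continues outside the hunk.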
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index 6237715a8..902bbf40e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp
index d8ea92d1f..3c747b8b3 100644
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -21,7 +21,7 @@ profile gvfsd-mtp @{exec_path} {
 @{exec_path} mr,
- owner @{HOME}/{,**} rw,
+ owner @{HOME}/{,**} rw, # FIXME: ?
 owner @{MOUNTS}/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
index 8fc843290..87851fc16 100644
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs
index 0a2ab4d1c..575d9de39 100644
--- a/apparmor.d/groups/gvfs/gvfsd-nfs
+++ b/apparmor.d/groups/gvfs/gvfsd-nfs
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index ab2ea4677..38819e872 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
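Review bot: The trailing `# FIXME: ?` added to `owner @{HOME}/{,**} rw,` in the gvfsd-mtp hunk records no actual question, so the next reader cannot tell whether the concern is the breadth of a full-home read-write rule or a pending replacement; a FIXME should state the intent, e.g. `# FIXME: full home access, can it be narrowed?`. The same placeholder is added to the identical rule in the gvfsd-recent hunk that follows. Both profile bodies continue outside their hunks.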
@@ -36,7 +36,7 @@ profile gvfsd-recent @{exec_path} {
 @{exec_path} mr,
 # Full access to user's data
- owner @{HOME}/{,**} rw,
+ owner @{HOME}/{,**} rw, # FIXME: ?
 owner @{MOUNTS}/{,**} rw,
 owner @{HOME}/.zshenv r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp
index 05c8a2bbf..cabee57c2 100644
--- a/apparmor.d/groups/gvfs/gvfsd-sftp
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb
index 4eb770986..24891e9c3 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse
index 3882e6f1c..f285a3c15 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index d65edb691..683d271a8 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
index b2ff47c91..f971b5f6a 100644
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/hyprland/hyprctl b/apparmor.d/groups/hyprland/hyprctl
index f7d41d484..96440098e 100644
--- a/apparmor.d/groups/hyprland/hyprctl
+++ b/apparmor.d/groups/hyprland/hyprctl
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
new file mode 100644
index 000000000..9c6107f6f
--- /dev/null
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/Hyprland
+profile hyprland @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability sys_ptrace,
+
+ network netlink raw,
+
+ signal send,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ /usr/share/hyprland/{,*} r,
+ /usr/share/libinput/{,*} r,
+
+ owner @{user_cache_dirs}/hyprland/{,**} rw,
+ owner @{user_config_dirs}/hypr/** r,
+ owner @{user_share_dirs}/hyprpm/** mr,
+
+ owner @{run}/user/@{uid}/gamescope-* rw,
+ owner @{run}/user/@{uid}/.hyprpaper_* rw,
+ owner @{run}/user/@{uid}/.hyprpicker_* rw,
+ owner @{run}/user/@{uid}/hypr/{,**} rw,
+ owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+
+ @{run}/systemd/sessions/@{int} r,
+
+ @{run}/udev/data/+acpi:* r, # for acpi
+ @{run}/udev/data/+dmi:id r, # for motherboard info
+ @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
+ @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+sound:card@{int} r, # for sound card
+ @{run}/udev/data/+usb* r, # for USB mouse and keyboard
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+ @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
+ @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
+
+ @{sys}/bus/ r,
+ @{sys}/class/input/ r,
+ @{sys}/devices/@{pci}/boot_vga r,
+ @{sys}/devices/**/uevent r,
+
+ owner @{PROC}/@{pid}/environ r,
+
+ /dev/input/event@{int} rw,
+ /dev/tty r,
+ owner /dev/tty@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
+
diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock
index 86cc79570..b17c0c66a 100644
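Review bot: `ptrace read,` and `signal send,` in the new hyprland profile carry no `peer=` qualifier, so together with `capability sys_ptrace,` the compositor may inspect and signal any process its uid can reach, not just its own clients; if these exist to read clients' `@{PROC}/@{pid}/environ` (the only /proc read in the file), a `peer=` restriction to those labels would keep the rest of the profile's least-privilege shape, and if that is impractical a comment should say why. `owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,` is the one rule with no visible connection to the compositor and deserves a `# for ...` note like the udev lines carry. `/dev/input/event@{int} rw,` is unowned, which may well be required for root-owned input devices, but a comment would make that deliberate rather than accidental.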
--- a/apparmor.d/groups/hyprland/hyprlock
+++ b/apparmor.d/groups/hyprland/hyprlock
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -13,6 +13,7 @@ profile hyprlock @{exec_path} {
 include
 include
 include
+ include
 network netlink raw,
diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper
index 1005ee8f1..3cb8dca92 100644
--- a/apparmor.d/groups/hyprland/hyprpaper
+++ b/apparmor.d/groups/hyprland/hyprpaper
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker
index 77edc07dc..38eccd297 100644
--- a/apparmor.d/groups/hyprland/hyprpicker
+++ b/apparmor.d/groups/hyprland/hyprpicker
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm
index 5f5ce4c66..3a5878808 100644
--- a/apparmor.d/groups/hyprland/hyprpm
+++ b/apparmor.d/groups/hyprland/hyprpm
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index db870bd82..197f90f88 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -31,7 +31,6 @@ profile DiscoverNotifier @{exec_path} {
 @{bin}/gpgconf rCx -> gpg,
 @{bin}/gpgsm rCx -> gpg,
- /usr/share/knotifications{5,6}/{,**} r,
 /usr/share/metainfo/{,**} r,
 /etc/machine-id r,
@@ -40,11 +39,11 @@ profile DiscoverNotifier @{exec_path} {
 /var/lib/flatpak/{,**} r,
 /var/cache/swcatalog/cache/ w,
+ /var/cache/swcatalog/xml/{,**} r,
 owner @{user_cache_dirs}/appstream/ r,
 owner @{user_cache_dirs}/appstream/** rw,
 owner @{user_cache_dirs}/flatpak/{,**} rw,
- owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_config_dirs}/@{int} rw,
 owner @{user_config_dirs}/breezerc r,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 3b5efe387..5a4f480a1 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -25,25 +25,51 @@ profile baloo @{exec_path} { @{lib}/{,kf6/}baloo_file_extractor rix, /usr/share/poppler/{,**} r, - /usr/share/desktop-base/kf5-settings/baloofilerc r, /etc/fstab r, /etc/machine-id r, - /etc/xdg/baloofilerc r, # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, owner @{tmp}/*/{,**} r, + owner @{user_cache_dirs}/kcrash-metadata/ w, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, owner @{user_config_dirs}/baloofilerc.lock rwkl, owner @{user_share_dirs}/baloo/{,**} rwk, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi:* r, # For motherboard info + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, 
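Review bot: `@{run}/udev/data/+power_supply* r` is the only entry in the new udev block written without the `:` separator every sibling uses (`+acpi:*`, `+backlight:*`, `+rfkill:*`, `+sound:card@{int}`); unless a data file without the colon really exists it should read `@{run}/udev/data/+power_supply:* r,`. The block as a whole also has no comment saying why a file indexer enumerates hardware — presumably a Solid device query behind removable-media or mount detection, which should be confirmed — so a header line such as `# Hardware enumeration (udev/sysfs) for device/mount discovery — confirm against aa-log` would let the next reviewer judge whether `@{sys}/devices/**/uevent r` and `@{sys}/class/*/ r` can be narrowed. The profile block continues outside this hunk.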
diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 1b5d79492..e3fca1f8f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include include include include @@ -18,11 +19,10 @@ profile baloorunner @{exec_path} { @{bin}/* rPx, - /etc/xdg/baloofilerc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/baloofilerc r, + # Allow to search user files + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_share_dirs}/baloo/{,**} rwk, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 89e5685d9..8465da560 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,6 +16,7 @@ profile dolphin @{exec_path} { include include include + include include include include @@ -28,13 +29,17 @@ profile dolphin @{exec_path} { @{exec_path} mr, @{bin}/ldd rix, + @{bin}/lsb_release rPx -> lsb_release, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, + #aa:exec kioworker /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/misc/termcap r, /etc/fstab r, /etc/machine-id r, 
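Review bot: `owner @{HOME}/{,**} r` together with `owner @{MOUNTS}/{,**} r` and `owner @{tmp}/*/{,**} r` gives the KRunner helper read access to every user file, where the removed rules only covered baloofilerc and the icon cache; if baloorunner only queries the index under `@{user_share_dirs}/baloo/`, the `# Allow to search user files` block copied from the baloo profile is broader than the helper needs. Since the profile already carries `@{bin}/* rPx`, it is worth recording which denied access motivated this, e.g. `# Allow to search user files (needed to stat/preview results — confirm with aa-log)`. The enclosing profile block starts before and ends after this hunk.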
@@ -82,9 +87,12 @@ profile dolphin @{exec_path} { owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, + owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + + @{run}/issue r, @{run}/mount/utab r, - owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 602b087bb..961c18cfe 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi profile drkonqi @{exec_path} { include + include include network inet stream, @@ -22,11 +23,16 @@ profile drkonqi @{exec_path} { @{exec_path} mr, - /usr/share/drkonqi/{,**} r, - /usr/share/knotifications{5,6}/*.notifyrc r, + @{bin}/lsb_release rPx -> lsb_release, + /usr/share/drkonqi/{,**} r, + + owner @{user_cache_dirs}/drkonqi/ rw, + owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, + owner @{user_config_dirs}/drkonqirc r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index fe2fd0566..c74276b95 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index f014b671b..e07a6c1d4 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index c1a63931e..d9879941b 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index fb6a01c8a..42c1400ef 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kaccess profile kaccess @{exec_path} { include + include include include include @@ -19,7 +20,7 @@ profile kaccess @{exec_path} { /usr/share/icons/{,**} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, + /etc/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index b51d72a91..fdc0730c4 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -29,17 +29,12 @@ profile kactivitymanagerd @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk, owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/libreoffice/**.xcu r, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index daf880cf9..661090bc1 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kalendarac profile kalendarac @{exec_path} { include - include + include include include include @@ -20,12 +20,9 @@ profile kalendarac @{exec_path} { /usr/share/akonadi/firstrun/{,*} r, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/knotifications{5,6}/{,**} r, /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 9b42d9a10..61308e83b 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 29dfe216b..44a6d0239 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 98e6614b8..f03dfb007 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-fontinst b/apparmor.d/groups/kde/kauth-fontinst index 3a9c21b7b..d05975eac 100644 --- a/apparmor.d/groups/kde/kauth-fontinst +++ b/apparmor.d/groups/kde/kauth-fontinst @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index fa1345d74..6483fe39f 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index a172c3404..5ae1f5f12 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca similarity index 57% rename from apparmor.d/groups/kde/kbuildsycoca5 rename to apparmor.d/groups/kde/kbuildsycoca index 8d9fa0bca..db3aed9dc 100644 --- a/apparmor.d/groups/kde/kbuildsycoca5 +++ b/apparmor.d/groups/kde/kbuildsycoca @@ -3,24 +3,21 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kbuildsycoca5 -profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/kbuildsycoca{,5} +profile kbuildsycoca @{exec_path} flags=(attach_disconnected) { include include include @{exec_path} mr, - owner @{user_cache_dirs}/ksycoca{5,6}_* rw, - owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int}, - /dev/tty r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 95fdd6e63..93378bf76 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index bcab6d31b..e152325ed 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile kconf_update @{exec_path} { include include include + include include include include 
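Review bot: The rename drops `owner @{user_cache_dirs}/ksycoca{5,6}_* rw` and the matching `owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int}` rule, yet writing that cache is what kbuildsycoca exists to do; the three `include` lines in this hunk are unchanged context, so unless one of those abstractions was extended elsewhere in this commit, the profile now denies its own output. If the rules did move into an abstraction, a comment at the removal site such as `# ksycoca cache rules come from <ABSTRACTION NAME>` (with the real name filled in) would make that explicit and keep the next reviewer from re-adding them.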
@@ -43,49 +44,15 @@ profile kconf_update @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{HOME}/.gtkrc-@{version} w, - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/akregatorrc.lock rwk, - owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/dolphinrc.lock rwk, - owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**, - owner @{user_config_dirs}/kactivitymanagerd-statsrc rw, - owner @{user_config_dirs}/kateschemarc.lock rwk, - owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kcminputrc.lock rwk, - owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kconf_updaterc.lock rwk, - owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, - owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/khotkeysrc.lock rwk, - owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kmixrc.lock rwk, - owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/konsolerc.lock rwk, - owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/krunnerrc.lock rwk, - owner 
@{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/krunnerstaterc.lock rwk, - owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kscreenlockerrc.lock rwk, - owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwinrulesrc.lock rwk, - owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kxkbrc.lock rwk, - owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw, - owner @{user_config_dirs}/plasmashellrc r, owner @{user_config_dirs}/sed@{rand6} rw, owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw, + owner @{user_config_dirs}/kcmfonts.lock rwk, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/krunnerstaterc.lock rwk, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 960747c21..d37b53ddd 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include + include include include include 
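Review bot: The new `owner @{user_config_dirs}/*rc …` globs do not cover `kdeglobals`, yet this hunk removes `owner @{user_config_dirs}/kdeglobals.lock rwk` and `owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}` — the name does not end in `rc`, so neither `*rc`, `*rc.@{rand6}` nor `*rc.lock` matches it. Unless one of the profile's includes (their arguments are not visible here) grants write and lock on kdeglobals, those two lines should be kept alongside the globs. The kded hunk in this commit drops the identical pair of kdeglobals rules while adding the same three `*rc` globs, so the same check applies there; the enclosing profile block starts before and ends after this hunk.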
@@ -29,13 +30,12 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{bin}/xargs rix, @{lib}/drkonqi rPx, - /usr/share/knotifications{5,6}/*.notifyrc r, - /etc/fstab r, /etc/machine-id r, owner @{HOME}/ r, + owner @{user_cache_dirs}/ddcutil/* r, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_config_dirs}/#@{int} rw, @@ -45,7 +45,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** owner @{run}/user/@{uid}kcrash_@{int} rw, @@ -56,14 +56,16 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/class/i2c-dev/ r, @{sys}/class/usbmisc/ r, @{sys}/devices/ r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/**/ r, @{sys}/devices/i2c-@{int}/name r, @{sys}/devices/platform/**/i2c-@{int}/**/name r, diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition index a913dba60..efec3a8a6 100644 --- a/apparmor.d/groups/kde/kde-systemd-start-condition +++ b/apparmor.d/groups/kde/kde-systemd-start-condition 
@@ -2,20 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kde-systemd-start-condition profile kde-systemd-start-condition @{exec_path} { include + include @{exec_path} mr, - /etc/xdg/baloofilerc r, - /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r, - - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/kalendaracrc r, owner @{user_config_dirs}/kgpgrc r, owner @{user_config_dirs}/kmixrc r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e0cc7f5b3..0ff08d02f 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,12 +12,13 @@ profile kded @{exec_path} { include include include + include include include - include - include + include include include + include include include include @@ -31,7 +32,8 @@ profile kded @{exec_path} { ptrace (read), - signal (send) set=hup peer=xsettingsd, + signal send set=hup peer=xsettingsd, + signal send set=term peer=kioworker, #aa:dbus own bus=system name=com.redhat.NewPrinterNotification #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager @@ -54,12 +56,13 @@ profile kded @{exec_path} { @{bin}/plasma-welcome rPUx, @{bin}/python3.@{int} rix, @{bin}/setxkbmap rix, + @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, @{bin}/xsettingsd rPx, @{lib}/drkonqi rPx, - #aa:exec utempter + @{lib}/{,@{multiarch}/}utempter/utempter rPx, #aa:exec kconf_update /usr/share/color-schemes/{,**} r, 
@@ -67,13 +70,11 @@ profile kded @{exec_path} { /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, - /etc/xdg/kcminputrc r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, 
@@ -83,63 +84,43 @@ profile kded @{exec_path} { / r, + owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, - owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk, - owner @{user_config_dirs}/gtkrc{,*} rwlk, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kconf_updaterc rw, - owner @{user_config_dirs}/kconf_updaterc.lock rwk, - owner @{user_config_dirs}/kdebugrc r, - owner @{user_config_dirs}/kded{5,6}rc.lock rwk, - owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl, owner @{user_config_dirs}/kdedefaults/{,**} r, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl, - owner @{user_config_dirs}/khotkeysrc.lock rwk, - owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ksmserverrc r, - owner @{user_config_dirs}/ktimezonedrc.lock rwk, - owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwalletrc r, - owner 
@{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/networkmanagement.notifyrc r, - owner @{user_config_dirs}/plasma-nm r, - owner @{user_config_dirs}/plasma-welcomerc r, - owner @{user_config_dirs}/touchpadrc r, + owner @{user_config_dirs}/plasma* r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, - owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/kded{5,6}/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/ktp/cache.db rwk, owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, + owner @{user_share_dirs}/user-places.xbel r, + + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @@ -151,6 +132,8 @@ profile kded @{exec_path} { owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, + @{sys}/class/leds/ r, + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 1995838c1..9da19046d 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,7 @@ profile kglobalacceld @{exec_path} { /etc/machine-id r, /etc/xdg/menus/ r, - - owner @{user_cache_dirs}/ksycoca{5,6}_* rw, + /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, @@ -29,6 +28,8 @@ profile kglobalacceld @{exec_path} { owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, + @{PROC}/sys/kernel/random/boot_id r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner index fa3f494c7..dc1b28dcc 100644 --- a/apparmor.d/groups/kde/kio_http_cache_cleaner +++ b/apparmor.d/groups/kde/kio_http_cache_cleaner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 7462d6c5b..f6a7ba95a 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile kiod @{exec_path} { include include include + include network netlink raw, @@ -21,8 +22,6 @@ profile kiod @{exec_path} { /usr/share/icons/breeze/index.theme r, /usr/share/mime/{,**} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 6dd771859..37dd3eeae 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -72,9 +72,7 @@ profile kioworker @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int}, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/* rwl, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_config_dirs}/kio_httprc r, owner @{user_config_dirs}/menus/{,**} r, @@ -91,6 +89,7 @@ profile kioworker @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 054731148..17ed13f27 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,12 +26,19 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/@{shells} rUx, @{browsers_path} rPx, - #aa:exec utempter + @{lib}/libheif/ r, + @{lib}/libheif/** mr, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, + + # Some CLI program can be launched directly from KDE + @{bin}/btop rPUx, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, + @{bin}/vim rUx, /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, - /usr/share/knotifications{5,6}/konsole.notifyrc r, - /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/konsole/{,**} r, /usr/share/sounds/** r, 
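Review bot: The new CLI launcher block in konsole mixes three exec modes without saying why — `@{bin}/htop rPx` and `@{bin}/nvtop rPx` require a dedicated profile, `btop` and `micro` fall back to unconfined with `rPUx`, and `@{bin}/vim rUx` is unconditionally unconfined. Since the profile already grants `@{bin}/@{shells} rUx`, an unconfined vim adds little beyond what a shell already has, but a reader cannot tell whether `rUx` was chosen because no vim profile exists or because one exists and misbehaves; a short note such as `# vim: rUx, no dedicated profile (same trust level as @{shells} above)` — adjusted to the real reason — would settle it. The heading comment should also read `# Some CLI programs can be launched directly from KDE`.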
@@ -42,23 +49,28 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kbookmarkrc r, + owner @{user_config_dirs}/konsole.notifyrc r, owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/session/** rwlk, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/** rwlk, owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/konsolestaterc rw, + owner @{user_state_dirs}/konsolestaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/konsolestaterc.lock rwk, + owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index fc14b9536..8ad9c4b5b 100644 --- a/apparmor.d/groups/kde/kreadconfig +++ b/apparmor.d/groups/kde/kreadconfig @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kreadconfig5 +@{exec_path} = @{bin}/kreadconfig{,5} profile kreadconfig @{exec_path} { include + include capability dac_read_search, 
@@ -16,14 +17,8 @@ profile kreadconfig @{exec_path} { @{exec_path} mr, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, /etc/xdg/kioslaverc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, - include if exists } diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 94890bacc..5e09b0cbe 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kscreen_osd_service b/apparmor.d/groups/kde/kscreen_osd_service index cafd59a67..8bff3306f 100644 --- a/apparmor.d/groups/kde/kscreen_osd_service +++ b/apparmor.d/groups/kde/kscreen_osd_service @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 1884414a9..79e2b4c59 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -70,10 +70,11 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kscreenlocker_greet/ w, owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk, - owner @{user_cache_dirs}/ksvg-elements r, + owner @{user_cache_dirs}/ksvg-elements rw, + owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements-default_v* r, @@ -83,8 +84,10 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/kscreenlockerrc.lock rwk, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/plasmashellrc r, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index b7e1858da..61cd67246 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,11 +16,11 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - signal (send) set=(usr1,term) peer=kscreenlocker-greet, + signal send set=(usr1,term) peer=kscreenlocker_greet, ptrace (read) peer=kbuildsycoca5, - unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none), + unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none), @{exec_path} mr, 
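Review bot: `owner @{user_cache_dirs}/ksvg-elements.lock rwlk` carries an `l` (link) permission with no target, which no other lock file in this file gets — `kscreenlockerrc.lock` added in the next hunk uses the usual `rwk`. Unless a link is actually created on the lock file, `owner @{user_cache_dirs}/ksvg-elements.lock rwk,` matches the project convention and is tighter. The profile block continues outside this hunk.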
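Review bot: `ptrace (read) peer=kbuildsycoca5,` is left as context in ksmserver while the same commit renames that profile to `kbuildsycoca` (the kbuildsycoca5 → kbuildsycoca hunk), so the peer label no longer matches any profile and the rule silently stops granting anything; it should become `ptrace (read) peer=kbuildsycoca,`. The adjacent fixes from `kscreenlocker-greet` to `kscreenlocker_greet` on the signal and unix rules show the commit was already correcting peer labels at this spot, which makes the leftover easy to miss.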
@@ -31,10 +31,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:exec drkonqi #aa:exec kscreenlocker_greet - @{user_bin_dirs}/** rPUx, - /usr/share/color-schemes/{,**} r, - /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/{,**} r, @@ -46,25 +43,30 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/@{rand6} rw, owner @{HOME}/.Xauthority rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/iceauth_@{rand6}-c w, + owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c, + owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw, + owner @{tmp}/@{rand6} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, /dev/tty r, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 44d7f6e2a..01fe51783 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter 
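Review bot: `owner @{tmp}/@{rand6} rw,` in the second ksmserver hunk is a very wide pattern — any owner-owned six-character name directly under `@{tmp}` — and nothing in the hunk records what creates it. The neighbouring `iceauth_@{rand6}*` rules under `@{run}/user/@{uid}/` suggest an ICE-authority or Qt temporary file, but that is inferred from the names, not shown; once the creator is confirmed from the audit log, either a more specific name pattern or a comment such as `# temporary file written by ksmserver when XDG_RUNTIME_DIR is unavailable` would keep the rule reviewable. The ksmserver profile starts and ends outside the hunk.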
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 463aec245..be59fe842 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,8 +22,8 @@ profile ksplashqml @{exec_path} { /usr/share/plasma/** r, /etc/machine-id r, + /etc/xdg/plasmarc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksplash/ rw, owner @{user_cache_dirs}/ksplash/** rwlk -> @{user_cache_dirs}/ksplash/**, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 6aefc1d43..fa0f88f75 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 5005dde31..c4e25e9ff 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,8 +30,6 @@ profile kwalletd @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kwalletrc r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index b1ca562cc..dc64cbb9e 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,7 +29,6 @@ profile kwalletmanager @{exec_path} { /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kwalletmanager5rc rw, owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{int}, @@ -45,7 +44,6 @@ profile kwalletmanager @{exec_path} { @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/cmdline r, - /dev/shm/ r, /dev/shm/#@{int} rw, include if exists diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 7bed8beca..c02f3f87a 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,13 +29,12 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{exec_path} mr, + /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, - /usr/share/desktop-base/kf5-settings/{,**} r, /usr/share/desktop-directories/*.directory r, /usr/share/kglobalaccel/{,**} r, - /usr/share/knotifications{5,6}/ksmserver.notifyrc r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, /usr/share/kwin/{,**} r, @@ -49,6 +48,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/xdg/menus/{,applications.menu} r, /etc/xdg/menus/applications-merged/ r, /etc/xdg/plasmarc r, + /etc/xdg/Xwayland-session.d/{,*} r, /etc/machine-id r, /var/lib/dbus/machine-id r, 
@@ -71,11 +71,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int}, owner @{user_cache_dirs}/ r, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/ksvg-elements r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/kwin/ rw, owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, @@ -85,10 +81,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, @@ -103,13 +99,19 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, - @{run}/systemd/inhibit/*.ref rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/input/ r, @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{run}/udev/data/+acpi:* r, # for ACPI @{run}/udev/data/+dmi:* r, # for motherboard info 
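Review bot: `owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,` puts an application-specific path into the compositor profile without saying why kwin touches another process's shared memory. Presumably these are wl_shm buffers that a Chromium-based client hands over by file descriptor, in which case a comment such as `# wl_shm buffers of Chromium-based clients, received by fd over the Wayland socket` would stop the rule from being pruned later and would explain why other clients' shm names may follow. The four DMI reads can also be collapsed to `@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r,`, matching the brace groups the profile already uses (e.g. `/etc/xdg/menus/{,applications.menu}`). The kwin_wayland profile continues outside the hunk.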
@@ -127,10 +129,28 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + /dev/tty r, /dev/tty@{int} rw, + profile at-spi { + include + + @{sh_path} r, + @{bin}/busctl rix, + @{bin}/sed rix, + @{bin}/xprop rPx, + + /etc/xdg/Xwayland-session.d/00-at-spi r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index f28106373..1a7573d77 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index a52a22330..e05e443ff 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,8 +36,6 @@ profile kwin_x11 @{exec_path} { /etc/xdg/plasmarc r, owner @{user_cache_dirs}/ r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/{,**} rwl, @@ -50,7 +48,7 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/kwinoutputconfig.json r, + owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index d732ee0f7..f7f168364 100644 
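Review bot: The new `at-spi` child profile grants `/home/ r,`, which lets the script list every account's home directory, while the adjacent `owner @{HOME}/ r,` already covers the only directory the user's own session should need. Unless the audit log shows the script itself reading `/home/`, the first rule should be dropped so the child does not gain an account-enumeration primitive that the parent compositor does not have. The at-spi sub-profile is complete within the hunk; the enclosing kwin_wayland profile starts outside it.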
--- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,27 +11,45 @@ include profile okular @{exec_path} { include include + include include + include include include + include include include include + network netlink raw, + + signal send set=term peer=kioworker, + @{exec_path} mr, @{bin}/ps2pdf rPUx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgcon rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{open_path} rPx -> child-open, + #aa:exec kioworker /usr/share/color-schemes/{,**} r, /usr/share/okular/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + /etc/xdg/dolphinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, + + / r, + @{MOUNTS}/ r, + + owner @{user_cache_dirs}/okular/{,**} rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, 
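Review bot: `network netlink raw,` is added to the okular profile with no comment on which component needs a raw netlink socket, which is unusual access for a document viewer. The surrounding additions (`/etc/fstab r`, `@{MOUNTS}/ r`, `/ r`) suggest the file dialog's Solid/udev device listing, but that is inferred rather than shown; once confirmed from the audit log a why-comment such as `network netlink raw, # Solid device discovery through libudev` would let a later reviewer judge whether the rule still belongs. The okular profile continues past the hunk.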
@@ -39,22 +57,48 @@ profile okular @{exec_path} {
   owner @{user_config_dirs}/okularrc rw,
   owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/okularrc.lock rwk,
+  owner @{user_config_dirs}/okular-generator-popplerrc r,
+  owner @{user_config_dirs}/KDE/*.conf r,
+  owner @{user_config_dirs}/kioslaverc r,
+  owner @{user_config_dirs}/kservicemenurc r,
+  owner @{user_config_dirs}/kwalletrc r,
+  owner @{user_config_dirs}/menus/ r,
+  owner @{user_config_dirs}/menus/applications-merged/ r,
+  owner @{user_share_dirs}/#@{int} rw,
+  owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r,
   owner @{user_share_dirs}/okular/ rw,
   owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**,
+  owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int},
+  owner @{user_share_dirs}/recently-used.xbel.lock rk,
+  owner @{user_share_dirs}/user-places.xbel r,
-  owner @{user_cache_dirs}/okular/{,**} rw,
+  owner @{user_state_dirs}/#@{int} rw,
+  owner @{user_state_dirs}/okularstaterc rw,
+  owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int},
+  owner @{user_state_dirs}/okularstaterc.lock rwk,
   owner @{tmp}/#@{int} rw,
+  owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},
   owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
+  owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
+  owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
   profile gpg {
     include
+    include
     @{bin}/gpg{,2} mr,
     @{bin}/gpgcon mr,
     @{bin}/gpgsm mr,
+    owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+    owner @{run}/user/@{uid}/ r,
     owner @{run}/user/@{uid}/gnupg/ r,
diff --git a/apparmor.d/groups/kde/pam_kwallet_init b/apparmor.d/groups/kde/pam_kwallet_init
index b84407863..764917a1f 100644
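Review bot: The `gpg` child profile still lists only `@{bin}/gpgcon mr,` (an unchanged context line in this hunk), while the parent's exec rule was corrected to `@{bin}/gpgconf rCx -> gpg` in the previous hunk, so gpgconf now transitions into a child profile that does not name it and will be denied there. The child needs the same correction: `@{bin}/gpgconf mr,`. Separately, `owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},` spells the link target as a literal `/tmp/` while the source uses `@{tmp}`; `-> @{tmp}/#@{int}` keeps both sides consistent (the pre-existing `.ps` rule has the same mismatch). The gpg sub-profile ends outside the hunk.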
--- a/apparmor.d/groups/kde/pam_kwallet_init +++ b/apparmor.d/groups/kde/pam_kwallet_init @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index 6270df2f7..dce3545f7 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,9 +28,6 @@ profile plasma-browser-integration-host @{exec_path} { /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 542110454..1247d0fdf 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,7 +29,7 @@ profile plasma-discover @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/kreadconfig5 rPx, + @{bin}/kreadconfig{,5} rPx, @{bin}/gpg rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -38,7 +38,6 @@ profile plasma-discover @{exec_path} { #aa:exec kio_http_cache_cleaner #aa:exec kioworker - /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/knsrcfiles/{,*} r, /usr/share/kservices{5,6}/{,*} r, /usr/share/kservicetypes5/{,*} r, 
@@ -65,7 +64,6 @@ profile plasma-discover @{exec_path} { owner @{user_cache_dirs}/appstream/*.xb rw, owner @{user_cache_dirs}/discover/{,**} rwlk, owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/ w, owner @{user_config_dirs}/ r, diff --git a/apparmor.d/groups/kde/plasma-emojier b/apparmor.d/groups/kde/plasma-emojier index 3862706a9..ba00660fc 100644 --- a/apparmor.d/groups/kde/plasma-emojier +++ b/apparmor.d/groups/kde/plasma-emojier @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 6082b579e..1fbeda384 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,15 +33,11 @@ profile plasma_session @{exec_path} { #aa:exec polkit-kde-authentication-agent /usr/share/kservices{5,6}/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, /etc/xdg/menus/ r, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index c987a4759..a509135af 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include profile plasma_waitforname @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 9a21b9dff..0d8a5d8cb 100644 
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -28,7 +28,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   include
   include
-  # userns,
+  userns,
   capability sys_ptrace,
@@ -59,12 +59,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   /opt/**/share/icons/{,**} r,
   /opt/*/**/*.desktop r,
   /opt/*/**/*.png r,
+  /usr/share/*/icons/{,**} r,
   /usr/share/akonadi/{,**} r,
-  /usr/share/desktop-base/{,**} r,
   /usr/share/desktop-directories/kf5-*.directory r,
   /usr/share/kf{5,6}/{,**} r,
   /usr/share/kio/servicemenus/{,*.desktop} r,
-  /usr/share/knotifications{5,6}/*.notifyrc r,
   /usr/share/konsole/ r,
   /usr/share/krunner/{,**} r,
   /usr/share/kservices{5,6}/{,**} r,
@@ -77,6 +76,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   /usr/share/solid/actions/{,**} r,
   /usr/share/swcatalog/{,**} r,
   /usr/share/templates/{,*.desktop} r,
+  /usr/share/thumbnailers/{,*} r,
   /usr/share/wallpapers/{,**} r,
   /etc/appstream.conf r,
@@ -90,9 +90,14 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   /var/lib/AccountsService/icons/* r,
+  @{MOUNTS}/ r,
+  @{HOME}/ r,
+  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{user_games_dirs}/**.{png,jpg,svg} r,
+  owner @{user_music_dirs}/**.{png,jpg,svg} r,
   owner @{user_pictures_dirs}/{,**} r,
   owner @{user_templates_dirs}/ r,
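Review bot: `userns,` is switched on for plasmashell with no comment saying which part of the shell creates user namespaces, and unprivileged user namespaces are precisely what the newer Ubuntu restricted-userns policy exists to gate, so this is the rule in the commit most in need of a justification. Presumably the consumer is the Chromium sandbox inside QtWebEngine-based applets, but that is an inference; a comment such as `userns, # QtWebEngine (Chromium sandbox) used by web-based applets` and, if the need is that narrow, a check whether the WebEngine helper process can carry the rule in its own child profile instead of the whole shell would keep the blast radius small. The plasmashell profile starts and ends outside the hunk.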
@@ -103,12 +108,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/appstream/*.xb rw, owner @{user_cache_dirs}/bookmarksrunner/ rw, owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int}, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w, owner @{user_cache_dirs}/ksvg-elements rw, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, - owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, owner @{user_cache_dirs}/plasma_engine_potd/{,**} rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, @@ -128,9 +131,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/akonadi/akonadi*rc r, owner @{user_config_dirs}/arkrc r, owner @{user_config_dirs}/baloofileinformationrc r, - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/eventviewsrc r, owner @{user_config_dirs}/kactivitymanagerd* rwkl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kcookiejarrc r, @@ -147,8 +148,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/plasma* rwlk, - owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/*/sessions/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/akonadi/search_db/{,**} r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, 
@@ -172,12 +173,18 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   owner @{user_share_dirs}/user-places.xbel{,*} rwl,
   owner @{user_share_dirs}/wallpapers/{,**} rw,
+  owner @{user_state_dirs}/#@{int} rw,
+  owner @{user_state_dirs}/plasmashellstaterc rw,
+  owner @{user_state_dirs}/plasmashellstaterc.lock rwk,
+  owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl,
   /tmp/.mount_nextcl@{rand6}/{,*} r,
   owner @{tmp}/#@{int} rw,
   @{run}/mount/utab r,
   @{run}/user/@{uid}/gvfs/ r,
   owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
   owner @{run}/user/@{uid}/kdesud_:@{int} w,
   owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@@ -187,11 +194,17 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   @{sys}/devices/platform/** r,
   @{sys}/devices/@{pci}/name r,
-  @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/thermal/**/{name,type} r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
   @{PROC}/ r,
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/stat r,
   @{PROC}/cmdline r,
   @{PROC}/diskstats r,
   @{PROC}/loadavg r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 1b52954d6..7f48fbec0 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
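Review bot: `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/stat r,` are added without `owner`, so plasmashell may read the command line of every process on the system, including other users' and root's, and command lines routinely carry passwords and tokens. If the reader is the task manager or a system-monitor widget that only deals with the session's own processes, `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/stat r,` are enough; if it genuinely needs every process, a comment naming the consumer would document that choice. The four DMI reads could also become a single brace rule, in the style of the neighbouring `thermal/**/{name,type}` line. The plasmashell profile ends outside the hunk.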
@@ -113,7 +113,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/sddm/scripts/Xsetup rix, /usr/share/sddm/scripts/Xstop rix, - /usr/share/desktop-base/softwaves-theme/login/*.svg r, /usr/share/plasma/desktoptheme/** r, /usr/share/sddm/faces/.*.icon r, /usr/share/sddm/themes/** r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f249d911e..f2c133cec 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile sddm-greeter @{exec_path} { include include include - include + include include include include @@ -28,13 +28,13 @@ profile sddm-greeter @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - /usr/share/desktop-base/*-theme/login/*.svg r, + /usr/share/endeavouros/backgrounds/** r, + /usr/share/hunspell/** r, /usr/share/plasma/desktoptheme/** r, /usr/share/sddm/{,**} r, + /usr/share/wallpapers/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xsessions/{,*.desktop} r, - /usr/share/wallpapers/{,**} r, - /usr/share/hunspell/** r, /etc/fstab r, /etc/os-release r, @@ -49,8 +49,9 @@ profile sddm-greeter @{exec_path} { owner @{SDDM_HOME}/#@{int} mrw, owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, + @{HOME}/.face.icon r, + owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rw, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 3e566b458..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e575f3bb2..f10e80d7f 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,9 @@ include profile startplasma @{exec_path} { include include - include include + include + include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, @@ -22,6 +23,7 @@ profile startplasma @{exec_path} { @{bin}/env rix, @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, + @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, @{bin}/plasma_session rPx, @{bin}/xrdb rPx, @@ -31,14 +33,12 @@ profile startplasma @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/plasma/{,**} r, /etc/locale.alias r, /etc/machine-id r, - /etc/xdg/kcminputrc r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, @@ -49,13 +49,9 @@ profile startplasma @{exec_path} { owner @{user_cache_dirs}/kcrash-metadata/ rw, owner @{user_cache_dirs}/plasma-svgelements rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc{,*} rwlk, - owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ rw, owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksplashrc r, owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, owner @{user_config_dirs}/menus/{,**} r, 
@@ -66,6 +62,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/startkderc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/kservices{5,6}/{,**} r, @@ -77,8 +74,7 @@ profile startplasma @{exec_path} { owner @{run}/user/@{uid}/ r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/maps r, + @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index ffcf93783..e68d248b6 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -2,14 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemsettings profile systemsettings @{exec_path} { include + include include + include + include include include include @@ -22,7 +25,9 @@ profile systemsettings @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/cat rix, + @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, @{bin}/lspci rPx, @{bin}/openssl rix, @@ -38,7 +43,7 @@ profile systemsettings @{exec_path} { /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kglobalaccel/* r, /usr/share/kinfocenter/{,**} r, - /usr/share/kinfocenter/{,**} r, + /usr/share/solid/{,**} r, /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, @@ -46,9 +51,9 @@ profile systemsettings @{exec_path} { /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, /usr/share/plasma/{,**} r, /usr/share/sddm/themes/{,**} r, - /usr/share/sddm/themes/{,**} r, /usr/share/systemsettings/{,**} r, /usr/share/wallpapers/{,**} r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/machine-id r, 
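Review bot: `@{sh_path} rix,` in the systemsettings hunk lets an arbitrary shell run with the full systemsettings profile, and nothing says which KCM spawns it; `cat` and `openssl` are already `rix` here, so whatever the shell is for inherits everything the settings front-end can read. A comment naming the consumer, or a `Cx` child profile limited to the commands that shell actually runs, would be the tighter form. The systemsettings profile continues outside the hunk.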
@@ -56,35 +61,42 @@ profile systemsettings @{exec_path} { /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, + /etc/xdg/* r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/kinfocenter/{,**} rwl, + /var/cache/cracklib/cracklib_dict.* r, + /var/cache/samba/ rw, + /var/lib/AccountsService/icons/* r, + /var/lib/flatpak/repo/{,**} r, + + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + + owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, + owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, owner @{user_cache_dirs}/ksvg-elements rw, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, owner @{user_config_dirs}/{P,p}lasma* r, + owner @{user_config_dirs}/*rc r, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kactivitymanagerdrc r, + owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, + owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/kinfocenterrc* rwlk, - owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/kxkbrc r, + owner @{user_config_dirs}/libaccounts-glib/ rw, + owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, 
owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_share_dirs}/baloo/index r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, @@ -98,12 +110,32 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/systemsettings/** rwlk, owner @{user_share_dirs}/wallpapers/{,**} r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/systemsettingsstaterc rw, + owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk, + owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk, + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{sys}/bus/ r, + @{sys}/bus/acpi/devices/ r, @{sys}/bus/cpu/devices/ r, @{sys}/class/ r, + @{sys}/firmware/acpi/pm_profile r, + @{PROC}/interrupts r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + /dev/ r, + /dev/bus/usb/ r, + /dev/input/ r, + /dev/rfkill r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter index 1ff12062f..309b9c444 100644 --- a/apparmor.d/groups/kde/utempter +++ b/apparmor.d/groups/kde/utempter @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index b9e7cf4fc..124cf2fda 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index a4474a64a..969a82f6c 100644 
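Review bot: `/etc/xdg/* r,` and `owner @{user_config_dirs}/*rc r,` replace named files with globs, and the first is filed after `/var/lib/dbus/machine-id r` instead of with the other `/etc/xdg/` rules, which makes the explicit `/etc/xdg/plasmanotifyrc r` above it redundant while `/etc/xdg/ui/ui_standards.rc r` still needs its own line; moving the glob up and dropping the now-covered entries keeps the ordering the file otherwise follows. Reading every `*rc` in the user's config directory is plausible for a settings front-end, but `/var/cache/samba/ rw,` is harder to justify: an unprivileged systemsettings normally cannot write a root-owned system cache, so unless the log shows a successful write under some distro layout, `/var/cache/samba/ r,` plus a comment naming the KCM would be the least-privilege choice. This hunk begins on the previous source line and the enclosing systemsettings profile starts outside it.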
--- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include profile xembedsniproxy @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7e422a3d0..7cebbb43c 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge index 0f6aeb48a..889018a13 100644 --- a/apparmor.d/groups/kde/xwaylandvideobridge +++ b/apparmor.d/groups/kde/xwaylandvideobridge @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index fad5908b4..8ac535f16 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,7 +34,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n@{int} r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e5e9b0785..e20ea48b3 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -43,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved @@ -61,11 +62,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member=GetManagedObjects peer=(name=:*, label=bluetoothd), - dbus send bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,removeInterface} - peer=(name=org.freedesktop.DBus, label=firewalld), - dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded @@ -94,11 +90,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, + /usr/share/netplan/netplan.script rPx, - /usr/share/netplan/netplan.script rPx, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, + /usr/share/iproute2/{,**} r, + + @{att}/ r, - / r, /etc/ r, /etc/iproute2/* r, /etc/machine-id r, @@ -118,11 +116,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/rfkill/ r, @{sys}/class/rfkill/ r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, 
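Review bot: The new `#aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld` directive replaces a send rule that was scoped to path `/org/fedoraproject/FirewallD1`, interface `org.fedoraproject.FirewallD1.zone` and members `changeZoneOfInterface`/`removeInterface`; if the directive expands to unrestricted send and receive toward that name (its expansion is not visible here), NetworkManager can now call any firewalld method, including ones that rewrite the ruleset rather than move an interface between zones. The removed rule's `peer=(name=org.freedesktop.DBus, label=firewalld)` looks like it never matched, which may be the motivation, but the widening should be recorded next to the directive, e.g. `# firewalld: only zone.changeZoneOfInterface/removeInterface are needed`. The same replacement pattern appears in the tailscaled hunk (resolve1) later in this diff.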
@@ -134,13 +133,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/** rw, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, /dev/rfkill rw, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 79b7283eb..6d4ea3f7e 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 3ccafc80a..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index a80a4c37a..50827e77e 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,7 @@ profile iwd @{exec_path} { network netlink dgram, network alg seqpacket, - @{exec_path} mr, + @{exec_path} mr, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index dcdb1738a..8dc29f568 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -48,14 +48,13 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/cache/mullvad-vpn/{,*} rw, owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, - + + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, - @{run}/NetworkManager/resolv.conf r, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, owner @{tmp}/@{uuid} rw, owner @{tmp}/talpid-openvpn-@{uuid} rw, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 7533b107c..e1c55c7e1 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = Mullvad*VPN +@{name} = Mullvad?VPN @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, /dev/tty rw, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index c9cc3fff7..53297493e 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 361cf8d3b..de8f9ccb0 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-daemon-helper b/apparmor.d/groups/network/nm-daemon-helper index f8d262a44..7d16292f2 100644 --- a/apparmor.d/groups/network/nm-daemon-helper +++ b/apparmor.d/groups/network/nm-daemon-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 434dce19f..5e93bdbf5 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 9e2904a54..40984f7fa 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -4,7 +4,7 @@ # TODO: rethink how the scripts should be managed -abi , +abi , include @@ -31,20 +31,21 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, @{bin}/basename rix, @{bin}/cat rix, - @{bin}/chronyc rPUx, @{bin}/chown rix, + @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, @{bin}/grep rix, @{bin}/id rix, @{bin}/invoke-rc.d rCx -> invoke-rc, + @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, + @{bin}/python3.@{int} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/network/nm-iface-helper b/apparmor.d/groups/network/nm-iface-helper index 36fa1ca30..c74379698 100644 --- a/apparmor.d/groups/network/nm-iface-helper +++ b/apparmor.d/groups/network/nm-iface-helper 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-initrd-generator b/apparmor.d/groups/network/nm-initrd-generator index 095347370..611587547 100644 --- a/apparmor.d/groups/network/nm-initrd-generator +++ b/apparmor.d/groups/network/nm-initrd-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 159b890d1..144fd84cb 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-openvpn-auth-dialog b/apparmor.d/groups/network/nm-openvpn-auth-dialog index 854614345..87e3e4f40 100644 --- a/apparmor.d/groups/network/nm-openvpn-auth-dialog +++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index d65aa8f1a..675c14679 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper index 130067a76..b2f4ca0e3 100644 --- a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper +++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/network/nm-priv-helper b/apparmor.d/groups/network/nm-priv-helper index e07c9f685..13a283c52 100644 --- a/apparmor.d/groups/network/nm-priv-helper +++ b/apparmor.d/groups/network/nm-priv-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 2345d9d2c..a964ab958 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,9 +15,7 @@ profile nmcli @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 6bf8c168b..532c65f78 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -18,7 +18,7 @@ # If a user wants to type user/pass interactively, systemd-ask-password is # invoked for that. -abi , +abi , include @@ -59,7 +59,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/nm-openvpn-@{uuid} rw, @{run}/openvpn/*.{pid,status} rw, - @{run}/systemd/journal/dev-log rw, + @{run}/systemd/journal/dev-log r, @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @@ -90,6 +90,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/ r, + include if exists } profile force-user-traffic-via-vpn { @@ -121,6 +122,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/sys/net/ipv{4,}/route/flush w, + include if exists } include if exists 
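Review bot: `@{run}/systemd/journal/dev-log rw` is reduced to `r` in the openvpn hunk, but this path is the syslog datagram socket and connecting to a path-based unix socket is mediated as `w` on the socket file, so the rule as written no longer covers what openvpn does with it. It only works if an included abstraction (the stripped `include` names cannot be checked here) still grants `w`; if that is the case the line is redundant and could be dropped with a comment, otherwise restore `@{run}/systemd/journal/dev-log w,`.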
diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind
index 049605f97..f9dcac8d1 100644
--- a/apparmor.d/groups/network/rpcbind
+++ b/apparmor.d/groups/network/rpcbind
@@ -2,7 +2,7 @@
# Copyright (C) 2023 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat
new file mode 100644
index 000000000..25f975d25
--- /dev/null
+++ b/apparmor.d/groups/network/socat
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Nishit Majithia (nishitm)
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/socat
+profile socat @{exec_path} {
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability net_admin,
+ capability net_bind_service,
+ capability net_raw,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_resource,
+
+ # Allow creation of network sockets and `socat` uses dccp for some
+ # fuctionalities that is why it is necessary to allow whole `network`
+ network,
+
+ @{exec_path} mr,
+
+ @{PROC}/@{pid}/fdinfo/@{int} rw,
+ @{PROC}/@{pid}/stat r,
+
+ /dev/net/tun rw,
+ /dev/vsock r, # For bi-directional communication between vms and host/hypervisor
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale
index 5c3b62211..4e5bba684 100644
--- a/apparmor.d/groups/network/tailscale
+++ b/apparmor.d/groups/network/tailscale
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
@@ -27,8 +27,6 @@ profile tailscale @{exec_path} {
owner @{run}/tailscale/tailscaled.sock rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/net/core/somaxconn r,
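Review bot: The new socat profile grants `sys_module`, `sys_admin`, `dac_override`, `chown` and `fsetid` on top of an unrestricted `network,` rule and `/dev/net/tun rw`, with only the `network,` line carrying a justification; for a general-purpose relay invoked with user-supplied addresses this is close to an unconfined process, so each capability should be tied to the socat address type or option that triggered it (for example the `TUN` address for `/dev/net/tun`, or the `user=`/`group=`/`perm=` listener options for `chown`/`fsetid`) or dropped. `sys_module` stands out: protocol autoloading for a new socket family is done by the kernel itself, so a denial on it would be unexpected — if it was added without an observed denial, remove it. The comment's `fuctionalities` should read `functionalities`, and `@{PROC}/@{pid}/fdinfo/@{int} rw` would normally carry `owner` like the neighbouring proc rules elsewhere in this diff.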
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 121697da6..7bab28a22 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
@@ -21,29 +21,17 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
capability syslog,
network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
network inet raw,
+ network inet stream,
+ network inet6 dgram,
network inet6 raw,
+ network inet6 stream,
network netlink raw,
+ network packet dgram,
ptrace (read),
- dbus send bus=system path=/org/freedesktop/resolve1
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
-
- dbus send bus=system path=/org/freedesktop/resolve1
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
-
- dbus send bus=system path=/org/freedesktop/resolve1
- interface=org.freedesktop.resolve1.Manager
- member={FlushCaches,SetLink*}
- peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
+ #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
@{exec_path} mr,
@@ -69,7 +57,6 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
owner @{run}/tailscale/{,**} rw,
@{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/ r,
@{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg
index 783fa41fe..781a52f7a 100644
--- a/apparmor.d/groups/network/wg
+++ b/apparmor.d/groups/network/wg
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
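Review bot: `network packet dgram` is new in the tailscaled profile and undocumented: it permits AF_PACKET sockets, i.e. link-layer capture and injection on any interface, which is a far larger grant than the inet/inet6 rules around it. If it came from an observed denial, record the trigger next to the rule, e.g. `network packet dgram, # <reason — placeholder>`; otherwise drop it. The replacement of the three scoped `dbus send` rules (Peer.Ping, Properties.Get, Manager.FlushCaches/SetLink*) by a single `#aa:dbus talk` directive widens the resolve1 access in the same way as the NetworkManager/firewalld change earlier in this diff.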
@@ -11,11 +11,18 @@ profile wg @{exec_path} { include capability net_admin, + capability net_bind_service, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, @{exec_path} mr, + /etc/wireguard/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 1183a4a5b..c7ea6b1bd 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include profile wg-quick @{exec_path} { include + capability dac_read_search, capability net_admin, network netlink raw, @@ -21,7 +22,8 @@ profile wg-quick @{exec_path} { @{bin}/ip rPx, @{bin}/nft rix, @{bin}/readlink rix, - @{bin}/resolvectl rPx, + @{bin}/resolvconf rPx, + @{bin}/resolvectl rPUx, @{bin}/sort rix, @{bin}/stat rix, @{bin}/sysctl rix, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 7ef09601c..b8c622c6e 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,12 +28,12 @@ profile arch-audit @{exec_path} { /var/lib/pacman/local/{,**} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/pts/@{int} rw, include if exists diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 5a78db048..e6728a606 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java 
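Review bot: `/etc/wireguard/{,**} rw` gives the `wg` CLI write access to every file under `/etc/wireguard`, the directory that holds the tunnel private keys; as far as I know `wg` only reads configuration (`setconf`/`syncconf`/`addconf`) and prints with `showconf` — the file write in `wg-quick save` is done by the calling shell, not by `wg`. Unless a write denial was actually observed, `/etc/wireguard/{,**} r,` is enough. The added `capability net_bind_service` and the four inet/inet6 socket rules also deserve a one-line comment, since `wg` configures the interface over netlink and would normally only need a socket for endpoint name resolution.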
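Review bot: In the wg-quick hunk `@{bin}/resolvectl rPx` becomes `rPUx`, so when no resolvectl profile is loaded the child runs unconfined instead of being denied — a silent fall-back for a root helper that edits DNS settings. If the intent is to support systems that ship `resolvconf` instead of `systemd-resolved`, the newly added `@{bin}/resolvconf rPx` line already covers that and `resolvectl` can stay `rPx`; otherwise say why the fall-back is acceptable, e.g. `@{bin}/resolvectl rPUx, # no dedicated profile on some distributions`. The new `capability dac_read_search` would likewise benefit from naming the file that triggered it.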
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 708d2b585..014073443 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} { /etc/pacman.conf r, /etc/pacman.d/*-mirrorlist r, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /etc/pacman.d/mirrorlist r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 3f46e2fa6..82f935dcb 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -57,8 +57,6 @@ profile aurpublish @{exec_path} { owner @{tmp}/tmp.@{rand10} rw, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, profile gpg { diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg new file mode 100644 index 000000000..6f4672f99 --- /dev/null +++ b/apparmor.d/groups/pacman/makepkg 
@@ -0,0 +1,94 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/makepkg
+profile makepkg @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ signal send set=winch peer=pacman,
+ signal send set=winch peer=pacman//systemctl,
+
+ file,
+
+ @{bin}/gpg{,2} Cx -> gpg,
+ @{bin}/gpgconf Cx -> gpg,
+ @{bin}/gpgsm Cx -> gpg,
+ @{bin}/sudo Cx -> sudo,
+
+ profile gpg {
+ include
+ include
+
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
+
+ @{bin}/dirmngr rix,
+ @{bin}/gpg-agent rix,
+ @{bin}/gpg-connect-agent rix,
+ @{lib}/{,gnupg/}scdaemon rix,
+
+ /etc/pacman.d/gnupg/ r,
+ /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,
+
+ owner @{user_pkg_dirs}/{,**} rw,
+
+ owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+ owner @{user_cache_dirs}/makepkg/src/*.asc r,
+
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw,
+ owner @{tmp}/tmp.@{rand10} rw,
+
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/gnupg/ r,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
+ owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ include if exists
+ }
+
+ profile sudo {
+ include
+ include
+
+ capability sys_ptrace,
+
+ ptrace read,
+
+ signal send set=winch peer=pacman,
+ signal send set=winch peer=pacman//systemctl,
+
+ @{bin}/pacman Px,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index b83ea2d3c..a9902e54b 100644
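Review bot: The bare `file,` rule in the main `makepkg` profile lifts every filesystem restriction outside the `gpg` and `sudo` children, so the PKGBUILD functions (arbitrary user-supplied shell, executed in-profile because no other `x` transition is declared) run effectively unconfined; that may be the only workable design for a build tool, but it should be stated above the rule, e.g. `# PKGBUILDs run arbitrary code: file access is unrestricted, only gpg and sudo are separated`. The `sudo` child declares only `sys_ptrace`, so the setuid/setgid/audit_write capabilities sudo needs must come from the stripped `include` lines, which cannot be verified here. `ptrace read,` in that child is unrestricted, whereas the yay `sudo` child later in this diff limits it to `peer=unconfined` — the two should agree or carry a comment explaining the difference.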
--- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/{m,g,}awk rix, @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, @@ -34,6 +35,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, + @{bin}/objcopy rix, + @{bin}/objdump rix, @{bin}/tput rix, @{bin}/xz rix, @{bin}/zcat rix, @@ -45,8 +48,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/modprobe rPx, @{bin}/plymouth rPx, @{bin}/plymouth-set-default-theme rPx, + @{bin}/sbctl rPx, @{lib}/initcpio/busybox rix, + @{lib}/initcpio/post/** rix, @{lib}/ld-*.so* rix, /etc/fstab r, @@ -82,15 +87,22 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, - # Temp files - owner @{run}/initramfs/{,**} rw, - owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, + /usr/share/systemd/bootctl/** r, + + /etc/kernel/** r, + + /tmp/mkinitcpio.@{rand6} rw, + /tmp/mkinitcpio.@{rand6}.tmp rw, owner @{tmp}/mkinitcpio.@{rand6} rw, owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initramfs/{,**} rw, + owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, @{sys}/class/block/ r, @{sys}/devices/{,**} r, + @{sys}/firmware/efi/fw_platform_size r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 3089b2f3e..f537afdb3 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
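Review bot: The two new `/tmp/mkinitcpio.@{rand6}` rules carry no `owner` qualifier while every neighbouring temp-file rule does (`owner @{tmp}/mkinitcpio.@{rand6} rw` two lines below); if `@{tmp}` already expands to `/tmp`, the only effect of the new lines is to let mkinitcpio, running as root, write to files of that name created by other users in the world-writable `/tmp`. Prefix them with `owner` or, if a denial on a non-owned path was really observed, say so in a comment. `@{lib}/initcpio/post/** rix` runs post-generation hooks under this profile; a comment that these are package-installed scripts rather than user-writable ones would make the inherit transition easier to accept.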
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 417e48504..64a813bf4 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -32,10 +32,14 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/tput rix, @{bin}/vim rix, + owner @{HOME}/.viminfo{,.tmp} rw, + + owner @{user_cache_dirs}/vim/{,**} rw, + # packages files / r, /boot/{,**} r, - /etc/{,**} r, + /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, /usr/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 1f3d9ad8b..1c7015b1f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,16 +37,17 @@ profile pacman @{exec_path} flags=(attach_disconnected) { network netlink raw, network unix stream, - ptrace (read), + ptrace read, - signal (send) set=(usr1) peer=gvfsd, + signal send set=usr1 peer=gvfsd, + signal receive set=winch peer=makepkg//sudo, @{exec_path} mrix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - + # Pacman hooks & install scripts @{sh_path} rix, @{coreutils_path} rix, @@ -64,7 +65,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/ghc-pkg{,-*} rPx, + @{bin}/ghc-pkg-@{version} rix, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{bin}/groupadd rPx, @@ -100,6 +101,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/vercmp rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, @{lib}/vlc/vlc-cache-gen rPx, /opt/Mullvad*/resources/mullvad-setup rPx, /usr/share/code-features/patch.py rPx, 
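Review bot: In the pacdiff hunk `/etc/{,**} r` becomes `/etc/{,**} rw` under the `# packages files` comment, which documents read access; pacdiff's job is to merge `.pacnew` files into the live configuration, so writes are needed, but a blanket `w` over all of `/etc` (shadow, sudoers, the AppArmor profiles themselves) should be labelled rather than left under a read-only comment, e.g. `/etc/{,**} rw, # pacdiff merges .pacnew/.pacsave into the live files`. In the pacman hunk on this line `@{bin}/ghc-pkg{,-*} rPx` turns into `@{bin}/ghc-pkg-@{version} rix`, so ghc-pkg now inherits pacman's own broad rules instead of a separate profile; if the separate profile was removed, a comment next to the `rix` line would save the next reader from looking for it.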
@@ -118,11 +120,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files - @{user_pkg_dirs}/**/ r, - @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, + @{user_pkg_dirs}/{,**} r, owner /var/lib/pacman/{,**} rwl, - owner @{tmp}/alpm_*/{,**} rw, + owner @{tmp}/alpm_@{rand6}/{,**} rw, owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, owner @{tmp}/checkup-db-@{int}/db.lck rw, @@ -170,7 +171,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gpg-connect-agent rix, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, @{HOME}/@{XDG_GPG_DIR}/*.conf r, @@ -193,10 +194,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + signal send set=cont peer=child-pager, + signal receive set=winch peer=makepkg//sudo, + + @{pager_path} rPx -> child-pager, /etc/machine-id r, diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index ebf99cbff..b57ab746d 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 39389f42f..3a6bbd7fe 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index 91e3b367d..b5a330d75 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf 
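Review bot: `@{bin}/diff rPx -> child-pager` is dropped together with the explicit pager list, but `@{pager_path}` (its definition is not visible here) is presumably a list of pager binaries only, so a `diff` spawned from this child loses its transition and is denied unless some other rule matches. If `diff` is still needed, keep it as its own line: `@{bin}/diff rPx -> child-pager,`. The widening of `@{user_pkg_dirs}/**.pkg.tar.zst{,.sig}` to `@{user_pkg_dirs}/{,**} r` in the first hunk on this line also deserves a word, since a user's package tree may hold more than built packages.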
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index c54523d86..45336a100 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index fd449cd10..a039db414 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 8068d83dc..de0d33e16 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index dcbfe6e28..5aa612a3c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index d75527d79..ce7b931ca 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index aae81662b..a0be0e39b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules profile pacman-hook-gtk4-querymodules @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a182b23ca..09529cbb0 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,9 +37,10 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { / r, /boot/ r, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, + /boot/efi/boot/boot*.efi rw, /boot/initramfs-*-fallback.img rw, + /boot/initramfs-*.img rw, + /boot/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 8d26de0b4..7c0006153 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 894ba266c..1254f97e2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index f704f5ddb..2c32024a2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,13 +15,14 @@ profile pacman-hook-systemd @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/touch rix, @{bin}/journalctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/systemd-hwdb rPx, + @{bin}/systemd-notify rPx, @{bin}/systemd-sysusers rPx, @{bin}/systemd-tmpfiles rPx, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 0375c7863..728bd84d2 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -65,9 +65,10 @@ profile pacman-key @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, - /dev/pts/@{int} rw, - /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 7b277fb3e..588c39ccc 100644 --- a/apparmor.d/groups/pacman/reflector +++ b/apparmor.d/groups/pacman/reflector @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,9 +29,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) { /etc/xdg/reflector/reflector.conf r, /etc/pacman.d/mirrorlist rw, - owner @{user_cache_dirs}/mirrorstatus.json rw, /var/cache/reflector/mirrorstatus.json rw, + owner @{user_cache_dirs}/mirrorstatus.json r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, 
diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay
new file mode 100644
index 000000000..e101fc06f
--- /dev/null
+++ b/apparmor.d/groups/pacman/yay
@@ -0,0 +1,110 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/yay +profile yay @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{editor_path} Cx -> editor, + @{bin}/git Cx -> git, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/makepkg Px, + @{bin}/pacman-conf Px, + @{bin}/sudo Cx -> sudo, + + /var/lib/pacman/** r, + + owner @{user_cache_dirs}/yay/ rw, + owner @{user_cache_dirs}/yay/** rwkl -> @{user_cache_dirs}/yay/**, + + owner @{user_config_dirs}/yay/{,**} rw, + + profile git { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{bin}/git* mrix, + @{lib}/git{,-core}/git* mrix, + + @{pager_path} rPx -> child-pager, + @{bin}/gpg{2,} rPx -> yay//gpg, + + /usr/share/git{,-core}/{,**} r, + + owner @{user_build_dirs}/**/.git/** r, + owner @{user_pkg_dirs}/**/.git/** r, + owner @{user_projects_dirs}/**/.git/** r, + + owner @{HOME}/.gitconfig r, + owner @{user_cache_dirs}/yay/ rw, + owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, + owner @{user_config_dirs}/git/{,*} r, + + include if exists + } + + profile editor { + include + include + + owner @{HOME}/**/ r, # For pwd + + owner @{user_cache_dirs}/yay/*/** rw, + + include if exists + } + + profile gpg { + include + include + + @{bin}/gpg{,2} mr, + @{bin}/gpg-agent rPx, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + include if exists + } + + profile sudo { + include + include + + capability sys_ptrace, + + ptrace read peer=unconfined, + + @{bin}/pacman Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
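Review bot: The `sudo` child profile of the new yay profile grants `capability sys_ptrace` and `ptrace read peer=unconfined` with no comment, so a later reader cannot tell whether both are required or whether one is a leftover from a log trace. sudo presumably needs them to inspect the unconfined session leader through `/proc` for its tty/session checks, but that is an inference; a one-line comment at the rule such as `# sudo inspects the (unconfined) session leader via /proc for its tty checks — confirm` would record the reason. In the `editor` child, `owner @{HOME}/**/ r, # For pwd` lists every directory under the home tree, not just the working directory; if only cwd resolution is needed, the comment should say why the recursive form is required. The whole file is within the hunk.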
diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 672d9b5e5..3deddb092 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 1dac2be00..69f594f7a 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,8 +23,9 @@ profile ssh @{exec_path} { @{exec_path} mrix, - @{bin}/{,b,d,rb}ash rix, - @{bin}/{c,k,tc,z}sh rix, + @{bin}/@{shells} rUx, + + @{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index ec82ea1bc..72d6618e6 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,8 @@ profile ssh-agent @{exec_path} { include include - signal (receive) set=term peer=cockpit-bridge, - signal (receive) set=term peer=gnome-keyring-daemon, + signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, @@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{user_projects_dirs}/**/ssh/{,*} r, - owner @{tmp}/ssh-*/ rw, - owner @{tmp}/ssh-*/agent.* rw, + owner @{tmp}/ssh-@{rand12}/ rw, + owner @{tmp}/ssh-@{rand12}/agent.@{int} rw, owner @{run}/user/@{uid}/keyring/.ssh rw, owner @{run}/user/@{uid}/openssh_agent rw, @@ -34,6 +34,7 @@ profile ssh-agent @{exec_path} { owner @{run}/user/@{uid}/gcr/.ssh w, /dev/tty@{int} rw, + /dev/tty rw, include if exists } 
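Review bot: `@{bin}/@{shells} rUx` in the ssh hunk at `@@ -23,8 +23,9 @@` replaces shells that previously inherited the ssh profile (`rix`) with an unconfined execution, so anything ssh runs through a shell — ProxyCommand, LocalCommand, Match exec — now runs with no AppArmor confinement at all. That may be the only workable choice for arbitrary user-configured commands, but nothing in the profile says so; a comment at the rule would help, e.g. `# ProxyCommand/LocalCommand/Match exec run via the user's shell and cannot be confined generically`. The capital `U` keeps environment scrubbing, which is the right variant if unconfined is intended. The ssh profile body continues outside the hunk.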
diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 66e05b5ec..237a5ff76 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile ssh-agent-launch @{exec_path} { @{exec_path} mr, - @{bin}/{,z,ba,da}sh rix, + @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, @{bin}/grep rix, @@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} { include dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=SetEnvironment - peer=(name=org.freedesktop.systemd1), + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index f31ac1195..af43fb046 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper new file mode 100644 index 000000000..d913e2a2d --- /dev/null +++ b/apparmor.d/groups/ssh/ssh-sk-helper 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ssh/ssh-sk-helper +profile ssh-sk-helper flags=(complain) { + include + + @{exec_path} mr, + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, + + /dev/hidraw@{int} rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 1410d090f..2f704fb37 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -11,7 +11,7 @@ # If you want real protection disallow SSH access. -abi , +abi , include @@ -67,6 +67,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/nologin rPx, @{bin}/passwd rPx, @{lib}/openssh/sftp-server rPx, + @{lib}/ssh/sshd-session rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -96,12 +97,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, + @{att}/@{run}/systemd/sessions/@{int}.ref rw, + @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 7623cd87a..a367b0f7a 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 2bd8c4c78..05655d308 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
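Review bot: The new ssh-sk-helper profile grants `/dev/hidraw@{int} rwk` without a comment, which is every raw HID device on the host rather than only security keys, and the file carries no explanation of why the scope is that wide. The helper presumably cannot know the hidraw index of the token in advance, so the breadth may be unavoidable at the AppArmor level with DAC and udev ownership doing the real restriction; recording that at the rule, e.g. `# FIDO/U2F keys enumerate as arbitrary hidraw nodes; access is limited by udev/DAC, not by this rule — confirm`, would stop a later reader from treating the rule as an oversight. The profile is also created with `flags=(complain)`, so denials are only logged until it is switched to enforce. The whole file is within the hunk.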
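Review bot: `@{lib}/ssh/sshd-session rix` in the sshd hunk at `@@ -67,6 +67,7 @@` covers only the `@{lib}/ssh/` install location, while the neighbouring `@{lib}/openssh/sftp-server rPx` shows this profile is also expected to work where OpenSSH installs under `@{lib}/openssh/`; on such systems the split sshd-session binary would be denied once OpenSSH starts using it. Consider `@{lib}/{ssh,openssh}/sshd-session rix,`. `rix` also means the session process inherits the full sshd profile, which matches how the pre-split sshd behaved but is worth a comment stating it is intended rather than a placeholder for a dedicated profile. The sshd profile body continues outside the hunk.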
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,9 +22,7 @@ profile bootctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, @@ -69,8 +67,8 @@ profile bootctl @{exec_path} { @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, - @{PROC}/sys/kernel/random/poolsize r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/kernel/random/poolsize r, + owner @{PROC}/@{pid}/cgroup r, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index baf89561d..dcb60493e 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,14 +37,13 @@ profile busctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/comm r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 7c4149bee..89a19fa11 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -22,9 +22,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{bin}/gdb rCx -> gdb, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 47e7f531e..65e6ed11f 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 4b5f11810..3c5595345 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,9 +25,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -57,7 +55,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { deny network inet stream, deny network inet6 stream, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 46f67b325..2cac865a4 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,9 +15,7 @@ profile localectl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /usr/share/kbd/keymaps/{,**} r, 
diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 345957e3f..5386662c0 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -2,26 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/loginctl profile loginctl @{exec_path} { include + include include - include - include include capability net_admin, capability sys_resource, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, + + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/cgroup r, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 4c841e97d..dee55195d 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -35,9 +35,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/udev/hwdb.bin r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-ac-power b/apparmor.d/groups/systemd/systemd-ac-power index 44cbad98c..1353547f0 100644 --- a/apparmor.d/groups/systemd/systemd-ac-power +++ b/apparmor.d/groups/systemd/systemd-ac-power @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index deb22cbc1..09d432b2f 100644 --- a/apparmor.d/groups/systemd/systemd-analyze 
+++ b/apparmor.d/groups/systemd/systemd-analyze @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,9 +28,7 @@ profile systemd-analyze @{exec_path} { @{lib}/systemd/system-environment-generators/* rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/man rPx, /usr/ r, diff --git a/apparmor.d/groups/systemd/systemd-ask-password b/apparmor.d/groups/systemd/systemd-ask-password index 9a5e04306..6eec2ee6b 100644 --- a/apparmor.d/groups/systemd/systemd-ask-password +++ b/apparmor.d/groups/systemd/systemd-ask-password @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 066dbf33e..f67cb301c 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 8fae04706..d34bbe4cb 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index 0ccfd68c0..967d776d2 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index ed7254339..d0ded5ee7 100644 
--- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,9 +14,7 @@ profile systemd-cgls @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index 9ae69cd69..90ecc99f8 100644 --- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,9 +14,7 @@ profile systemd-cgtop @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 1902c6799..2e841dc51 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted include include - # userns, + userns, capability dac_override, capability dac_read_search, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 6ca3e3237..5e4b33a12 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
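Review bot: `userns,` in the systemd-coredump hunk at `@@ -13,7 +13,7 @@` is switched from a commented-out line to an active rule with no note on what needs it, and permission to create user namespaces is exactly the kind of grant reviewers look for under the userns restrictions of recent AppArmor. I believe recent systemd-coredump runs its core/ELF parsing in a sandboxed child that uses namespaces, which would be the trigger, but that should be confirmed and recorded at the rule: `# core/ELF parsing runs in a sandboxed user namespace — confirm against the denial`. The systemd-coredump profile body continues outside the hunk.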
diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 9ac4e8239..7cf546a56 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 63e97171c..35f4afbc4 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 991a787d2..7dc10fd46 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,23 +11,28 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability sys_admin, capability sys_resource, - mount options=(rw, rslave) -> /, - mount options=(rw, nodev) -> /mnt/*/, - mount -> /tmp/dissect-@{rand6}/, + mount -> /tmp/dissect-@{rand6}/, + mount fstype=tmpfs options=(rw nodev) rootfs -> @{run}/systemd/dissect-root/, + mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/{,**/}, + mount options=(rw nodev) -> /mnt/*/, + mount options=(rw rshared rslave) -> /, - signal (send) set=(cont) peer=child-pager, + umount @{run}/systemd/dissect-root/, + + signal send set=cont peer=child-pager, + + ptrace read peer=unconfined, @{exec_path} mr, @{bin}/fsck rPx, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, # Location of file system OS images @{user_build_dirs}/{,**} r, @@ -37,14 +42,19 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dissect-@{rand6}/{,**} rw, + @{run}/systemd/dissect-root/ rw, + @{run}/systemd/dissect-root/** rwlk, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, @{sys}/kernel/uevent_seqnum r, - @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, /dev/btrfs-control rw, /dev/loop-control rwk, - /dev/loop* rwk, + /dev/loop* rwk, + /dev/mapper/control w, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape index c292c1d96..0a38bf0fb 100644 --- a/apparmor.d/groups/systemd/systemd-escape +++ b/apparmor.d/groups/systemd/systemd-escape @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 2d6326d71..a7290dc48 100644 --- a/apparmor.d/groups/systemd/systemd-fsck 
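Review bot: `mount options=(rw rshared rslave) -> /` in the systemd-dissect hunk asks for `rshared` and `rslave` in one conjunctive option set, but mount(2) accepts only one propagation type per call, so a single mount syscall can never carry both flags and the rule likely matches nothing — the removed `mount options=(rw, rslave) -> /` may have been the rule that actually worked. If both propagation changes have been observed in the log they need separate rules, `mount options=(rw rslave) -> /,` and `mount options=(rw rshared) -> /,` (or `options in (...)` if the disjunctive form is what is meant); either way please check against a real run before merging. `ptrace read peer=unconfined` is also added without a comment on which process it inspects. The profile's remaining rules are in the second hunk and outside this one.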
+++ b/apparmor.d/groups/systemd/systemd-fsck @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 9fc59bfe0..33a433a09 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd/systemd-generator-bless-boot index e09b01d5a..32e2aac65 100644 --- a/apparmor.d/groups/systemd/systemd-generator-bless-boot +++ b/apparmor.d/groups/systemd/systemd-generator-bless-boot @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd/systemd-generator-cloud-init index d57de673b..2737a94f4 100644 --- a/apparmor.d/groups/systemd/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd/systemd-generator-cryptsetup index e29178fbd..1979dba1d 100644 --- a/apparmor.d/groups/systemd/systemd-generator-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-generator-cryptsetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd/systemd-generator-debug index 2d83cc0ba..4ce9d2974 100644 --- a/apparmor.d/groups/systemd/systemd-generator-debug +++ b/apparmor.d/groups/systemd/systemd-generator-debug 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index b88d2387f..6b42e55ed 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd/systemd-generator-environment-arch index 6311ad9c4..738144547 100644 --- a/apparmor.d/groups/systemd/systemd-generator-environment-arch +++ b/apparmor.d/groups/systemd/systemd-generator-environment-arch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak index e03b70cca..a4ba2afe1 100644 --- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab index a15100300..55736d142 100644 --- a/apparmor.d/groups/systemd/systemd-generator-fstab +++ b/apparmor.d/groups/systemd/systemd-generator-fstab @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd/systemd-generator-getty index 92b5a4ffa..0eadabec8 100644 --- a/apparmor.d/groups/systemd/systemd-generator-getty 
+++ b/apparmor.d/groups/systemd/systemd-generator-getty @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto index 613380b43..0d6c09c6b 100644 --- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume index dbfee2fcd..7c5e9ec80 100644 --- a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume +++ b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd/systemd-generator-integritysetup index 9eb46a451..72ef28061 100644 --- a/apparmor.d/groups/systemd/systemd-generator-integritysetup +++ b/apparmor.d/groups/systemd/systemd-generator-integritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd/systemd-generator-ostree index c38e3690b..f50544f81 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ostree +++ b/apparmor.d/groups/systemd/systemd-generator-ostree @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd/systemd-generator-run index 272073edc..39c8b0fd6 100644 --- a/apparmor.d/groups/systemd/systemd-generator-run 
+++ b/apparmor.d/groups/systemd/systemd-generator-run @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd/systemd-generator-system-update index f9d09d634..557e4ab6e 100644 --- a/apparmor.d/groups/systemd/systemd-generator-system-update +++ b/apparmor.d/groups/systemd/systemd-generator-system-update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart index 8ca09d56b..c42548ef5 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment index 1abceb364..db128405f 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,8 @@ profile systemd-generator-user-environment @{exec_path} { include include + capability net_admin, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd/systemd-generator-veritysetup index a0084a26b..97776312f 100644 --- a/apparmor.d/groups/systemd/systemd-generator-veritysetup +++ b/apparmor.d/groups/systemd/systemd-generator-veritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
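Review bot: `capability net_admin,` is added to systemd-generator-user-environment (hunk `@@ -12,6 +12,8 @@`) without a comment, and a network-administration capability in an environment generator reads as a mistake unless the cause is stated. For systemd helpers this is presumably a side effect of socket buffer sizing toward the journal rather than any network configuration; if that is the case here, say so at the rule, e.g. `# journal socket buffer sizing, not network configuration — confirm`. The generator's body continues outside the hunk.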
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 2fae7144d..5fe748abd 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index 8dc8a825d..f0fe98a16 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 39fcd9886..04cbbaf5e 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-hostnamed -profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { +profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 4ee18fb34..5664cde02 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-id128 b/apparmor.d/groups/systemd/systemd-id128 index afa516e39..f0944db26 100644 --- a/apparmor.d/groups/systemd/systemd-id128 +++ b/apparmor.d/groups/systemd/systemd-id128 @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 755cfe5ee..2be38e6ba 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,11 +14,13 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, + signal receive set=term peer=packagekitd, + @{exec_path} mr, @{bin}/cat rix, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 29191a95d..4f95bed40 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -49,7 +49,9 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+acpi:* r, @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+ieee80211:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+mdio_bus:* r, @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform:* r, @{run}/udev/data/+scsi:* r, @@ -59,7 +61,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, @{run}/udev/data/b254:@{int} r, # for /dev/zram* - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c149f37ee..48318da8f 100644 
--- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 9a0a2c7d7..53dd0acf8 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -3,7 +3,7 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,7 +27,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, - # mqueue r type=posix /, + mqueue r type=posix /, unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, @@ -96,8 +96,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/[0-9]*{,.ref} rw, - @{run}/systemd/journal/socket rw, + @{run}/systemd/inhibit/@{int}{,.ref} rw, @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 26e5e5980..105f72e46 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index cb0eab79b..3a111f7f3 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 05ec6dc34..8556e51d7 100644 
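Review bot: The `@{run}/systemd/journal/socket rw` rule dropped from systemd-logind in the `@@ -96,8 +96,7 @@` hunk has no visible replacement, and the same removal recurs in the systemd-oomd, systemd-resolved and systemd-timesyncd hunks below, where the removed rule was `owner ... w`. Presumably the access is now supplied by an included abstraction; if that is the `w`-only journal socket rule from the base abstraction, logind's old `r` bit is lost and any read would surface as a denial in the audit log, so confirm against `aa-log` after the change. Uncommenting `mqueue r type=posix /` here (and in the package-system-locked hunk) relies on the abi bump made in the same commit; a one-line comment such as `# mqueue mediation needs abi 4.0` next to the rule would tell the next maintainer why it was commented out before.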
--- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 4ecbd0acb..abb437f83 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount index 4db3dcacf..b78de3312 100644 --- a/apparmor.d/groups/systemd/systemd-mount +++ b/apparmor.d/groups/systemd/systemd-mount @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,9 +13,7 @@ profile systemd-mount @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index cce35fae6..e22d89629 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,6 +17,8 @@ profile systemd-network-generator @{exec_path} { owner @{run}/systemd/network/{,**} rw, + @{run}/credentials/systemd-network-generator.service/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 18f1e6ab2..f38564ae1 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd 
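Review bot: `@{pager_path} rPx -> child-pager` replaces the three explicit `less`/`more`/`pager` rules in the systemd-mount `@@ -13,9 +13,7 @@` hunk, and the same consolidation appears in the systemd-udevd and userdbctl hunks further down. The tunable's definition is not part of this diff; the parser rejects a profile that references an undefined variable, so confirm it is declared in the global tunables shipped by the same commit. If its expansion differs from the previous `@{bin}/{less,more,pager}` set, the commit message should say so.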
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -50,9 +50,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, - / r, + @{att}/ r, - owner /var/lib/systemd/network/ r, + owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 8e9ec3438..0d5e40730 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index 7be0e88ed..aafb0d74c 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 9ebe87c49..e5dce916c 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,10 +24,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, - @{run}/systemd/io.system.ManagedOOM rw, - @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, - owner @{run}/systemd/journal/socket w, + @{run}/systemd/io.system.ManagedOOM rw, + @{run}/systemd/io.systemd.ManagedOOM rw, + @{run}/systemd/notify rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, 
diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 7ab73f52e..747527776 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled index a54c5d8db..bee3df8df 100644 --- a/apparmor.d/groups/systemd/systemd-portabled +++ b/apparmor.d/groups/systemd/systemd-portabled @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index e9753150c..be33d39cd 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 44ab5cfaf..8c63a1d5a 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve index cfb0732dc..f716aa3af 100644 --- a/apparmor.d/groups/systemd/systemd-resolve +++ b/apparmor.d/groups/systemd/systemd-resolve @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 7b2e7ffa9..4f9f965f5 100644 --- a/apparmor.d/groups/systemd/systemd-resolved 
+++ b/apparmor.d/groups/systemd/systemd-resolved @@ -1,8 +1,8 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -41,17 +41,16 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, - @{run}/systemd/netif/links/* r, - @{run}/systemd/notify rw, - @{run}/systemd/resolve/{,**} rw, - owner @{run}/systemd/journal/socket w, + @{run}/systemd/netif/links/* r, + @{run}/systemd/notify rw, + @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 1ff164b86..ff9e2d540 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 02abda424..e9887c0cb 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a17c13631..34916ecc6 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,7 +31,6 @@ profile systemd-sleep @{exec_path} { @{sys}/power/state rw, - include if exists } 
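Review bot: The header hunk of systemd-resolved changes the SPDX identifier from `GPL-3.0-only` to `GPL-2.0-only` alongside the rule cleanup; a license change is a substantive edit that is easy to miss among the `abi` bumps and should be called out explicitly in the commit message. If the old identifier was simply a mistake (every neighbouring profile in this diff carries `GPL-2.0-only`), stating that is enough.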
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub similarity index 93% rename from apparmor.d/groups/systemd/systemd-sleep-grub2 rename to apparmor.d/groups/systemd/systemd-sleep-grub index e7ae09355..b2b42bf44 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub2 +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,6 @@ profile systemd-sleep-grub @{exec_path} { /etc/sysconfig/bootloader r, - @{PROC}/@{pid}/maps r, - /dev/tty rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 9a282e7f8..71008c96d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ff89f5a7..4ebb4851f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index d854cd7f7..94e2e8daf 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 03fb69356..60a28d4af 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 9d1758e25..4f2cce637 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-socket-proxyd b/apparmor.d/groups/systemd/systemd-socket-proxyd index 0a9c75aa3..7290e6d0c 100644 --- a/apparmor.d/groups/systemd/systemd-socket-proxyd +++ b/apparmor.d/groups/systemd/systemd-socket-proxyd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index bb0f082b9..094366391 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index f209745fc..454105011 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 18ef93df0..d6b1cb266 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 4d9ae9ce1..e2b6caaa7 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 51fd6358e..de544c9d7 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -38,7 +38,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, - owner @{run}/systemd/journal/socket w, owner @{run}/systemd/timesync/synchronized rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 595ccf7da..f591ef9f7 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index f1da3f8a6..6083fc233 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 8b1351997..dae5ae67e 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,6 +37,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{sh_path} rix, @{coreutils_path} rix, + @{pager_path} rPx -> child-pager, @{bin}/*-print-pci-ids rix, @{bin}/alsactl rPUx, @{bin}/ddcutil rPx, @@ -44,16 +45,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, - @{bin}/less rPx -> child-pager, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lvm rPx, @{bin}/mknod rix, - @{bin}/more rPx -> child-pager, @{bin}/multipath rPx, @{bin}/nfsrahead rix, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/pager rPx -> child-pager, @{bin}/perl rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, @@ -89,15 +87,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /etc/systemd/network/ r, /etc/systemd/network/@{int2}-*.link r, - @{run}/udev/ rw, - @{run}/udev/** rwk, - @{run}/credentials/systemd-udev-load-credentials.service/ r, + @{run}/modprobe.d/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, @{run}/systemd/seats/seat@{int} r, + @{run}/udev/ rw, + @{run}/udev/** rwk, + @{sys}/** rw, @{PROC}/@{pid}/mountinfo r, @@ -124,8 +123,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { # / r, - @{PROC}/sys/kernel/cap_last_cap r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index 046bc3e65..c17be7ab2 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 60227f08a..8703709c4 100644 
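Review bot: `@{sys}/** rw` added in the systemd-udevd `@@ -89,15 +87,16 @@` hunk grants write access to the whole sysfs tree, well beyond the device attribute and uevent files udev rules touch, and it subsumes every more specific `@{sys}/...` rule in the profile. The profile is still `flags=(attach_disconnected,complain)`, so nothing is denied today, but once it moves to enforce this line is a blanket allow for sysfs; at minimum it deserves a why-comment, e.g. `# TODO: narrow to the sysfs subtrees udev rules actually write`. The dropped `@{run}/credentials/systemd-udev-load-credentials.service/ r` is presumably moved to a dedicated profile — confirm, since udevd's profile body continues outside this hunk.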
--- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index cd70cc8bd..84dfb27ee 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 25e5befef..6f16b2f19 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index f591faf3d..a38e455f3 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index c7e4b6292..29641fd74 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 000bd6957..5f28050c1 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 159d1442a..0e3a99ba8 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,14 +16,12 @@ profile userdbctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/shadow r, /etc/gshadow r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 2e8c20737..f6406811d 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/systemd/zramctl index 0d1632924..9dbf23243 100644 --- a/apparmor.d/groups/systemd/zramctl +++ b/apparmor.d/groups/systemd/zramctl @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,13 @@ profile zramctl @{exec_path} { @{exec_path} mr, @{sys}/devices/virtual/block/zram@{int}/ r, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, + @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, /dev/ r, /dev/zram@{int} rw, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index bc03772b6..ed39c7583 100644 --- a/apparmor.d/groups/ubuntu/apport 
+++ b/apparmor.d/groups/ubuntu/apport @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index dec9a5d7d..665b3eaca 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0fd5fb7d9..25d136722 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/md5sum rix, - @{bin}/pkexec rPx, # TODO: rCx or something + @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @@ -79,12 +79,12 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, - @{run}/snapd.socket rw, + @{run}/snapd.socket rw, - /tmp/[a-z0-9]* rw, - /tmp/apport_core_* rw, - /tmp/launchpadlib.cache.[a-z0-9]*/ rw, - /tmp/tmp[a-z0-9]*/{,**} rw, + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apport_core_@{rand8} rw, + owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, + owner @{tmp}/tmp@{rand8}/{,**} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @@ -124,6 +124,13 @@ profile apport-gtk @{exec_path} { include if exists } + profile pkexec { + include + include + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index c200de4d5..a04fc771d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook 
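Review bot: The new `profile pkexec { ... }` child profile in the apport-gtk `@@ -124,6 +124,13 @@` hunk holds only include lines (their names are not rendered here) and no explicit rules, while the `@{bin}/pkexec rCx -> pkexec` switch in the `@@ -48,7 +48,7 @@` hunk means pkexec now runs under this child profile instead of the system-wide pkexec profile. Because pkexec is a setuid privilege-escalation helper, the included abstractions must carry everything it needs, including any onward transition; that is worth a comment above the child profile, e.g. `# pkexec is confined by this child profile rather than the standalone pkexec profile`. The old `# TODO: rCx or something` is resolved, so the rationale now belongs in a comment or the commit message.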
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 54c116677..60569edd2 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,8 +21,6 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/{,**} r, /var/lib/ubuntu-advantage/apt-esm/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{run}/cloud-init/cloud-id-nocloud r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index a6db303e5..b2fe83f6b 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c66587969..c5c31edd3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, @{bin}/fanctl rix, @{bin}/flock rix, @{bin}/grep rix, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 4ee62b2e0..86c211f24 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 0752e6358..3b4280e33 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 93059dc34..0023b48cb 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 14f21729f..4d5ecb46a 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,17 +14,10 @@ profile livepatch-notification @{exec_path} { include include include - include - include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/X11/{,**} r, - - @{run}/user/@{uid}/gdm/Xauthority r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 0c7d008e8..ee9e22e21 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/notify-updates-outdated b/apparmor.d/groups/ubuntu/notify-updates-outdated index 39ce41c73..a42b3ba1c 100644 --- a/apparmor.d/groups/ubuntu/notify-updates-outdated 
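Review bot: The livepatch-notification `@@ -14,17 +14,10 @@` hunk replaces two includes with one and drops the explicit `/usr/share/glib-2.0/...`, `/usr/share/icons/{,**}`, `/usr/share/X11/{,**}` and `@{run}/user/@{uid}/gdm/Xauthority r` rules with no visible replacement; the include names are stripped in this rendering, so presumably a new GUI abstraction now covers them. The same pattern appears in the ubuntu-advantage-notification hunk further down. Naming that abstraction in the commit message would make the change reviewable, since otherwise the removal reads as a permission regression for a notification tool that needs GTK schemas, icons and an X authority file.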
+++ b/apparmor.d/groups/ubuntu/notify-updates-outdated @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index bba0add83..0e6641977 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 6876687e2..7398fc404 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - # mqueue r type=posix /, + mqueue r type=posix /, ptrace (read), diff --git a/apparmor.d/groups/ubuntu/pro b/apparmor.d/groups/ubuntu/pro deleted file mode 100644 index c00b07587..000000000 --- a/apparmor.d/groups/ubuntu/pro +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pro -profile pro @{exec_path} { - include - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 3130f196e..08a54df0a 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 2def932dc..93fd9ffcc 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} { /usr/share/distro-info/*.csv r, /usr/share/xml/iso-codes/{,**} r, - owner @{tmp}/???????? rw, # unconventional '_' tail - owner @{tmp}/tmp????????/ w, # change to 'c' - owner @{tmp}/tmp????????/apt.conf w, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8}/ w, # change to 'c' + owner @{tmp}/tmp@{word8}/apt.conf w, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 9db3ec332..4715f570c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,35 +20,15 @@ profile software-properties-gtk @{exec_path} { include include - dbus bind bus=session name=com.ubuntu.SoftwareProperties, - dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties - interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}} - peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk), - dbus send bus=system path=/ - interface=com.ubuntu.SoftwareProperties - peer=(name=:*, label=software-properties-dbus), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), - - dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), + #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon @{exec_path} mr, @{bin}/ r, + @{sh_path} rix, @{bin}/python3.@{int} r, - @{bin}/{,da,ba}sh rix, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, @@ -73,9 +53,9 @@ profile software-properties-gtk @{exec_path} { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/ubuntu-advantage/status.json r, - owner @{tmp}/???????? rw, - owner @{tmp}/tmp????????/ rw, # change to 'c' - owner @{tmp}/tmp????????/apt.conf rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8}/ rw, + owner @{tmp}/tmp@{word8}/apt.conf rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 08886b640..58323b8ff 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf 
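Review bot: The `#aa:dbus` directives in the software-properties-gtk `@@ -20,35 +20,15 @@` hunk look inconsistent with their counterpart in the ubuntu-advantage-desktop-daemon hunk: here the `own` directive is `bus=session name=com.ubuntu.SoftwareProperties`, while the daemon's `talk` directive addresses the same name on `bus=system`, and the removed hand-written rules used `bus=system` for both directions. The removed rules also allowed `Introspect` to any `peer=(name=:*)` without a label; if the `talk` expansion scopes that to `label=ubuntu-advantage-desktop-daemon` this is a welcome tightening, but it should be checked against the generated profile rather than the directive text. A line in the commit message recording the intended bus would settle which side is right.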
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,7 @@ profile subiquity-console-conf @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, @{bin}/ip rix, @@ -109,6 +109,7 @@ profile subiquity-console-conf @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index bb5f81b82..abbde2455 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -87,6 +87,7 @@ profile ubuntu-advantage @{exec_path} { /dev/kmsg w, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index 2e35697c0..5265a2df3 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,17 +14,8 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) capability sys_nice, - dbus bind bus=system name=com.canonical.UbuntuAdvantage, - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=software-properties-gtk), - - dbus receive bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=software-properties-gtk), + #aa:dbus own bus=system name=com.canonical.UbuntuAdvantage + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk @{exec_path} mr, 
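Review bot: In the ubuntu-advantage-desktop-daemon hunk, `#aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk` keys the generated rules on a well-known name, but the removed rules matched unique names (`peer=(name=:*, …)`) on `path=/` and `/com/canonical/UbuntuAdvantage/Manager`, and the companion hunk registers `com.ubuntu.SoftwareProperties` on the session bus, not the system bus. If the generator emits `peer=(name=com.ubuntu.SoftwareProperties, …)` for system-bus traffic, the `GetManagedObjects` and `Introspect` calls may be denied again; verify against the generated output. The old rules were receive-only, and `talk` presumably adds sends to that peer as well, so note the widening if it is intended, e.g. `# talk: the daemon also signals/replies to software-properties-gtk`.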
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 2f539bac8..bf3d4c6c0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,10 @@ profile ubuntu-advantage-notification @{exec_path} { include include include - include - include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/X11/xkb/{,**} r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/ubuntu-distro-info b/apparmor.d/groups/ubuntu/ubuntu-distro-info index a444aada3..6806a4e27 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-distro-info +++ b/apparmor.d/groups/ubuntu/ubuntu-distro-info @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 5edc9ebd2..19273f449 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,8 +23,6 @@ profile ubuntu-report @{exec_path} { owner @{user_cache_dirs}/ubuntu-report/{,*} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 0ee70c39b..119ac517c 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -2,14 +2,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -19,6 +18,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -70,7 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - @{run}/systemd/inhibit/*.ref w, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index b0e62994f..86ac61f41 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -45,6 +45,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index bf1acfb1b..b0101504c 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 999502dbc..36fae9ce3 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -25,24 +25,7 @@ profile update-notifier @{exec_path} { unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - - dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu} - interface=org.freedesktop.DBus.Properties - member=={Get,GetAll} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu - interface=com.canonical.dbusmenu - member={AboutToShow,GetGroupProperties,GetLayout} - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/ayatana/NotificationItem/* - interface=org.kde.StatusNotifierItem - peer=(name=org.freedesktop.DBus, label=gnome-shell), + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell @{exec_path} mr, @@ -53,7 +36,7 @@ profile update-notifier @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked + @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/systemctl rCx -> systemctl, @@ -85,6 +68,20 @@ profile update-notifier @{exec_path} { @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=update-notifier, + + @{lib}/update-notifier/package-system-locked Px, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 21914faf8..a27f41fc0 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth 
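Review bot: `#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell` treats `org.ayatana.NotificationItem` as a bus name, but in the removed rules it only ever appears as an object-path prefix (`path=/org/ayatana/NotificationItem/...`) and the peers were `name=:*` and `name=org.freedesktop.DBus`, i.e. update-notifier exports these objects on its own unique connection rather than claiming that name. If the generator turns `name=` into `peer=(name=org.ayatana.NotificationItem)`, none of gnome-shell's `Get/GetAll`, `com.canonical.dbusmenu` or `org.kde.StatusNotifierItem` traffic will match and the indicator silently stops working in enforce mode. Check the generated profile, or keep the explicit `path=`-keyed rules with a comment `# StatusNotifierItem objects live on our unique name; no well-known name is bound`.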
@@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,8 +18,6 @@ profile cni-bandwidth @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge index 37de32ae0..1e27d04a3 100644 --- a/apparmor.d/groups/virt/cni-bridge +++ b/apparmor.d/groups/virt/cni-bridge @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-bridge @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 7c39a7ad2..878a09119 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -41,8 +41,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall index 866b9dc96..d5171e8dc 100644 --- a/apparmor.d/groups/virt/cni-firewall +++ b/apparmor.d/groups/virt/cni-firewall @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-firewall @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel index 05929a64c..6bdccec8c 100644 --- a/apparmor.d/groups/virt/cni-flannel +++ b/apparmor.d/groups/virt/cni-flannel 
@@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local index bf555cfd8..5f645ce3f 100644 --- a/apparmor.d/groups/virt/cni-host-local +++ b/apparmor.d/groups/virt/cni-host-local @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index d05a303de..30e2800ce 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,8 +22,6 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) { @{run}/netns/ r, @{run}/netns/cni-@{uuid} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index db29f252c..bd0206c4c 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,6 @@ profile cni-portmap @{exec_path} { @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning index ee7133b31..c6cc1f1dc 100644 
--- a/apparmor.d/groups/virt/cni-tuning +++ b/apparmor.d/groups/virt/cni-tuning @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-tuning @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft deleted file mode 100644 index d19f875bf..000000000 --- a/apparmor.d/groups/virt/cni-xtables-nft +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xtables-nft-multi -profile cni-xtables-nft { - include - include - include - - capability net_admin, - capability net_raw, - - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - @{bin}/xtables-legacy-multi mr, - - /etc/libnl/classid r, - /etc/iptables/{,**} rw, - /etc/nftables.conf rw, - - @{PROC}/@{pids}/net/ip_tables_names r, -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass index daa5cf009..b46a415ac 100644 --- a/apparmor.d/groups/virt/cockpit-askpass +++ b/apparmor.d/groups/virt/cockpit-askpass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index c4337d77a..7487c8e70 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge 
@@ -2,14 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include - include include include include @@ -23,24 +22,50 @@ profile cockpit-bridge @{exec_path} { network inet stream, network inet6 dgram, network inet6 stream, + network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=term peer=cockpit-pcp, - signal (send) set=term peer=dbus-daemon, - signal (send) set=term peer=journalctl, - signal (send) set=term peer=ssh-agent, - signal (send) set=term peer=sudo, - signal (send) set=term peer=unconfined, + signal send set=term peer=cockpit-bridge//sudo, + signal send set=term peer=cockpit-pcp, + signal send set=term peer=dbus-daemon, + signal send set=term peer=journalctl, + signal send set=term peer=ssh-agent, + signal send set=term peer=unconfined, @{exec_path} mr, - @{bin}/journalctl rPx, - @{lib}/cockpit/cockpit-pcp rPx, - @{lib}/cockpit/cockpit-ssh rPx, + @{bin}/cat ix, + @{bin}/date ix, + @{bin}/find ix, + @{bin}/ip ix, + @{bin}/python3.@{int} ix, + @{bin}/test ix, + @{bin}/file ix, + + @{bin}/chage Px, + @{bin}/dmidecode Px, + @{bin}/findmnt Px, + @{bin}/journalctl Px, + @{bin}/last Px, + @{bin}/lastlog Px, + @{bin}/lscpu Px, + @{bin}/passwd Px, + @{bin}/ssh-agent Px, + @{bin}/sudo Cx -> sudo, + @{bin}/udevadm Cx -> udevadm, + @{bin}/virsh rPUx, + @{bin}/virt-install PUx, # TODO: rPx + @{lib}/cockpit/cockpit-pcp Px, + @{lib}/cockpit/cockpit-ssh Px, + + # The shell is not confined on purpose. + @{bin}/@{shells} Ux, - /usr/share/cockpit/{,**} r, /usr/{,local/}share/ r, + /usr/share/cockpit/{,**} r, + /usr/share/file/** r, + /usr/share/iproute2/* r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, @@ -51,6 +76,9 @@ profile cockpit-bridge @{exec_path} { /etc/shadow r, /etc/shells r, + / r, + @{HOME}/ r, + owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, owner @{user_share_dirs}/ r, 
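Review bot: `@{bin}/python3.@{int} ix` runs the interpreter with the full bridge profile, which in this same hunk carries an unscoped `ptrace read,` and, further down, `/etc/shadow r,`; whatever Python the bridge spawns (presumably cockpit's own helper scripts, though I cannot see how it is invoked) inherits all of that. A child profile would keep it honest, e.g. `@{bin}/python3.@{int} Cx -> python,` with a `profile python` stanza holding only what those helpers need; at minimum a comment naming what is executed, like `# python: cockpit helper scripts`, would help. The `@{bin}/@{shells} Ux` line already documents its intent, which is the model to follow here; `virt-install PUx` and `virsh rPUx` fall back to unconfined when their profiles are absent, as the TODO acknowledges.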
@@ -58,12 +86,14 @@ profile cockpit-bridge @{exec_path} { @{run}/utmp r, @{sys}/class/hwmon/ r, + @{sys}/class/net/ r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/fs/cgroup/ r, @{sys}/fs/cgroup/**/ r, @{sys}/fs/cgroup/**/cpu.{stat,weight} r, @{sys}/fs/cgroup/**/memory* r, + @{sys}/kernel/kexec_crash_size r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @@ -80,6 +110,25 @@ profile cockpit-bridge @{exec_path} { /dev/ptmx rw, + profile sudo { + include + include + + signal (send receive) set=term peer=cockpit-bridge, + + @{bin}/cockpit-bridge Px, + @{lib}/cockpit/cockpit-askpass Px, + + include if exists + } + + profile udevadm { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure index 0ef40f4ba..7429b0021 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-ensure +++ b/apparmor.d/groups/virt/cockpit-certificate-ensure @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 042c9cdad..ac9dd5f6f 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,15 +13,15 @@ profile cockpit-certificate-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/openssl rix, - @{bin}/rm rix, - @{bin}/sscg rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/id rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/openssl rix, + @{bin}/rm rix, + @{bin}/sscg rix, + @{bin}/tr rix, /etc/machine-id r, /etc/cockpit/ws-certs.d/* w, 
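Review bot: The `sudo` child profile allows `@{bin}/cockpit-bridge Px`, which re-enters the same `cockpit-bridge` profile as root, and that profile grants `@{bin}/@{shells} Ux`, so this is a sanctioned route to an unconfined root shell for the console's superuser mode; it deserves a comment at the transition, e.g. `# privileged bridge: same profile, now root, including the unconfined terminal`. Nothing else is reachable from the subprofile, which is appropriately tight, but `cockpit-askpass Px` requires that profile to be loaded. The `udevadm` subprofile carries only abstractions, so confirm the invocations the bridge makes actually succeed under it rather than being denied the `@{sys}` reads the parent lists.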
diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index d8e7f81de..c2a7455ce 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp index c1afe3fbf..8008fe360 100644 --- a/apparmor.d/groups/virt/cockpit-pcp +++ b/apparmor.d/groups/virt/cockpit-pcp @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 74ddd9e70..67ecd800e 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, + @{run}/cockpit/active.motd r, + @{run}/cockpit/inactive.motd r, @{run}/faillock/@{user} rwk, + @{run}/motd.d/{,*} r, @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, - @{run}/motd.d/{,*} r, - @{run}/cockpit/active.motd r, /var/log/btmp rw, /var/log/lastlog rw, diff --git a/apparmor.d/groups/virt/cockpit-ssh b/apparmor.d/groups/virt/cockpit-ssh index 2903d9eb9..e81eb492f 100644 --- a/apparmor.d/groups/virt/cockpit-ssh +++ b/apparmor.d/groups/virt/cockpit-ssh @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index f83ac2c7b..0037b132c 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index eaf340c6b..c1a39a895 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,8 +30,6 @@ profile cockpit-update-motd @{exec_path} { capability net_admin, capability sys_ptrace, - @{PROC}/sys/kernel/cap_last_cap r, - include if exists } diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 589765f35..c78f63a63 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index 61e7e8fa1..b14a1e36f 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f85a3571c..627515640 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -47,7 +47,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/apparmor_parser rPx, - @{bin}/containerd-shim-runc-v2 rPUx, + @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, 
@@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, - /var/lib/containerd/{,**} rwk, - /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l, + /var/lib/containerd/{,**} rwlk, /var/lib/docker/containerd/{,**} rwk, /var/lib/kubelet/seccomp/{,**} r, /var/lib/security-profiles-operator/{,**} r, @@ -92,7 +91,6 @@ profile containerd @{exec_path} flags=(attach_disconnected) { owner /var/tmp/** rwkl, @{sys}/fs/cgroup/kubepods/** r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index c705c0cc8..bff45ca39 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -49,7 +49,6 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index d549168ee..2861514aa 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,8 +20,6 @@ profile docker-proxy @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, include if exists 
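Review bot: `/var/lib/containerd/{,**} rwlk` folds the link permission that was previously scoped to `tmpmounts/containerd-mount@{int}/**` into the whole tree, so containerd may now create hard links anywhere under `/var/lib/containerd`; with `rw` already granted it is a modest widening, but the old rule recorded where links actually occur. Keep the scoped form unless a denial outside `tmpmounts` was observed, or at least note it: `# l: hard links created while unpacking layers under tmpmounts/`.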
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index f552c5289..2ea35f7b9 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -27,30 +27,42 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, network inet dgram, - network inet6 dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - mount /var/lib/docker/overlay2/**/, - mount options=(rw, bind) -> /run/docker/netns/*, - mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw, rprivate) -> /.pivot_root@{int}/, - mount options=(rw, rslave) -> /, + mount /tmp/containerd-mount@{int}/, + mount /var/lib/docker/buildkit/**/, + mount /var/lib/docker/overlay2/**/, + mount /var/lib/docker/tmp/buildkit-mount@{int}/, + mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, + mount options=(rw bind) -> /run/docker/netns/*, + mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, + mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, + mount options=(rw rprivate) -> /.pivot_root@{int}/, + mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, + mount options=(rw rslave) -> /, + + remount /tmp/containerd-mount@{int10}/, + remount /var/lib/docker/**/, umount /.pivot_root@{int}/, umount /run/docker/netns/*, - umount /var/lib/docker/overlay*/**/, + umount /tmp/containerd-mount@{int}/, + umount /var/lib/docker/**/, - pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, - pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, + pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, + pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/, + pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, - ptrace (read) peer=docker-*, - ptrace (read) peer=unconfined, + ptrace read peer=docker-*, + ptrace read peer=runc, + ptrace read 
peer=unconfined, - signal (send) set=int peer=docker-proxy, - signal (send) set=kill peer=docker-*, - signal (send) set=term peer=containerd, + signal send set=int peer=docker-proxy, + signal send set=kill peer=docker-*, + signal send set=term peer=containerd, @{exec_path} mrix, @@ -68,14 +80,23 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { # TODO: should be in a sub profile started with pivot_root, not supported yet. /{,**} rwl, + /etc/docker/{,**} r, + + @{att}/ r, + + owner @{att}/@{lib}/containerd/** rw, owner @{lib}/docker/overlay2/*/work/{,**} rw, + owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + owner @{run}/docker/ rw, + owner @{run}/docker/** rwlk, + owner @{run}/docker.pid rw, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, 
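Review bot: `remount /tmp/containerd-mount@{int10}/` uses `@{int10}` while the matching `mount` and `umount` rules for the same path use `@{int}`; if `@{int10}` is a fixed-width pattern the remount will only match a subset of what the other two allow, and if it is an alias the rule is merely inconsistent, so use `@{int}` in all three or comment the narrower width. The `mount options=(rw rbind) /var/lib/docker/volumes/**/- -> …` source also ends in `/-`, which looks like a transcription slip for `/` or `/**`; confirm it against the denial it was written from.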
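Review bot: `/etc/docker/{,**} r,`, `owner @{run}/docker/ rw,` and the other new path rules in this hunk are shadowed by the catch-all `/{,**} rwl,` left in place just above them, so they change nothing in enforce mode and read as if they narrow access when they do not. Either hold them back until the catch-all goes away (the TODO says a pivot_root sub-profile is the plan) or mark them, e.g. `# specific rules kept for when /{,**} is removed`.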
@@ -87,16 +108,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/threads-max r, @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r, @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw, + @{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw, @{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/net/ip_tables_names r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ r, + /dev/**/ r, include if exists } diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 5905d4895..96e50ba35 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -130,7 +130,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, @{PROC}/sys/net/netfilter/* rw, - @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, @@ -163,7 +162,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, @{sys}/kernel/security/apparmor/profiles r, 
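Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw` replaces `all` with `*`, which lets dockerd toggle IPv4/IPv6 on every interface including `lo` and the host uplink; the next line already scopes the same directory to `docker@{int}`, so the bridges dockerd creates can be named the same way, e.g. `@{PROC}/sys/net/ipv{4,6}/conf/{all,default,docker@{int}}/disable_ipv{4,6} rw,` plus whatever user-network bridge pattern the denial came from (not visible here). The `@{pids}` to `@{pid}` change under `owner` is a good tightening, and `/dev/**/ r` is directory-only, which is fine.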
diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause index 8172d00fc..c762515a4 100644 --- a/apparmor.d/groups/virt/kubernetes-pause +++ b/apparmor.d/groups/virt/kubernetes-pause @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 75c7d853b..44d24f1ae 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 376749d9e..db6d5d377 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -10,7 +10,7 @@ # Warning: Such a profile is limited as it gives access to a lot of resources. -abi , +abi , include @@ -68,6 +68,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, + ptrace (read,trace) peer=gnome-boxes, ptrace (read,trace) peer=libvirt-@{uuid}, ptrace (read,trace) peer=libvirt-dbus, ptrace (read,trace) peer=unconfined, @@ -93,15 +94,14 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{lib}/libvirt/libvirt_iohelper rix, @{lib}/libvirt/libvirt_parthelper rix, + @{lib}/{,qemu/}qemu-bridge-helper rPx, + @{lib}/{,qemu/}vhost-user-gpu rPUx, + @{lib}/{,qemu/}virtiofsd rux, # TODO: WIP @{lib}/udev/scsi_id rPUx, @{lib}/xen-*/bin/libxl-save-helper rPUx, @{lib}/xen-*/bin/pygrub rPUx, @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, - /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP - - /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, @{bin}/dmidecode rPx, @{bin}/dnsmasq rPx, 
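Review bot: In the libvirtd hunk, `@{lib}/{,qemu/}virtiofsd rux` keeps virtiofsd unconfined and unscrubbed (lowercase `u`) even though a `virtiofsd` profile ships in this same series, so that profile is bypassed for the libvirt-launched instance, which is the common one. If the profile is still WIP as the TODO says, `rPUx` at least attaches it when present and `rUx` scrubs the environment in the fallback; either way record the reason inline, e.g. `# virtiofsd: rux until the profile covers the libvirt-spawned mode`. `vhost-user-gpu rPUx` is in the same situation and I see no profile for it in this series.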
@@ -131,6 +131,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/edk2*/{,**} rk, /usr/share/hwdata/* r, + /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r,
@@ -152,11 +153,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/ rw, @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @{run}/lock/LCK.._pts_@{int} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/notify w, @{run}/utmp rk,
@@ -289,6 +291,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/status r, /dev/net/tun rw, + + include if exists } include if exists
diff --git a/apparmor.d/groups/virt/qemu-bridge-helper b/apparmor.d/groups/virt/qemu-bridge-helper
new file mode 100644
index 000000000..e462eeca1
--- /dev/null
+++ b/apparmor.d/groups/virt/qemu-bridge-helper
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{,qemu/}qemu-bridge-helper
+profile qemu-bridge-helper @{exec_path} {
+ include
+
+ capability net_admin,
+ capability setpcap,
+
+ network inet stream,
+
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+
+ signal receive set=term peer=libvirtd,
+
+ @{exec_path} mr,
+
+ /etc/qemu/bridge.conf r,
+
+ @{sys}/devices/system/node/ r,
+
+ owner @{PROC}/@{pids}/status r,
+
+ /dev/net/tun rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper
index abbef1f88..74a93737b 100644
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include
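Review bot: `owner @{PROC}/@{pids}/status r` in the new qemu-bridge-helper profile uses the `@{pids}` form that the dockerd hunk of this same commit replaces with `owner @{PROC}/@{pid}/…`; if the helper only inspects its own status, `owner @{PROC}/@{pid}/status r,` is the tighter and consistent spelling. A comment above `capability setpcap` stating why the helper needs it (on many distributions it is installed setuid root or with file capabilities and locks down its capability set after acquiring the tap fd — confirm) would make that grant auditable. The `unix … peer=(label=libvirtd)` and `signal receive … peer=libvirtd` rules pin libvirtd as the only expected caller, which is the right shape for a helper split out of a child profile.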
diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced index 96d135912..4737dd806 100644 --- a/apparmor.d/groups/virt/virtinterfaced +++ b/apparmor.d/groups/virt/virtinterfaced @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) { @{lib}/gconv/gconv-modules rm, @{lib}/gconv/gconv-modules.d/{,*} r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/interface/ rw, owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 50efd188b..905e2c170 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile virtiofsd @{exec_path} { include - # userns, + userns, capability chown, capability dac_override, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index 44c5e20ef..ea9336cef 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 1a3ecb06b..44bf06ba0 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
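Review bot: `userns,` is switched on for virtiofsd without a comment on what needs it; creating user namespaces is a sizeable grant (it exposes kernel surface that unprivileged code otherwise cannot reach), so the rule should record its purpose — presumably virtiofsd's namespace sandbox (`--sandbox namespace`), but confirm against a denial log. Suggest `userns, # namespace sandbox of the shared directory (--sandbox namespace)`. The enclosing virtiofsd profile continues past this hunk.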
@@ -24,12 +24,14 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw, owner @{run}/user/@{uid}/common/system.token rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/common/system.token rwk, @{run}/libvirt/virtlogd-sock rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index a2c02368b..42e13ef64 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,12 +20,13 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{bin}/dnsmasq rPx, - /etc/libvirt/libvirt.conf r, + /etc/libvirt/*.conf r, owner /var/lib/libvirt/dnsmasq/*.macs* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/network/default.pid r, - @{run}/systemd/inhibit/*.ref rw, @{run}/utmp rk, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/network/{,**} rwk, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 50b8e4889..0b48d63fd 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
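Review bot: the new `@{run}/libvirt/common/system.token rwk` in virtlogd lacks the `owner` qualifier, while the same token rule added to virtnodedevd in this commit and the existing virtnetworkd rule read `owner @{run}/libvirt/common/system.token rwk`; unless virtlogd must lock a token owned by another uid, write it as `owner @{run}/libvirt/common/system.token rwk,` for consistency and least privilege. The pre-existing context line `owner @{run}/user/@{uid}/common/system.token rw` looks like a mistyped path (missing `libvirt/`) that the added `owner @{run}/user/@{uid}/libvirt/common/system.token rwk` supersedes; if it never matched anything it can be dropped. The enclosing virtlogd profile starts before this hunk.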
@@ -29,11 +29,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/*.ids r, /usr/share/pci.ids r, - /etc/libvirt/libvirt.conf r, - /etc/libvirt/virtnodedevd.conf r, + /etc/libvirt/*.conf r, /etc/mdevctl.d/{,**} r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/nodedev/ rw, owner @{run}/libvirt/nodedev/driver.pid wk, @@ -62,7 +62,9 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c203:@{int} r, # CPU CPUID information @@ -89,6 +91,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/mtrr w, + owner @{PROC}/uptime r, include if exists } diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index cdded1152..9b3e7dda4 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,8 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libvirt/secrets/ rw, owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/secrets/ rw, owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk, 
diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged
index 7c6f7207b..00565fcf5 100644
--- a/apparmor.d/groups/virt/virtstoraged
+++ b/apparmor.d/groups/virt/virtstoraged
@@ -4,7 +4,7 @@ # TODO: Similar with virtqemud. Could be merged? -abi , +abi , include
@@ -25,8 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper - /etc/libvirt/**/ r, - /etc/libvirt/libvirt.conf r, + /etc/libvirt/{,**} r, # For disk images @{MOUNTS}/ r,
@@ -55,7 +54,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/storage/{,**} rwk, owner @{run}/virtstoraged.pid rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp rwk, @{sys}/devices/system/node/ r,
diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables
new file mode 100644
index 000000000..71f75b642
--- /dev/null
+++ b/apparmor.d/groups/virt/xtables
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi
+profile xtables {
+ include
+ include
+ include
+
+ capability net_admin,
+ capability net_raw,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet raw,
+ network inet6 raw,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/iproute2/{,**} r,
+
+ /etc/iproute2/{,**} r,
+ /etc/iptables/{,**} rw,
+ /etc/libnl/classid r,
+ /etc/nftables.conf rw,
+
+ @{run}/xtables.lock rwk,
+
+ @{PROC}/@{pids}/net/ip_tables_names r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
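Review bot: `@{run}/utmp rwk` gives virtstoraged write and lock access to the login-accounting file, while libvirtd and virtnetworkd in this same commit carry only `@{run}/utmp rk` (visible as context in their hunks). A storage daemon has no reason to append or rewrite session records, and write access to utmp would let a compromised daemon forge or erase them, so `@{run}/utmp rk,` is the expected form unless a logged denial showed an actual write. The enclosing virtstoraged profile starts before this hunk.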
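Review bot: the header `profile xtables {` carries no attachment, although `@{exec_path}` is defined two lines above and is used in `@{exec_path} mr`; without `profile xtables @{exec_path} {`, running xtables-nft-multi or xtables-legacy-multi does not enter this profile, and a caller transitioning with plain `Px` then has no matching profile and is denied. Also `/etc/iptables/{,**} rw` and `/etc/nftables.conf rw` grant write access to the persistent firewall configuration, while the xtables binaries themselves only talk to the kernel (`iptables-save` writes to stdout and persistence is done by a wrapper or a shell redirection), so `r` is very likely sufficient; if a write was actually observed, a comment naming the caller would justify keeping `rw`.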
diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index cb263922c..d39517569 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector b/apparmor.d/groups/whonix/msgcollector index 0c3038d1e..05b07ec47 100644 --- a/apparmor.d/groups/whonix/msgcollector +++ b/apparmor.d/groups/whonix/msgcollector @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-br-add b/apparmor.d/groups/whonix/msgcollector-br-add index be5b7dd69..587094df6 100644 --- a/apparmor.d/groups/whonix/msgcollector-br-add +++ b/apparmor.d/groups/whonix/msgcollector-br-add @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-generic-gui-message b/apparmor.d/groups/whonix/msgcollector-generic-gui-message index 8b52e2db7..46b7847ff 100644 --- a/apparmor.d/groups/whonix/msgcollector-generic-gui-message +++ b/apparmor.d/groups/whonix/msgcollector-generic-gui-message @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-striphtml b/apparmor.d/groups/whonix/msgcollector-striphtml index 1e4e3d9ab..8cf1dec71 100644 --- a/apparmor.d/groups/whonix/msgcollector-striphtml +++ b/apparmor.d/groups/whonix/msgcollector-striphtml @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher index 02433106d..fd1a9f034 100644 --- a/apparmor.d/groups/whonix/msgdispatcher +++ b/apparmor.d/groups/whonix/msgdispatcher 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,7 +39,6 @@ profile msgdispatcher @{exec_path} { include include - @{bin}/sudo mr, @{lib}/msgcollector/* rPx, owner @{run}/msgcollector/user/msgdispatcher_x_* r, diff --git a/apparmor.d/groups/whonix/msgdispatcher-autostart b/apparmor.d/groups/whonix/msgdispatcher-autostart index c4dae811e..d292e3850 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-autostart +++ b/apparmor.d/groups/whonix/msgdispatcher-autostart @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher-delete b/apparmor.d/groups/whonix/msgdispatcher-delete index cf69e77c8..2a5839e0c 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-delete +++ b/apparmor.d/groups/whonix/msgdispatcher-delete @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher-dispatch b/apparmor.d/groups/whonix/msgdispatcher-dispatch index f42280e1a..0adfe2797 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-dispatch +++ b/apparmor.d/groups/whonix/msgdispatcher-dispatch @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/open-link-confirmation b/apparmor.d/groups/whonix/open-link-confirmation index e74d2f26a..a6f7ec440 100644 --- a/apparmor.d/groups/whonix/open-link-confirmation +++ b/apparmor.d/groups/whonix/open-link-confirmation @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/pam-abort-on-locked-password b/apparmor.d/groups/whonix/pam-abort-on-locked-password index 79cb70d28..99ac5616d 100644 --- a/apparmor.d/groups/whonix/pam-abort-on-locked-password 
+++ b/apparmor.d/groups/whonix/pam-abort-on-locked-password @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index d54cab832..51053ccee 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/pam_faillock_not_if_x b/apparmor.d/groups/whonix/pam_faillock_not_if_x index c0d05d8a7..1934be8d5 100644 --- a/apparmor.d/groups/whonix/pam_faillock_not_if_x +++ b/apparmor.d/groups/whonix/pam_faillock_not_if_x @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index fdacd13d4..e76570b34 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index 21b457aca..d34f8087c 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-clock-jump b/apparmor.d/groups/whonix/sdwdate-clock-jump index f70da1977..02b0e866b 100644 --- a/apparmor.d/groups/whonix/sdwdate-clock-jump +++ b/apparmor.d/groups/whonix/sdwdate-clock-jump @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui index 642b14b46..23c0a6df4 100644 --- a/apparmor.d/groups/whonix/sdwdate-gui 
+++ b/apparmor.d/groups/whonix/sdwdate-gui @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start index 0b952ce19..113f7504c 100644 --- a/apparmor.d/groups/whonix/sdwdate-start +++ b/apparmor.d/groups/whonix/sdwdate-start @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-wrapper b/apparmor.d/groups/whonix/sdwdate-wrapper index fe8390da9..19713faba 100644 --- a/apparmor.d/groups/whonix/sdwdate-wrapper +++ b/apparmor.d/groups/whonix/sdwdate-wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sensible-browser b/apparmor.d/groups/whonix/sensible-browser index 48e2f0f08..1a6f4e26a 100644 --- a/apparmor.d/groups/whonix/sensible-browser +++ b/apparmor.d/groups/whonix/sensible-browser @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index d46c227fb..4130d9cd9 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile systemcheck-canary @{exec_path} { include @{exec_path} mr, - + @{bin}/sleep rix, @{bin}/grep rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/timesanitycheck b/apparmor.d/groups/whonix/timesanitycheck index 3ca78981a..73f643099 100644 --- a/apparmor.d/groups/whonix/timesanitycheck +++ b/apparmor.d/groups/whonix/timesanitycheck 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/tor-bootstrap-check b/apparmor.d/groups/whonix/tor-bootstrap-check index 0795b0b35..8a5d8f537 100644 --- a/apparmor.d/groups/whonix/tor-bootstrap-check +++ b/apparmor.d/groups/whonix/tor-bootstrap-check @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/tor-consensus-valid-after b/apparmor.d/groups/whonix/tor-consensus-valid-after index d6656afe5..f7d806ef1 100644 --- a/apparmor.d/groups/whonix/tor-consensus-valid-after +++ b/apparmor.d/groups/whonix/tor-consensus-valid-after @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start deleted file mode 100644 index 266f8e349..000000000 --- a/apparmor.d/groups/whonix/torbrowser-start +++ /dev/null 
@@ -1,51 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ - -@{exec_path} = @{lib_dirs}/start-tor-browser -profile torbrowser-start @{exec_path} { - include - include - - @{exec_path} rm, - - @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env r, - @{bin}/expr rix, - @{bin}/file rix, - @{bin}/getconf rix, - @{bin}/grep rix, - @{bin}/id rix, - @{bin}/ln rix, - @{bin}/mkdir rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/sh rix, - @{bin}/srm rix, - @{lib_dirs}/abicheck rix, - - @{lib_dirs}/firefox{,.real} rPx, - - /etc/magic r, - - owner @{lib_dirs}/.config/ibus/{,**} rw, - owner @{lib_dirs}/.local/* rw, - owner @{lib_dirs}/sed@{rand6} rw, - owner @{lib_dirs}/start-tor-browser.desktop rw, - owner @{lib_dirs}/TorBrowser/Tor/tor r, - - owner @{HOME}/.xsession-errors rw, - owner @{HOME}/.tb/tor-browser/* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix index 39ec37ae3..90aaca321 100644 --- a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix +++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index 5ae554b40..ccdfe2ed4 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/basename rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/grep rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/str_replace rix, - @{bin}/sudo rCx -> sudo, - @{bin}/systemctl rCx -> systemctl, - @{bin}/touch rix, - @{bin}/tty rix, - @{bin}/whoami rix, + @{bin}/basename ix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mount ix, + @{bin}/str_replace ix, + @{bin}/sudo Cx -> sudo, + @{bin}/systemctl Cx -> systemctl, + @{bin}/touch ix, + @{bin}/tty ix, + @{bin}/whoami ix, - @{lib_dirs}/start-tor-browser rPx, - @{lib}/msgcollector/msgcollector rPx, - @{lib}/open-link-confirmation/open-link-confirmation rPx, + @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{lib}/msgcollector/msgcollector Px, + @{lib}/open-link-confirmation/open-link-confirmation Px, @{lib}/helper-scripts/* r, diff --git a/apparmor.d/groups/whonix/whonix-firewall-edit b/apparmor.d/groups/whonix/whonix-firewall-edit index aeea9cf05..28c1d01b4 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-edit +++ b/apparmor.d/groups/whonix/whonix-firewall-edit @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter index 87a3713d4..a818e46a6 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-restarter +++ b/apparmor.d/groups/whonix/whonix-firewall-restarter @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 53b1dba81..01e1cb418 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld 
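Review bot: `@{lib_dirs}/start-tor-browser Px, # torbrowser-start` names a profile that this same commit deletes (`apparmor.d/groups/whonix/torbrowser-start`, earlier in the diff); with `Px` and no profile attached to that path the exec is denied, unless torbrowser-start is re-added elsewhere in the commit outside this view. Either keep the profile or choose the transition deliberately — `PUx` would fall back to unconfined, which is a real loss of confinement for the browser launcher and should not happen by accident — and drop or fix the stale comment. Separately, dropping the `r` from `rix`/`rCx`/`rPx` here while the virt hunks of the same commit add new `rPx`/`rPUx` rules is inconsistent; pick one form. The enclosing torbrowser-wrapper profile starts before this hunk and continues past it.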
@@ -2,12 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/whonix_firewall @{lib}/whonix-firewall/reloadfirewall -profile whonix-firewall @{exec_path} { +profile whonix-firewalld @{exec_path} { include include include @@ -45,7 +45,7 @@ profile whonix-firewall @{exec_path} { owner @{run}/updatesproxycheck/{,**} rw, owner @{run}/whonix_firewall/{,**} rw, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad index 1bcd283fa..d8bc79b95 100644 --- a/apparmor.d/groups/xfce/mousepad +++ b/apparmor.d/groups/xfce/mousepad @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/ristretto b/apparmor.d/groups/xfce/ristretto index d9151ca80..2aae3f0d3 100644 --- a/apparmor.d/groups/xfce/ristretto +++ b/apparmor.d/groups/xfce/ristretto @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 7d8a0165f..84abf8ced 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index c16365f74..d8f04d49c 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index c49f71458..350255834 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index f85e6d4cb..99971abb8 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-about b/apparmor.d/groups/xfce/xfce-about index 701e98773..0dae6e060 100644 --- a/apparmor.d/groups/xfce/xfce-about +++ b/apparmor.d/groups/xfce/xfce-about @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-appfinder b/apparmor.d/groups/xfce/xfce-appfinder index c0753acd8..4b574ce5e 100644 --- a/apparmor.d/groups/xfce/xfce-appfinder +++ b/apparmor.d/groups/xfce/xfce-appfinder @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 499980f17..248d60b7e 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-dict b/apparmor.d/groups/xfce/xfce-dict index 423c09b4e..4b34a3d0b 100644 --- a/apparmor.d/groups/xfce/xfce-dict +++ b/apparmor.d/groups/xfce/xfce-dict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-mime-helper b/apparmor.d/groups/xfce/xfce-mime-helper index 7851cd74e..b1708e58b 100644 --- a/apparmor.d/groups/xfce/xfce-mime-helper +++ b/apparmor.d/groups/xfce/xfce-mime-helper 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index 06d2b1df3..f5c80e07c 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 44c9be032..7b192ffc5 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile xfce-panel @{exec_path} { @{bin}/exo-open rix, @{bin}/xfce4-mime-helper rix, @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rix, @{lib}/gio-launch-desktop rix, @{bin}/sudo rCx -> root, @@ -48,7 +48,7 @@ profile xfce-panel @{exec_path} { @{bin}/lsblk rPx, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index d286280f0..1c2a0263d 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e441b84b8..e486ac6d9 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver 
+++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/xfce4-screensavers.menu r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index c2eb97c30..e7ee1080b 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index b19c11b3b..17007122e 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 88a042dad..342ffd3b4 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 345851278..0ab17ac5c 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index c01a057e7..d19e3de63 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfpm-power-backlight-helper b/apparmor.d/groups/xfce/xfpm-power-backlight-helper index 5f71150e1..236028f2e 100644 --- a/apparmor.d/groups/xfce/xfpm-power-backlight-helper +++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index ec46f5448..3eec3377f 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index 27bb23bfd..d7af2ccb9 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled index d5ebe0c10..fe350b2f6 100644 --- a/apparmor.d/profiles-a-f/aa-enabled +++ b/apparmor.d/profiles-a-f/aa-enabled @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 2028e713f..a5b18eb4e 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce 
@@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain +@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit profile aa-enforce @{exec_path} { include include @@ -25,14 +25,15 @@ profile aa-enforce @{exec_path} { /etc/apparmor.d/{,**} rw, @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw, owner /var/lib/snapd/apparmor/{,**} rw, - /tmp/@{rand8} rw, - /tmp/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, - owner @{PROC}/@{pid}/fd r, + @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 6d1f690f6..39c42d435 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,8 +29,6 @@ profile aa-log @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/kernel/cap_last_cap r, - /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 7c65b9be2..7e901509f 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,24 +18,26 @@ profile aa-notify @{exec_path} {
 capability setuid,
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
 @{bin}/ r,
- /etc/apparmor/*.conf r,
- /etc/inputrc r,
- /usr/etc/inputrc.keys r,
 /usr/share/terminfo/** r,
+ @{etc_ro}/inputrc r,
+ @{etc_ro}/inputrc.keys r,
+ /etc/apparmor.d/{,**} r,
+ /etc/apparmor/*.conf r,
+ /var/log/audit/audit.log r,
 owner @{HOME}/.inputrc r,
 owner @{HOME}/.terminfo/@{int}/dumb r,
 owner @{tmp}/@{rand8} rw,
- owner @{tmp}/apparmor-bugreport-*.txt rw,
+ owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
 @{PROC}/ r,
 @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status
index 5d5840f6f..a48dc693c 100644
--- a/apparmor.d/profiles-a-f/aa-status
+++ b/apparmor.d/profiles-a-f/aa-status
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown
index 263c7b9af..b625ad8c6 100644
--- a/apparmor.d/profiles-a-f/aa-teardown
+++ b/apparmor.d/profiles-a-f/aa-teardown
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/aa-unconfined b/apparmor.d/profiles-a-f/aa-unconfined
new file mode 100644
index 000000000..08c401270
--- /dev/null
+++ b/apparmor.d/profiles-a-f/aa-unconfined
@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/aa-unconfined
+profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability dac_read_search,
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{bin}/ r,
+ @{bin}/netstat Px,
+ @{bin}/ss Px,
+
+ /usr/share/terminfo/** r,
+
+ /etc/apparmor/logprof.conf r,
+ @{etc_ro}/inputrc r,
+
+ owner @{tmp}/@{rand8} rw,
+ owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+ owner /var/tmp/@{rand8} rw,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pids}/attr/apparmor/current r,
+ @{PROC}/@{pids}/attr/current r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook
index f4252aeee..380faac53 100644
--- a/apparmor.d/profiles-a-f/abook
+++ b/apparmor.d/profiles-a-f/abook
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi
index 4f6132c25..2914180e6 100644
--- a/apparmor.d/profiles-a-f/acpi
+++ b/apparmor.d/profiles-a-f/acpi
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn
index 9372f46b4..c25d94526 100644
--- a/apparmor.d/profiles-a-f/acpi-powerbtn
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -11,9 +11,8 @@ profile acpi-powerbtn flags=(attach_disconnected) {
 /etc/acpi/powerbtn-acpi-support.sh r,
- @{bin}/{ba,da,}sh rix,
+ @{sh_path} rix,
 @{bin}/{e,}grep rix,
- @{bin}/dbus-send rix,
 @{bin}/killall5 rix,
 @{bin}/pgrep rix,
 @{bin}/pinky rix,
@@ -21,10 +20,10 @@ profile acpi-powerbtn flags=(attach_disconnected) {
 @{bin}/shutdown rix,
 /etc/acpi/powerbtn.sh rix,
- @{bin}/systemctl rCx -> systemctl,
- @{bin}/ps rPx,
-
- @{bin}/fgconsole rCx -> fgconsole,
+ @{bin}/dbus-send Cx -> bus,
+ @{bin}/fgconsole Cx -> fgconsole,
+ @{bin}/ps Px,
+ @{bin}/systemctl Cx -> systemctl,
 /usr/share/acpi-support/** r,
@@ -44,6 +43,15 @@ profile acpi-powerbtn flags=(attach_disconnected) {
 /dev/tty rw,
 owner /dev/tty@{int} rw,
+
+ include if exists
+ }
+
+ profile bus flags=(complain) {
+ include
+ include
+
+ include if exists
 }
 profile systemctl {
diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index 10600e3d7..7c1a7d4ba 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb
index 52e2621fe..3affe4e7a 100644
--- a/apparmor.d/profiles-a-f/adb
+++ b/apparmor.d/profiles-a-f/adb
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser
index 350f070b0..9103b25b3 100644
--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate
index fe3e7565f..6f2e1d5c7 100644
--- a/apparmor.d/profiles-a-f/adequate
+++ b/apparmor.d/profiles-a-f/adequate
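Review bot: The `bus` child profile added in the `@@ -44,6 +43,15 @@` hunk is declared `flags=(complain)`, so the new `@{bin}/dbus-send Cx -> bus` transition in the `@@ -21,10 +20,10 @@` hunk moves dbus-send from an inherited `rix` execution into a child that logs but does not enforce, and nothing in the hunk records why or what is still missing before it can enforce. A comment above the profile line, e.g. `# TODO: complain mode until the rules are confirmed from logs, then enforce`, keeps that from being forgotten. The include targets are stripped in this rendering, so whether dbus-send's own binary is readable from inside `bus` (an `@{bin}/dbus-send mr,` rule or an abstraction that provides it) cannot be checked here. The enclosing `profile acpi-powerbtn` block starts and ends outside these hunks.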
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -64,6 +64,7 @@ profile adequate @{exec_path} flags=(complain) { @{lib}/@{multiarch}/ld-*.so rix, @{lib}{,x}32/ld-*.so rix, + include if exists } profile frontend flags=(complain) { @@ -98,6 +99,7 @@ profile adequate @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } profile pkg-config flags=(complain) { @@ -105,6 +107,7 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/pkg-config mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 3db817006..9e6db414e 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 80e64558a..7ebb3b629 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,6 +30,7 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/profiles-a-f/alc b/apparmor.d/profiles-a-f/alc new file mode 100644 index 000000000..232f83860 --- /dev/null +++ b/apparmor.d/profiles-a-f/alc @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/alc +profile alc @{exec_path} { + include + include + include + + @{exec_path} mr, + @{user_torrents_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/alcc b/apparmor.d/profiles-a-f/alcc new file mode 100644 index 000000000..c1e7d0602 --- /dev/null +++ b/apparmor.d/profiles-a-f/alcc @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/alcc +profile alcc @{exec_path} { + include + include + + @{exec_path} mr, + @{user_torrents_dirs}/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index bde626660..b2b97a62a 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,9 @@ profile alsactl @{exec_path} { @{run}/lock/card@{int}.lock rwk, owner @{run}/alsa/{,**} rw, + @{sys}/devices/@{pci}/subsystem_device r, + @{sys}/devices/@{pci}/subsystem_vendor r, + include if exists } diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index ea2842a74..85989a7bf 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/amixer profile amixer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule new file mode 100644 index 000000000..b54e62022 --- /dev/null +++ b/apparmor.d/profiles-a-f/amule 
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/amule
+profile amule @{exec_path} {
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+
+ # Previewing files isn't allowed
+ # because aMule opens viewers directly instead of via `xdg-open`.
+ # If aMule uses `xdg-open` in your time,
+ # uncomment the following line to allow previewing files.
+ # @{open_path} rPx -> child-open,
+
+ @{exec_path} mr,
+ @{bin}/uname rPx,
+ @{sh_path} rix,
+ @{system_share_dirs}/amule/{,**} r,
+ owner @{HOME}/.aMule/{,**} rwk,
+ @{user_torrents_dirs}/{,**} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
index 8893f1d70..3e7c9d092 100644
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -39,7 +39,7 @@ profile anacron @{exec_path} {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/file@{rand6} rw,
- include if exists
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index 4953ab293..2ad4791d7 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay
index 0bb417ae2..fb4f2cb85 100644
--- a/apparmor.d/profiles-a-f/aplay
+++ b/apparmor.d/profiles-a-f/aplay
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index a6d517b2a..75394f5de 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index 82acd0d0f..bb4fe0739 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 6b6bad8d8..72ee1e9dc 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, /usr/share/swcatalog/{,**} r, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 6baddcf18..e260321e6 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 03836a9dc..64f25e181 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -29,7 +29,6 @@ profile archivemount @{exec_path} {
 /dev/fuse rw,
-
 profile fusermount {
 include include
@@ -52,6 +51,7 @@ profile archivemount @{exec_path} {
 @{PROC}/@{pid}/mounts r,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index 47d784212..cfac12d42 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -39,7 +39,7 @@ profile arduino @{exec_path} {
 @{bin}/chmod rix,
 @{bin}/avrdude rix,
- @{bin}/xdg-open rCx -> open,
+ @{open_path} rCx -> child-open,
 @{bin}/dpkg-architecture rPx,
 @{bin}/arduino-builder rPx,
@@ -109,31 +109,6 @@ profile arduino @{exec_path} {
 # Silencer
 deny /usr/share/arduino/** w,
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
- @{bin}/spacefm rPUx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder
index 23f8628e5..2ef7e37fa 100644
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -39,8 +39,6 @@ profile arduino-builder @{exec_path} {
 owner @{HOME}/Arduino/{,**} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /tmp/ r,
 owner @{tmp}/cc* rw,
 owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags
index 0c3849643..d85a6f3a8 100644
--- a/apparmor.d/profiles-a-f/arduino-ctags
+++ b/apparmor.d/profiles-a-f/arduino-ctags
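Review bot: `+ @{open_path} rCx -> child-open,` in the `@@ -39,7 +39,7 @@` hunk requests a transition to a local child profile named `child-open`, but the only local child this file had (`profile open`) is deleted in the `@@ -109,31 +109,6 @@` hunk and nothing named `child-open` is defined in its place, while the other profiles in this diff (baobab, calibre) use `@{open_path} rPx -> child-open,`, a transition to the global `child-open` profile. Unless a local `child-open` exists elsewhere in this file outside the hunks, the parser has no child to resolve the `Cx` target to and `@{open_path} rPx -> child-open,` is what was intended. The enclosing `profile arduino` block starts outside both hunks.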
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index c5bd8d4f4..16b5b6f6d 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 078fa0139..769f15cf0 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -69,6 +69,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/at b/apparmor.d/profiles-a-f/at index 2da487b9c..0c309ad72 100644 --- a/apparmor.d/profiles-a-f/at +++ b/apparmor.d/profiles-a-f/at @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index b1b54f0fa..f8d39c8f5 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index 02a0a018b..dc7f2bf36 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 947245d2a..99cb0fed6 100644 --- a/apparmor.d/profiles-a-f/atool 
+++ b/apparmor.d/profiles-a-f/atool @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile atool @{exec_path} { include include include + include include @{exec_path} mr, @@ -38,6 +39,7 @@ profile atool @{exec_path} { @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, + @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -47,6 +49,9 @@ profile atool @{exec_path} { @{bin}/xz rix, @{bin}/zip rix, + /etc/atool.conf r, + owner @{HOME}/.atoolrc r, + include if exists } diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 2163346cc..284c35911 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,13 +26,7 @@ profile atril @{exec_path} { network netlink raw, - dbus send bus=session path=/org/mate/atril/{,**} - peer=(name=org.freedesktop.DBus, label=atrild), # all interfaces and members - - dbus send bus=session path=/org/mate/atril/Daemon - interface=org.mate.atril.Daemon - member={RegisterDocument,UnregisterDocument} - peer=(name=org.mate.atril.Daemon), # no peer's labels + #aa:dbus talk bus=session name=org.mate.atril.Daemon label=atrild @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild index c44686d5a..f66f25936 100644 --- a/apparmor.d/profiles-a-f/atrild +++ b/apparmor.d/profiles-a-f/atrild @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index daaee243f..d6881f3e7 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 4e93a5d22..92afa1d08 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,10 +27,10 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, - @{run}/systemd/journal/dev-log w, owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, + @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 5f192e8cc..7a515c1ba 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index 48b4cc8af..e0f686b90 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab new file mode 100644 index 000000000..1f9f14dc1 --- /dev/null +++ b/apparmor.d/profiles-a-f/baobab 
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/baobab
+profile baobab @{exec_path} {
+ include
+ include
+ include
+ include
+
+ #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+
+ @{exec_path} mr,
+
+ @{open_path} rPx -> child-open-help,
+
+ # As a directory tree analyzer it needs full access to the filesystem
+ / r,
+ /** r,
+
+ deny /boot/{,**} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode
index caf8a50d2..8010b380a 100644
--- a/apparmor.d/profiles-a-f/biosdecode
+++ b/apparmor.d/profiles-a-f/biosdecode
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index b6314e942..c63a8de7c 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate
index f9db3e96f..ad575351f 100644
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index ad8134064..282081330 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/profiles-a-f/blockdev
index 1b6cc77cb..88059a4c5 100644
--- a/apparmor.d/profiles-a-f/blockdev
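Review bot: `/ r,` and `/** r,` give baobab read access to every file DAC allows, and the only carve-out is `deny /boot/{,**} r,`; the comment explains the breadth but not why `/boot` alone is excluded. If baobab only enumerates directories and stats their entries, which is all a usage analyzer needs and which AppArmor mediates only as directory read, `/**/ r,` (directories only) would give the same listing ability without granting read on file contents, so it is worth checking the audit log for actual file opens before keeping `/** r,`. Should content reads turn out to be required, the `/boot` rule is the pattern to extend to the other trees holding secrets (key material under `@{HOME}`, the shadow file that the `adequate` profile in this diff reads), with a comment such as `# Deny content reads where only sizes are needed`.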
+++ b/apparmor.d/profiles-a-f/blockdev @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 9ac1c2c2b..08a553c1d 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism index 152520fad..aae5d53cd 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism +++ b/apparmor.d/profiles-a-f/blueman-mechanism @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher index a8753ac8f..516f14bdd 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/profiles-a-f/bluemoon index 06f4040f8..88cb70621 100644 --- a/apparmor.d/profiles-a-f/bluemoon +++ b/apparmor.d/profiles-a-f/bluemoon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/profiles-a-f/bluetoothctl index 603998f2c..01565b4ff 100644 --- a/apparmor.d/profiles-a-f/bluetoothctl +++ b/apparmor.d/profiles-a-f/bluetoothctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index 75934102b..ee7efdcfd 100644 --- a/apparmor.d/profiles-a-f/bluetoothd 
+++ b/apparmor.d/profiles-a-f/bluetoothd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -35,16 +35,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { member=GetManagedObjects peer=(name=:*, label=pulseaudio), - dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/* - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), - - dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile} - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved diff --git a/apparmor.d/profiles-a-f/bmon b/apparmor.d/profiles-a-f/bmon index 77feb3210..d29d9fde7 100644 --- a/apparmor.d/profiles-a-f/bmon +++ b/apparmor.d/profiles-a-f/bmon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 47c16d1cd..b70b72088 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,6 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, @{run}/systemd/notify rw, - @{run}/systemd/journal/socket w, @{run}/udev/data/+thunderbolt:* r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 107330419..15c6b71c9 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -21,6 +21,9 @@ profile borg @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/,
+ mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/,
+
 @{exec_path} r,
 @{bin}/ r,
@@ -107,6 +110,9 @@ profile borg @{exec_path} {
 /etc/fuse.conf r,
+ @{MOUNTS}/ r,
+ @{MOUNTS}/*/ r,
+
 @{PROC}/@{pids}/mounts r,
 /dev/fuse rw,
diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop
new file mode 100644
index 000000000..a0b57a38b
--- /dev/null
+++ b/apparmor.d/profiles-a-f/briar-desktop
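Review bot: `options=(ro nosuid nodev)` in the two new mount rules is an exact-set match (the subset form is `options in (...)`), so the rule fires only when borg requests precisely these three flags; that is the safer failure mode, since a borg build that adds or drops a flag gets a denial rather than a wider grant, but the `=` form is easy to misread as "at least these". A one-line comment above the first rule, e.g. `# exact option set: borg mount must request ro,nosuid,nodev`, would make the intent explicit. The `@{MOUNTS}/ r,` and `@{MOUNTS}/*/ r,` lines in the `@@ -107,6 +110,9 @@` hunk match the two mount targets and look consistent with them. The enclosing `profile borg` block starts and ends outside both hunks.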
@@ -0,0 +1,95 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/briar-desktop
+profile briar-desktop @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ ptrace read peer=briar-desktop-tor,
+ ptrace read peer=@{profile_name}//jspawnhelper,
+
+ @{exec_path} mr,
+
+ @{lib}/jvm/java*/bin/java rix,
+ @{lib}/jvm/java*/lib/** rm,
+ @{lib}/jvm/java*/lib/jspawnhelper Cx -> jspawnhelper,
+ @{sh_path} mr,
+
+ @{system_share_dirs}/java/briar-desktop.jar r,
+
+ /etc/java*/{,**} r,
+
+ owner @{HOME}/.briar/desktop/{,**} rw,
+ owner @{HOME}/.briar/desktop/db/db.mv.db k,
+
+ owner @{HOME}/.java/{,.userPrefs/{,org/}} w,
+ owner @{HOME}/.java/.userPrefs/.user.lock.@{user} wk,
+ owner @{HOME}/.java/.userPrefs/.userRootModFile.@{user} rw,
+ owner @{HOME}/.java/.userPrefs/{,org/}prefs.{xml,tmp} rw,
+ owner @{HOME}/.java/.userPrefs/org/briarproject/{,**} rw,
+
+ owner @{HOME}/.skiko/ w,
+ owner @{HOME}/.skiko/@{hex64}/{,libskiko-*.so,skiko[0-9]*} mrw,
+
+ owner @{user_pictures_dirs}/{,**} r,
+
+ owner @{user_cache_dirs}/JNA/{,**} mrw,
+
+ owner @{tmp}/hsperfdata_@{user}/ rw,
+ owner @{tmp}/hsperfdata_@{user}/@{pid} rwk,
+ owner @{tmp}/imageio@{u64}.tmp rw,
+ owner @{tmp}/jna@{u64}.tmp mrw,
+
+ @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r,
+ @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r,
+
+ @{PROC}/cgroups r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/coredump_filter rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ owner @{PROC}/@{pid}/stat r,
+
+ /dev/tty rw,
+ /dev/urandom rw,
+
+ deny @{HOME}/ r,
+
+ include if exists
+
+ profile jspawnhelper flags=(attach_disconnected) {
+ include
+
+ @{bin}/ldconfig ix,
+ owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor,
+
+ @{system_share_dirs}/java/briar-desktop.jar r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/stat r,
+
+ deny owner @{HOME}/.briar/desktop/db/db.mv.db rw, # file_inherit
+ deny network inet6 stream, # file_inherit
+
+ include if exists
+ }
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor
new file mode 100644
index 000000000..e78420e34
--- /dev/null
+++ b/apparmor.d/profiles-a-f/briar-desktop-tor
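Review bot: `owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor,` in the `jspawnhelper` child launches a binary from a directory the parent profile can write in full (`owner @{HOME}/.briar/desktop/{,**} rw,`), so this profile cannot vouch for that executable's integrity and the confinement of the tor process rests entirely on the `briar-desktop-tor` profile it transitions into. That is a reasonable design for an app that unpacks its own helpers, but it deserves a comment on the rule, e.g. `# tor is unpacked by the app into a user-writable dir; bounded by the briar-desktop-tor profile, not by file integrity`. In the parent, `@{sh_path} mr,` grants mmap and read of the shell without any exec permission; if that is deliberate (the children do not execute a shell either), a note such as `# no ix: nothing in this profile is meant to run a shell` would stop a later reader from "fixing" it to `rix`.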
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile briar-desktop-tor {
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ signal send set=term peer=briar-desktop-tor//obfs4proxy,
+ signal send set=term peer=briar-desktop-tor//snowflake,
+
+ owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw,
+ owner @{HOME}/.briar/desktop/tor/.tor/lock k,
+ owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy,
+ owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake,
+ owner @{HOME}/.briar/desktop/tor/tor r,
+ owner @{HOME}/.briar/desktop/tor/torrc r,
+
+ @{PROC}/sys/kernel/random/uuid r,
+
+ include if exists
+
+ profile obfs4proxy {
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ signal receive set=term peer=briar-desktop-tor,
+
+ owner @{HOME}/.briar/desktop/tor/.tor/pt_state/ w,
+ owner @{HOME}/.briar/desktop/tor/obfs4proxy mr,
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+ }
+
+ profile snowflake {
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ signal receive set=term peer=briar-desktop-tor,
+
+ owner @{HOME}/.briar/desktop/tor/snowflake mr,
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+ }
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index cfc5d3b0b..86da0e6a7 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
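Review bot: `owner @{HOME}/.briar/desktop/tor/.tor/pt_state/ w,` in the `obfs4proxy` child matches only the directory entry (trailing `/`), so if obfs4proxy writes state files inside `pt_state/` those writes will be denied and only the directory creation will succeed; if file writes are expected, `owner @{HOME}/.briar/desktop/tor/.tor/pt_state/{,**} rw,` is the shape the parent profile already uses for `.tor/`, and if they are not, the narrower rule is correct and worth a comment saying so. `profile briar-desktop-tor {` carries no attachment path, which is right for a profile reached only through `Px -> briar-desktop-tor` from `briar-desktop//jspawnhelper`; a one-line comment such as `# No attachment: entered only via Px from briar-desktop//jspawnhelper` would help a reader who looks for the usual `@{exec_path}` line and does not find one.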
@@ -25,8 +25,6 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pid}/mountinfo r, # Inherit Silencer diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index b6c3556ec..bab483dde 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index 45e50da9c..cdf5eb0df 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,9 +24,15 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk, / r, - /boot/ r, - /home/ r, /.snapshots/ r, + /boot/ r, + /boot/**/ r, + /home/ r, + /opt/ r, + /root/ r, + /srv/ r, + /usr/local/ r, + /var/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, @@ -44,10 +50,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/snapper-tools-*/ r, @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r, - - @{sys}/fs/btrfs/@{uuid}/exclusive_operation r, - @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r, - @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r, + + @{sys}/fs/btrfs/@{uuid}/** r, @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/profiles-a-f/btrfs-convert index 8b443cf6e..2dccbf1fd 100644 --- a/apparmor.d/profiles-a-f/btrfs-convert +++ b/apparmor.d/profiles-a-f/btrfs-convert 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root index 03c2d47bd..eef4b6823 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image index c1508bb09..6f18ac095 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/profiles-a-f/btrfs-image @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical index 12d2b09d6..f871bc946 100644 --- a/apparmor.d/profiles-a-f/btrfs-map-logical +++ b/apparmor.d/profiles-a-f/btrfs-map-logical @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/profiles-a-f/btrfs-select-super index f083363cf..0019aa906 100644 --- a/apparmor.d/profiles-a-f/btrfs-select-super +++ b/apparmor.d/profiles-a-f/btrfs-select-super @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/profiles-a-f/btrfstune index cd8f7adfe..f8fa4a047 100644 --- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/profiles-a-f/btrfstune @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/profiles-a-f/calibre similarity index 63% rename from apparmor.d/groups/apps/calibre rename to apparmor.d/profiles-a-f/calibre index f1b3e9050..6d71ed28d 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -3,27 +3,26 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} -@{exec_path} += @{bin}/calibredb -@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert} +@{exec_path} = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*} @{exec_path} += @{bin}/fetch-ebook-metadata -@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer -@{exec_path} += @{bin}/web2disk +@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include include include include include - include + include + include include include include include + include include include include @@ -45,20 +44,19 @@ profile calibre @{exec_path} { unix (bind) type=stream addr="@calibre-*", @{exec_path} mrix, - @{bin}/python3.@{int} r, - @{bin}/ldconfig{,.real} rix, @{sh_path} rix, + @{python_path} rix, @{bin}/file rix, + @{bin}/ldconfig{,.real} rix, @{bin}/uname rix, - @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, + @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @{bin}/pdfinfo rPUx, @{bin}/pdftohtml rPUx, - @{bin}/xdg-open rPx -> child-open, - @{bin}/xdg-mime rPx, + @{open_path} rPx -> child-open, /usr/share/calibre/{,**} r, 
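Review bot: The new attachment `@{exec_path} = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*}` in the first hunk is broader than the enumerated list it replaces: any executable named `calibre-*` or `ebook-*` in `@{bin}`, including ones from unrelated packages, now attaches to this profile. If only calibre's own tools are meant, keeping the explicit names, or adding a comment stating that the glob is deliberate, keeps the attachment auditable. This matters more after the second hunk, where `@{python_path} rix` and `QtWebEngineProcess rix` run the interpreter and the renderer under this same profile, so whatever attaches inherits that scope. The profile body continues outside the hunk.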
@@ -79,16 +77,11 @@ profile calibre @{exec_path} { owner @{user_config_dirs}/calibre/** rwk, owner @{user_share_dirs}/calibre-ebook.com/ rw, - owner @{user_share_dirs}/calibre-ebook.com/calibre/ rw, - owner @{user_share_dirs}/calibre-ebook.com/calibre/** rwk, + owner @{user_share_dirs}/calibre-ebook.com/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{user_cache_dirs}/gstreamer-@{int}/ rw, - owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, owner @{tmp}/calibre-*/{,**} rw, owner @{tmp}/@{int}-*/ rw, @@ -98,22 +91,22 @@ profile calibre @{exec_path} { @{sys}/devices/@{pci}/irq r, - @{PROC}/ r, - @{PROC}/@{pids}/net/route r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat{,m} r, - owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{PROC}/@{pid}/cmdline r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - deny @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/ r, + @{PROC}/@{pids}/net/route r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/stat{,m} r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/status r, owner /dev/tty@{int} rw, 
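Review bot: The second hunk turns three `deny` rules into grants — `owner @{PROC}/@{pid}/cmdline r,`, `owner @{PROC}/@{pid}/oom_{,score_}adj rw,` and `@{PROC}/sys/kernel/random/boot_id r,` — which widens policy rather than just re-sorting it, yet the commit gives no reason; a `deny` in this profile normally marks access the program does not need and only silences log noise. `boot_id` in particular is a stable per-boot identifier, and the removed `deny` suggests calibre was previously found to work without it. If the grants are genuinely required, a comment above each, e.g. `# needed by <which component> (see audit log)`, would keep the widening reviewable. The profile starts and ends outside this hunk.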
diff --git a/apparmor.d/profiles-a-f/cas b/apparmor.d/profiles-a-f/cas
new file mode 100644
index 000000000..d843801ba
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cas
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/cas
+profile cas @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{system_share_dirs}/cas/{,**} r,
+
+ owner @{HOME}/.aMule/aMule-online-sign.html w,
+ owner @{HOME}/.aMule/amulesig.dat r,
+ owner @{HOME}/.aMule/casrc rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird
index ee3bab550..0d8c6a000 100644
--- a/apparmor.d/profiles-a-f/cawbird
+++ b/apparmor.d/profiles-a-f/cawbird
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -31,8 +31,12 @@ profile cawbird @{exec_path} {
 @{sh_path} rix,
- @{bin}/xdg-open rCx -> open,
- @{bin}/exo-open rCx -> open,
+ @{open_path} rPx -> child-open,
+
+ /usr/share/xml/iso-codes/{,**} r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
 owner @{user_config_dirs}/cawbird/ rw,
 owner @{user_config_dirs}/cawbird/** rwk,
@@ -40,36 +44,8 @@ profile cawbird @{exec_path} {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/cawbird-* rw,
- /usr/share/xml/iso-codes/{,**} r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
 owner @{PROC}/@{pid}/fd/ r,
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper index bc12ec50b..d8128da74 100644 --- a/apparmor.d/profiles-a-f/cc-remote-login-helper +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -1,7 +1,8 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 3795d9836..40c5199b3 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ccze b/apparmor.d/profiles-a-f/ccze index e51310b63..338f71a78 100644 --- a/apparmor.d/profiles-a-f/ccze +++ b/apparmor.d/profiles-a-f/ccze @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cemu b/apparmor.d/profiles-a-f/cemu new file mode 100644 index 000000000..1201f2476 --- /dev/null +++ b/apparmor.d/profiles-a-f/cemu 
@@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/cemu
+profile cemu @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/Cemu/{,**} r,
+
+ owner @{user_cache_dirs}/Cemu/{,**} rw,
+ owner @{user_config_dirs}/Cemu/{,**} rw,
+ owner @{user_share_dirs}/Cemu/{,**} rw,
+
+ @{sys}/class/ r,
+ @{sys}/class/input/ r,
+ @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r,
+ @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r,
+ @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r,
+ @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/statm r,
+
+ /dev/input/ r,
+ /dev/input/event@{int} rw,
+ /dev/input/js@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cert-sync b/apparmor.d/profiles-a-f/cert-sync
index e2770bda1..fa70c395f 100644
--- a/apparmor.d/profiles-a-f/cert-sync
+++ b/apparmor.d/profiles-a-f/cert-sync
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk
index 7559b5c84..9cacb9324 100644
--- a/apparmor.d/profiles-a-f/cfdisk
+++ b/apparmor.d/profiles-a-f/cfdisk
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk
index f19e70c26..0f91c1e85 100644
--- a/apparmor.d/profiles-a-f/cgdisk
+++ b/apparmor.d/profiles-a-f/cgdisk
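Review bot: `owner @{PROC}/@{pid}/fd r,` is missing the trailing slash, so it matches a file named `fd` rather than the `fd/` directory, unlike the other profiles in this diff (calibre, cawbird) which write `owner @{PROC}/@{pid}/fd/ r,`; as written the rule is most likely a no-op and the directory listing will be denied. `/dev/input/event@{int} rw,` covers every evdev node, keyboards included, which is inherent to controller support but worth a comment such as `# gamepads; evdev offers no narrower path`. The one-line fix is `owner @{PROC}/@{pid}/fd/ r,`.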
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 6c51eead1..08b1d83b5 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage index 3eaa0efb9..a89e204a8 100644 --- a/apparmor.d/profiles-a-f/chage +++ b/apparmor.d/profiles-a-f/chage @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool index 9dd650d51..c73243041 100644 --- a/apparmor.d/profiles-a-f/changestool +++ b/apparmor.d/profiles-a-f/changestool @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,6 +33,7 @@ profile changestool @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 877677bca..775e3f640 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index bdd9719d3..313fa6c54 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -65,7 +65,6 @@ profile check-support-status @{exec_path} { /usr/share/debian-security-support/ r, /usr/share/debian-security-support/* r, - profile debconf-escape { include include @@ -75,6 +74,7 @@ profile check-support-status @{exec_path} { owner @{tmp}/debian-security-support.postinst.*/output r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index e0c312423..5eb0eda0f 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -58,6 +58,7 @@ profile check-support-status-hook @{exec_path} { /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output r, + include if exists } profile frontend { @@ -90,6 +91,7 @@ profile check-support-status-hook @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, + include if exists } profile runuser { @@ -124,6 +126,8 @@ profile check-support-status-hook @{exec_path} { /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output w, + + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/profiles-a-f/chfn index 162a08b84..7201d1a7a 100644 --- a/apparmor.d/profiles-a-f/chfn +++ b/apparmor.d/profiles-a-f/chfn @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd index 1fd84f53c..fb8438cc1 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/chpasswd diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 5aa5c5ed2..155d82f07 100644 
--- a/apparmor.d/profiles-a-f/chronyd
+++ b/apparmor.d/profiles-a-f/chronyd
@@ -4,7 +4,7 @@
 # Based on https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/usr.sbin.chronyd
-abi ,
+abi ,
 include
@@ -12,6 +12,8 @@ include
 profile chronyd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
 capability chown,
 capability dac_override,
@@ -27,12 +29,15 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
 network inet dgram,
 network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
 network netlink raw,
 @{exec_path} mr,
 /etc/adjtime r,
- /etc/chrony.* r,
+ /etc/chrony.conf r,
+ /etc/chrony.keys r,
 /etc/chrony.d/{,*} r,
 /etc/chrony/{,**} r,
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index ffcdb5bdf..61885ed4e 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index 4de4543a4..7c5486c50 100644
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -66,6 +66,7 @@ profile claws-mail @{exec_path} flags=(complain) {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus
index b667d81f0..c3916890f 100644
--- a/apparmor.d/profiles-a-f/cmus
+++ b/apparmor.d/profiles-a-f/cmus
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 valoq
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -29,3 +29,5 @@ profile cmus @{exec_path} {
 include if exists
 }
+
+# vim:syntax=apparmor
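Review bot: The second chronyd hunk adds `network inet stream,` and `network inet6 stream,` without saying what chronyd uses TCP for; presumably NTS key establishment (NTS-KE), but the commit does not state it, and a comment such as `# NTS-KE` on those two lines would document the widening. Replacing `/etc/chrony.* r,` with `/etc/chrony.conf r,` and `/etc/chrony.keys r,` is a welcome narrowing, since `chrony.keys` holds shared secrets and the old glob also matched any other `chrony.*` file dropped into /etc. The profile continues outside the hunk.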
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
deleted file mode 100644
index 393598746..000000000
--- a/apparmor.d/profiles-a-f/code
+++ /dev/null
@@ -1,105 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss} - -@{exec_path} = @{lib}/electron@{int}/electron -profile code flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, - network netlink raw, - - signal (send), - - @{exec_path} mrix, - - @{lib}/code/node_modules.asar.unpacked/**.node rm, - - # Core tools - @{bin}/git rPx, - @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/rg rix, - @{open_path} rPx -> child-open, - - # The shell is not confined on purpose. - @{bin}/@{shells} rUx, - - # Confine some common tools - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - - # Do NOT confine most of the extensions - @{bin}/[a-z0-9]* rPUx, - @{code_config_dirs}/extensions/** rPUx, - @{HOME}/.go/bin/* rPUx, - @{lib}/go/bin/* rPUx, - @{bin}/python3.@{int} rUx, - - /etc/shells r, - /etc/lsb-release r, - - owner @{HOME}/@{XDG_SSH_DIR}/config r, - - owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**, - - owner @{user_projects_dirs}/ r, - owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, - - owner @{tmp}/@{uuid} rw, - owner @{tmp}/vscode-*/{,**} rw, - owner @{tmp}/vscode-ipc-@{uuid}.sock rw, - - owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw, - owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw, - owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw, - - @{run}/systemd/inhibit/*.ref rw, - - @{sys}/devices/system/cpu/present r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - @{PROC}/ r, - @{PROC}/@{pid}/fd/ r, - 
@{PROC}/@{pid}/stat r, - @{PROC}/loadavg r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm w, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pids}/task/@{tid}/status r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 6954ca966..5a31889b9 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor index 104e01281..8e56ac3aa 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-editor +++ b/apparmor.d/profiles-a-f/code-extension-git-editor @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper deleted file mode 100644 index 707164b09..000000000 --- a/apparmor.d/profiles-a-f/code-wrapper +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/code{,-oss} -profile code-wrapper @{exec_path} { - include - include - - @{exec_path} r, - - @{sh_path} rix, - @{lib}/electron@{int}/electron rPx -> code, - - owner @{user_config_dirs}/code-flags.conf r, - owner @{user_config_dirs}/electron@{int}-flags.conf r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton index b27228807..a6c7d193f 100644 --- a/apparmor.d/profiles-a-f/compton +++ b/apparmor.d/profiles-a-f/compton @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 1e1b10abc..3c059abcf 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -200,6 +200,7 @@ profile conky @{exec_path} { deny @{PROC}/@{pid}/net/route r, deny @{sys}/devices/**/hwmon/**/temp*_input r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index d7b41ff20..d3aaddf7f 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 28a393470..8c38f85a3 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall 
@@ -3,42 +3,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py profile convertall @{exec_path} { include - include - include - include + include include - include - include - include - include - include - include + include include + include + include @{exec_path} r, @{sh_path} rix, @{bin}/python3.@{int} rix, - owner @{HOME}/.convertall rw, - - deny owner @{PROC}/@{pid}/cmdline r, - /usr/share/convertall/{,**} r, /usr/share/doc/convertall/{,*} r, - /usr/share/hwdata/pnp.ids r, - /var/lib/dbus/machine-id r, /etc/machine-id r, + owner @{HOME}/.convertall rw, + + deny owner @{PROC}/@{pid}/cmdline r, + include if exists } diff --git a/apparmor.d/profiles-a-f/cppw-cpgr b/apparmor.d/profiles-a-f/cppw-cpgr index 9e0aa0ad1..a5b7d8302 100644 --- a/apparmor.d/profiles-a-f/cppw-cpgr +++ b/apparmor.d/profiles-a-f/cppw-cpgr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index 8df6f750e..c374d4685 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index d29bfbbee..cc183f527 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 96fb4c706..50d34bad4 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh index 5945ac6ea..e2dbc1b51 100644 --- a/apparmor.d/profiles-a-f/cups-backend-beh +++ b/apparmor.d/profiles-a-f/cups-backend-beh @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/profiles-a-f/cups-backend-bluetooth index ba606c7ef..ada4926ce 100644 --- a/apparmor.d/profiles-a-f/cups-backend-bluetooth +++ b/apparmor.d/profiles-a-f/cups-backend-bluetooth @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf index 2ea66ba05..27e98efc3 100644 --- a/apparmor.d/profiles-a-f/cups-backend-brf +++ b/apparmor.d/profiles-a-f/cups-backend-brf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd index 0bb1a34d1..f45b99216 100644 --- a/apparmor.d/profiles-a-f/cups-backend-dnssd +++ b/apparmor.d/profiles-a-f/cups-backend-dnssd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/profiles-a-f/cups-backend-hp index f82ce7e0a..636121553 100644 --- a/apparmor.d/profiles-a-f/cups-backend-hp +++ b/apparmor.d/profiles-a-f/cups-backend-hp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass index 6a50ec237..ba85c62fa 100644 --- a/apparmor.d/profiles-a-f/cups-backend-implicitclass +++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp index 706e1a5ae..b473ecaa3 100644 --- a/apparmor.d/profiles-a-f/cups-backend-ipp +++ b/apparmor.d/profiles-a-f/cups-backend-ipp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd index 077a913a0..af2901be0 100644 --- a/apparmor.d/profiles-a-f/cups-backend-lpd +++ b/apparmor.d/profiles-a-f/cups-backend-lpd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/profiles-a-f/cups-backend-mdns index a520e9a19..0b9cce0da 100644 --- a/apparmor.d/profiles-a-f/cups-backend-mdns +++ b/apparmor.d/profiles-a-f/cups-backend-mdns @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel index fe2e752ef..a985e5042 100644 --- a/apparmor.d/profiles-a-f/cups-backend-parallel +++ b/apparmor.d/profiles-a-f/cups-backend-parallel @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf index efbb2a85d..7782ecb11 100644 --- a/apparmor.d/profiles-a-f/cups-backend-pdf 
+++ b/apparmor.d/profiles-a-f/cups-backend-pdf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile cups-backend-pdf @{exec_path} { unix peer=(label=cupsd), @{exec_path} mr, - + @{sh_path} rix, @{bin}/cp rix, @{bin}/gs rix, diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial index e2ec19bce..3959a091d 100644 --- a/apparmor.d/profiles-a-f/cups-backend-serial +++ b/apparmor.d/profiles-a-f/cups-backend-serial @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp index 1532db04b..5badd529a 100644 --- a/apparmor.d/profiles-a-f/cups-backend-snmp +++ b/apparmor.d/profiles-a-f/cups-backend-snmp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile cups-backend-snmp @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/cups/snmp.conf r, /etc/papersize r, diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket index 338d2e2e6..3efcf183b 100644 --- a/apparmor.d/profiles-a-f/cups-backend-socket +++ b/apparmor.d/profiles-a-f/cups-backend-socket @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb index e647939f4..fa21e0204 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/profiles-a-f/cups-backend-usb @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed index 2abffbe16..41d22ed9b 100644 
--- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/profiles-a-f/cups-browsed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,7 +39,6 @@ profile cups-browsed @{exec_path} { @{exec_path} mr, /usr/share/cups/locale/{,**} r, - /usr/share/locale/{,**} r, /etc/cups/{,**} r, diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus index 9632ca91d..3f9b15dcc 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, @{exec_path} mr, - + owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto index aad9f73c3..e69afb072 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-mailto +++ b/apparmor.d/profiles-a-f/cups-notifier-mailto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ profile cups-notifier-mailto @{exec_path} { include @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss index 86dfecc9e..993392912 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-rss +++ b/apparmor.d/profiles-a-f/cups-notifier-rss @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ profile cups-notifier-rss @{exec_path} { include @{exec_path} mr, - + include if exists } 
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism index 7c67e3e6a..89d55c2f1 100644 --- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism +++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index 9511c7495..ac9984746 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -2,6 +2,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/cupsd diff --git a/apparmor.d/profiles-a-f/czkawka-cli b/apparmor.d/profiles-a-f/czkawka-cli index 6ad4c553b..ddbc8b59b 100644 --- a/apparmor.d/profiles-a-f/czkawka-cli +++ b/apparmor.d/profiles-a-f/czkawka-cli @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index 68a30c769..d7bb93f41 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile czkawka-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, # Dirs to scan for duplicates #owner @{HOME}/** rw, 
@@ -38,32 +38,6 @@ profile czkawka-gui @{exec_path} { @{sys}/fs/cgroup/{,**} r, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - #@{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/geany rPx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index 000e61013..c16629d6d 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index ee12dcd5d..c752dcbb8 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index eaf12a933..4f60099a9 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -3,17 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{DCD_LIBDIR} = @{lib}/deltachat-desktop -@{DCD_LIBDIR} += @{lib}/deltachat -@{DCD_LIBDIR} += /opt/DeltaChat/ +@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ -@{exec_path} = /usr/bin/deltachat-desktop -@{exec_path} += /opt/DeltaChat/deltachat-desktop -#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop +@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include include 
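Review bot: In the new `@{lib_dirs}` line of deltachat-desktop the third entry keeps a trailing slash (`/opt/DeltaChat/`) while the first two do not, so every derived rule, e.g. the new `@{exec_path}` entry `@{lib_dirs}/deltachat-desktop`, expands to `/opt/DeltaChat//deltachat-desktop`. apparmor_parser is expected to collapse repeated slashes, but the mixed form is easy to trip over when the variable is reused; `@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat` removes the ambiguity. The profile body continues past this hunk.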
@@ -35,15 +31,18 @@ profile deltachat-desktop @{exec_path} { @{exec_path} mrix, - @{DCD_LIBDIR}/ r, - @{DCD_LIBDIR}/** r, - @{DCD_LIBDIR}/libffmpeg.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, - @{DCD_LIBDIR}/chrome-sandbox rPx, + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/{swiftshader/,}libGLESv2.so mr, + @{lib_dirs}/{swiftshader/,}libEGL.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, + @{lib_dirs}/chrome-sandbox rPx, + + @{bin}/xdg-settings rPx, + @{open_path} rPx -> child-open-browsers, owner @{user_config_dirs}/DeltaChat/ rw, owner @{user_config_dirs}/DeltaChat/** rwk, 
@@ -53,58 +52,24 @@ profile deltachat-desktop @{exec_path} { owner @{tmp}/@{hex}/db.sqlite rwk, owner @{tmp}/@{hex}/db.sqlite-journal rw, - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/statm r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pids}/oom_{,score_}adj r, - deny owner @{PROC}/@{pids}/oom_{,score_}adj w, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, - /dev/ r, + /dev/ r, # (#FIXME#) deny @{sys}/bus/pci/devices/ r, - deny @{sys}/devices/virtual/tty/tty@{int}/active r, - # no new privs - @{bin}/xdg-settings rPx, - - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 67e52b376..1f2e86579 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
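Review bot: Two former `deny` rules become allows on the new side: `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/oom_{,score_}adj rw,` replace `deny owner @{PROC}/@{pid}/cmdline r,` and `deny owner @{PROC}/@{pids}/oom_{,score_}adj w,`, and `deny @{sys}/devices/virtual/tty/tty@{int}/active r,` is dropped without replacement. Explicit `deny` rules are also silent in the audit log, so the old form was presumably there to quiet harmless Electron probes rather than because the access was needed; if nothing in DeltaChat actually broke, keeping the deny form is the tighter choice, and if something did, a short comment such as `# Electron adjusts its renderers' oom_score_adj` would keep the next cleanup from reverting it. The firefox `rPx` rule removed here is covered by the `child-open-browsers` transition added earlier in the file.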
@@ -14,24 +14,18 @@ profile deluser @{exec_path} { include include - # The deluser command is issued as root and its task is to delete regular user accounts. It - # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. - # Because of that, the deluser command needs the following CAPs to be able to do so. capability dac_read_search, capability dac_override, @{exec_path} r, @{bin}/perl r, - @{sh_path} rix, - - @{bin}/userdel rPx, + @{sh_path} rix, + @{bin}/crontab rPx, + @{bin}/gpasswd rPx, @{bin}/groupdel rPx, - @{bin}/gpasswd rPx, - - @{bin}/crontab rPx, - - @{bin}/mount rCx -> mount, + @{bin}/mount rCx -> mount, + @{bin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, @@ -45,7 +39,6 @@ profile deluser @{exec_path} { / r, /** rw, - profile mount { include @@ -55,6 +48,7 @@ profile deluser @{exec_path} { @{sys}/devices/virtual/block/**/name r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/profiles-a-f/df index 18b3687e1..1a823e4db 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/profiles-a-f/df @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc index b4ccf6743..d23028a47 100644 --- a/apparmor.d/profiles-a-f/dfc +++ b/apparmor.d/profiles-a-f/dfc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient index 20e45b87f..30d68f6e5 100644 --- a/apparmor.d/profiles-a-f/dhclient +++ b/apparmor.d/profiles-a-f/dhclient @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 4261a8be7..b650498cf 100644 
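Review bot: The deluser hunk drops the three-line comment that explained why `capability dac_read_search` and `capability dac_override` are granted (removing or backing up user files for --remove-home / --remove-all-files), leaving two broad capabilities with no rationale in the profile. A one-liner above the capability lines, `# Read/remove any user's files for --remove-home, --remove-all-files and --backup`, preserves the justification without the verbosity. Together with the pre-existing `/ r, /** rw,` visible in the following hunk these capabilities make deluser nearly unconfined for file access, so stating that this is intended is worth the line.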
--- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -77,6 +77,7 @@ profile dhclient-script @{exec_path} { # file_inherit owner /var/lib/dhcp/dhclient.leases r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 87b80e3da..3e95a05dd 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dino b/apparmor.d/profiles-a-f/dino new file mode 100644 index 000000000..e2ee5e9b2 --- /dev/null +++ b/apparmor.d/profiles-a-f/dino @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dino{,-im} +profile dino @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + # Not in a subprofile because of no new privs + @{bin}/gpg{,2} rix, + @{bin}/gpgconf rix, + @{bin}/gpgsm rix, + @{lib}/gnupg/keyboxd rix, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{user_share_dirs}/dino/ rw, + owner @{user_share_dirs}/dino/** rwk, + + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/S.keyboxd rw, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor 
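Review bot: The new dino profile runs gpg, gpgconf, gpgsm and keyboxd with `rix`, and therefore has to grant the network-facing XMPP client itself `owner @{HOME}/@{XDG_GPG_DIR}/** rwkl`, i.e. read/write of the whole GnuPG home including secret keys; the deleted dino-im profile kept these rules inside a `gpg` child profile. The comment blames no-new-privs, but this same change handles the analogous case in element-desktop with a stacked transition (`#aa:stack` / `rPx -> element-desktop//&xdg-settings`), which, as I understand it, is accepted under no_new_privs because the stacked label is a subset of the current confinement. Consider `@{bin}/gpg{,2} rPx -> dino//&gpg,` (and likewise for gpgconf, gpgsm and keyboxd) with the keyring rules moved into that gpg profile, so a compromised dino cannot read `~/.gnupg` directly. If stacking is not an option here, a comment acknowledging that the keyring is exposed to the client would at least make the trade-off explicit.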
diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im deleted file mode 100644 index 07fba44a5..000000000 --- a/apparmor.d/profiles-a-f/dino-im +++ /dev/null @@ -1,53 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/dino-im -profile dino-im @{exec_path} { - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - # Needed for GPG/PGP support - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, - - owner @{user_share_dirs}/dino/ rw, - owner @{user_share_dirs}/dino/** rwk, - - owner @{PROC}/@{pid}/fd/ r, - - profile gpg { - include - - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - - owner @{HOME}/.gnupg/ rw, - owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/profiles-a-f/discord similarity index 69% rename from apparmor.d/groups/apps/discord rename to apparmor.d/profiles-a-f/discord index 3c70844c1..74d1ce740 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/profiles-a-f/discord @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,6 +16,9 @@ include profile discord @{exec_path} { include include + include + include + include include include include 
@@ -28,23 +31,29 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, + @{bin}/lsb_release rPx -> lsb_release, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, - @{open_path} rPx -> child-open-browsers, + @{open_path} rPx -> child-open-strict, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + /etc/lsb-release r, + + owner @{user_videos_dirs}/{,**} rwl, + owner @{user_pictures_dirs}/{,**} rwl, + + owner @{config_dirs}/@{version}/modules/** m, - owner @{tmp}/net-export/ rw, - owner @{tmp}/discord.sock rw, owner "@{tmp}/Discord Crashes/" rw, - - owner @{config_dirs}/*/modules/** rm, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, + owner @{tmp}/discord.sock rw, + owner @{tmp}/net-export/ rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + include if exists } diff --git a/apparmor.d/groups/apps/discord-chrome-sandbox b/apparmor.d/profiles-a-f/discord-chrome-sandbox similarity index 98% rename from apparmor.d/groups/apps/discord-chrome-sandbox rename to apparmor.d/profiles-a-f/discord-chrome-sandbox index d30a2a57f..4cfefd651 100644 --- a/apparmor.d/groups/apps/discord-chrome-sandbox +++ b/apparmor.d/profiles-a-f/discord-chrome-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 6d836c63d..5e8a3ea0c 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,6 +27,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, @{bin}/as rix, + @{bin}/bc rix, @{bin}/gcc rix, @{bin}/getconf rix, @{bin}/kmod rCx -> kmod, 
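Review bot: The rewritten `owner @{config_dirs}/@{version}/modules/** m,` drops the `r` that the removed `rm` rule carried, so Discord's native modules can be mapped executable but not opened for read unless a wider `owner @{config_dirs}/** r` rule exists outside this hunk; if none does, restore `rm`. Separately, `owner @{user_videos_dirs}/{,**} rwl,` and `owner @{user_pictures_dirs}/{,**} rwl,` hand a chat client write and link rights over the entire Pictures and Videos trees; if the only use is saving attachments, dropping `l` and noting that in a comment would be closer to least privilege. The move from `child-open-browsers` to `child-open-strict` is a welcome tightening.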
@@ -41,7 +42,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/update-secureboot-policy rPUx, @{bin}/zstd rix, - @{lib}/gcc/@{multiarch}/@{int}*/* rix, + @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index f266791a1..00f1d8117 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dleyna-renderer-service b/apparmor.d/profiles-a-f/dleyna-renderer-service index d56098048..139dfaeaf 100644 --- a/apparmor.d/profiles-a-f/dleyna-renderer-service +++ b/apparmor.d/profiles-a-f/dleyna-renderer-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dleyna-server-service b/apparmor.d/profiles-a-f/dleyna-server-service index f41d250f6..552abeadc 100644 --- a/apparmor.d/profiles-a-f/dleyna-server-service +++ b/apparmor.d/profiles-a-f/dleyna-server-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index e17a72c84..9f78af639 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -49,7 +49,6 @@ profile dlocate @{exec_path} { / r, - profile md5sum { include @@ -59,6 +58,7 @@ profile dlocate @{exec_path} { /boot/** r, /usr/** r, + include if exists } include if exists 
diff --git a/apparmor.d/profiles-a-f/dmcrypt-get-device b/apparmor.d/profiles-a-f/dmcrypt-get-device index 2fa3fc6a9..7d5b8062a 100644 --- a/apparmor.d/profiles-a-f/dmcrypt-get-device +++ b/apparmor.d/profiles-a-f/dmcrypt-get-device @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 6dcd5cbb8..68fa13298 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,13 +18,11 @@ profile dmesg @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /usr/share/terminfo/** r, - owner @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/pid_max r, /dev/kmsg r, diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 2d904eec0..0484cf99d 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index 061bc40ac..aba455535 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup new file mode 100644 index 000000000..d532bb8cf --- /dev/null +++ b/apparmor.d/profiles-a-f/dmsetup 
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dmsetup +profile dmsetup @{exec_path} { + include + include + + capability sys_admin, + + @{exec_path} mr, + + @{PROC}/devices r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 03d47e395..08dad1bd2 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -52,8 +52,6 @@ profile dnscrypt-proxy @{exec_path} { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/core/somaxconn r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper index 05b4085b3..bb54ca251 100644 --- a/apparmor.d/profiles-a-f/downloadhelper +++ b/apparmor.d/profiles-a-f/downloadhelper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dring b/apparmor.d/profiles-a-f/dring index 8d0045030..32a914268 100644 --- a/apparmor.d/profiles-a-f/dring +++ b/apparmor.d/profiles-a-f/dring @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/profiles-a-f/dropbox similarity index 91% rename from apparmor.d/groups/apps/dropbox rename to apparmor.d/profiles-a-f/dropbox index ddb62bf60..065fe92c5 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
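Review bot: The new dmsetup profile grants `capability sys_admin`, the broadest capability available, with nothing explaining which operation needs it, and apart from the two includes the only other rule is `@{PROC}/devices r,`, so access to `/dev/mapper/control` must be coming from the included abstraction. A comment such as `# Needed for DM_* ioctls on /dev/mapper/control` above the capability line, plus an explicit `/dev/mapper/control rw,` if the abstraction does not already provide it, would make the profile self-explanatory and easier to audit.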
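Review bot: Removing `@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,` from dnscrypt-proxy only holds if the base abstraction now in use provides it: dnscrypt-proxy is a Go program and recent Go runtimes read this file at startup, so on a host whose abstractions/base lacks the rule the daemon will log a denial on every start. If the abi bump in this same change is what makes the line redundant, a note in the commit message would help; otherwise keep the rule.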
@@ -15,6 +15,9 @@ include @{exec_path} = @{bin}/dropbox profile dropbox @{exec_path} { include + include + include + include include include include @@ -35,7 +38,7 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/xdg-open rCx -> child-open, + @{open_path} rPx -> child-open-strict, @{bin}/lsb_release rPx -> lsb_release, owner @{HOME}/ r, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index e03ad1742..634aebd02 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 725f725c5..eb3d4d61a 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index 220652247..e73e3370c 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl index 42276c6c6..45ec6886c 100644 --- a/apparmor.d/profiles-a-f/dunstctl +++ b/apparmor.d/profiles-a-f/dunstctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,12 +13,13 @@ profile dunstctl @{exec_path} { @{exec_path} mr, - @{bin}/dbus-send rCx -> dbus, + @{bin}/dbus-send Cx -> bus, - profile dbus { + profile bus { include + include - @{bin}/dbus-send mr, + include if exists } include if exists 
diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index 42a8be4ad..c62e87f66 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 8ce1ed3c7..be5d26b9f 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -3,13 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 profile e2fsck @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index ccb4cc5a4..b099f1ccf 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index de648cac2..25fab12c7 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/earlyoom b/apparmor.d/profiles-a-f/earlyoom new file mode 100644 index 000000000..01484cdc6 --- /dev/null +++ b/apparmor.d/profiles-a-f/earlyoom 
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/earlyoom +profile earlyoom @{exec_path} { + include + + capability kill, + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/oom_adj r, + @{PROC}/@{pid}/oom_score r, + @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ed2k b/apparmor.d/profiles-a-f/ed2k new file mode 100644 index 000000000..f92e3b74d --- /dev/null +++ b/apparmor.d/profiles-a-f/ed2k @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ed2k +profile ed2k @{exec_path} { + include + include + + @{exec_path} mr, + + owner @{HOME}/.aMule/ED2KLinks w, + owner @{HOME}/.aMule/ED2KLinks_lock wk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode index 8925e5e2d..f15d6db6c 100644 --- a/apparmor.d/profiles-a-f/edid-decode +++ b/apparmor.d/profiles-a-f/edid-decode @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/profiles-a-f/eject index bd467c2be..84168322a 100644 --- a/apparmor.d/profiles-a-f/eject +++ b/apparmor.d/profiles-a-f/eject @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 1dd15b4b9..e4a9bef28 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop 
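Review bot: earlyoom's whole purpose is to send SIGTERM/SIGKILL to other processes, but the new profile carries only `capability kill,` and no signal rule; AppArmor mediates signals for confined profiles, so without `signal (send) set=(term, kill),` the kills will be denied and the capability alone only satisfies the ownership check. Reading other processes' `@{PROC}/@{pid}/cmdline` may also fall under ptrace-read mediation (comparable process-inspection profiles in this tree carry `ptrace (read),`), so that rule is likely needed too; check the audit log after the first OOM event. earlyoom also polls `@{PROC}/meminfo`; confirm the included abstraction provides it, otherwise add `@{PROC}/meminfo r,`.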
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/element-desktop -profile element-desktop @{exec_path} { +profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include @@ -31,7 +31,10 @@ profile element-desktop @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{open_path} rPx -> child-open-strict, + @{open_path} rPx -> child-open-strict, + + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/elinks b/apparmor.d/profiles-a-f/elinks index 1909ab896..f833c303d 100644 --- a/apparmor.d/profiles-a-f/elinks +++ b/apparmor.d/profiles-a-f/elinks @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 78fa87937..c302ff400 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -75,8 +75,7 @@ profile engrampa @{exec_path} { owner @{user_share_dirs}/ r, - /tmp/ r, - owner @{tmp}/** rw, + /tmp/ r, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 6f10293c7..023d13b47 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -73,6 +73,7 @@ profile etckeeper @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 73d73eb02..2638ad0e3 100644 --- a/apparmor.d/profiles-a-f/evince 
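Review bot: element-desktop gains `flags=(attach_disconnected)` in its profile header with no comment saying which disconnected path required it; the flag makes paths outside the current namespace match as if rooted at `/`, so it is a deliberate weakening that deserves a why-line such as `# attach_disconnected: paths seen from the Chromium sandbox namespace` (hedged — the trigger is not visible here). The stacked xdg-settings line in the second hunk does get its `#aa:stack` marker, so the two additions are documented inconsistently. The profile body continues outside both hunks.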
+++ b/apparmor.d/profiles-a-f/evince @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,11 +31,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member={Set,GetTreeFromDevice} - peer=(name=:*, label=gvfsd-metadata), + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 7a2b939a6..1597c35af 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index d4e63c924..95fdba512 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 9f03de7fc..41d2324f6 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 10edc6164..0decde05c 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
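Review bot: The explicit D-Bus rule that allowed evince only `Set`/`GetTreeFromDevice` on `org.gtk.vfs.Metadata` towards `gvfsd-metadata` is replaced by `#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"`, which presumably expands to bidirectional rules for the whole `org.gtk.vfs` name space against any gvfsd daemon. That is a noticeable widening from one interface and two members; if metadata is all that is needed, `#aa:dbus talk bus=session name=org.gtk.vfs.Metadata label=gvfsd-metadata` stays close to the old scope. If the wider scope is intentional because evince uses several gvfs backends, a comment above the directive would save the next reviewer the same question.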
@@ -46,6 +46,7 @@ profile execute-dput @{exec_path} flags=(complain) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index 23aac34d4..fecb1af22 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile exiftool @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 3dae4cae6..98364f0f1 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index 990c67b85..3e1f92742 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index af38a5fa3..b9d7652ee 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index 7d265e566..2c5e86e30 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -19,10 +19,10 @@ profile exo-open @{exec_path} { @{exec_path} mr, - @{lib}/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx, + @{lib}/@{multiarch}/xfce4/exo-@{version}/exo-helper-@{version} rPx, # It looks like gio-launch-desktop decides what app should be opened - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/f3brew b/apparmor.d/profiles-a-f/f3brew index 8572f369c..312512010 100644 --- a/apparmor.d/profiles-a-f/f3brew +++ b/apparmor.d/profiles-a-f/f3brew @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index a5d327e72..4d743fbb7 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe index c7843c91f..d935075eb 100644 --- a/apparmor.d/profiles-a-f/f3probe +++ b/apparmor.d/profiles-a-f/f3probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index a25e7e0cc..93058cfa9 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index 25282dff8..25c56778d 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 23fd61125..7fae1218c 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 2706c8e43..e858c2d8e 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index df95d83c0..c7ac0d399 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index b94e0e49c..e299a109b 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index 815e3bc76..e6a7aeebf 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk 
@@ -3,21 +3,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fdisk profile fdisk @{exec_path} { include + include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) capability sys_admin, - - # To remove the following errors: - # kernel: device-mapper: core: fdisk: sending ioctl 5331 to DM device without required privilege. capability sys_rawio, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 864becf32..6e47ec8cb 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ffmpegthumbnailer b/apparmor.d/profiles-a-f/ffmpegthumbnailer index 5c0d7e2f8..acc33199c 100644 --- a/apparmor.d/profiles-a-f/ffmpegthumbnailer +++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer @@ -2,13 +2,14 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ffmpegthumbnailer profile ffmpegthumbnailer @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 0615d1042..6d3e1972d 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe index f5448d7ef..793361489 100644 --- a/apparmor.d/profiles-a-f/ffprobe +++ b/apparmor.d/profiles-a-f/ffprobe @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
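Review bot: The removed comments were the only record of why fdisk holds `capability sys_admin,` and `capability sys_rawio,`, and the added `include` line does not carry that rationale with it. Both are broad capabilities, so keep a one-line reason above each, e.g. `# BLKRRPART ioctl: tell the kernel about created/removed partitions` and `# ioctl 5331 sent to device-mapper devices (see the kernel log message)`, as the deleted lines did.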
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e82f0d372..0c5a18e83 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -2,27 +2,28 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include + include include - include - include - include #aa:dbus own bus=session name=org.gnome.ArchiveManager1 #aa:dbus own bus=session name=org.gnome.FileRoller @{exec_path} mr, + @{open_path} rPx -> child-open-help, + + @{bin}/mv rix, + @{bin}/rm rix, + # Archivers @{bin}/7z rix, @{bin}/7zz rix, @@ -38,6 +39,11 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, + owner @{tmp}/** rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/profiles-a-f/filecap index afad4070c..6729ebb91 100644 --- a/apparmor.d/profiles-a-f/filecap +++ b/apparmor.d/profiles-a-f/filecap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fileview b/apparmor.d/profiles-a-f/fileview new file mode 100644 index 000000000..9237f2a98 --- /dev/null +++ b/apparmor.d/profiles-a-f/fileview 
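Review bot: `@{MOUNTS}/** rw,` in the second file-roller hunk is the only new data rule without `owner`, and `owner @{HOME}/** rw,` reaches every dotfile under the home directory (`.ssh`, shell start-up files, the `.config`/`.local` trees), not only archive sources and extraction targets; the gimp profile added in this same commit scopes the same need to `owner @{user_documents_dirs}/{,**} rw,` and the other `@{user_*_dirs}` tunables. Because `@{bin}/rm rix,` and `@{bin}/mv rix,` from the first hunk inherit these rules, the same write reach applies to those tools. If whole-home access is a deliberate usability choice for an archive manager, state it in the `# Full access to user's data` comment; otherwise prefer the `@{user_*_dirs}` tunables and add `owner` to the `@{MOUNTS}` rule.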
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/fileview +profile fileview @{exec_path} { + include + include + + @{exec_path} mr, + + # This program parses aMule internal data files like "server.met". + # The paths to these files are given as arguments. + # The following directories are those that users likely want to read. + # However, this program is usable without the permissions below. + owner @{HOME}/.aMule/{,**} r, + @{user_torrents_dirs}/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/profiles-a-f/filezilla similarity index 70% rename from apparmor.d/groups/apps/filezilla rename to apparmor.d/profiles-a-f/filezilla index 29654c955..be734ed50 100644 --- a/apparmor.d/groups/apps/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -3,21 +3,32 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/filezilla profile filezilla @{exec_path} { include - include - include + include + include + include + include + include include - include - include + include + include + include include - signal (send) set=(term, kill) peer=fzsftp, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + + signal send set=(term, kill) peer=fzsftp, @{exec_path} mr, 
@@ -46,15 +57,16 @@ profile filezilla @{exec_path} { owner @{user_cache_dirs}/filezilla/ rw, owner @{user_cache_dirs}/filezilla/default_*.png rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - /tmp/ r, owner @{tmp}/fz[0-9]temp-@{int}/ rw, owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk, owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index 7fb7c9e1b..bcffc5b89 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index c470d068a..a3aba8af1 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/profiles-a-f/firewall-applet new file mode 100644 index 000000000..17fca1462 --- /dev/null +++ b/apparmor.d/profiles-a-f/firewall-applet @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/firewall-applet +profile firewall-applet @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/ r, + @{bin}/python3.@{int} r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor 
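Review bot: The new firewall-applet profile is dated `Copyright (C) 2022 Alexandre Pujol` although the file is added by this commit and its sibling firewall-config, also new, says 2024; confirm the year. `@{bin}/ r,` and `@{bin}/python3.@{int} r,` carry no why-comment — presumably the interpreter lookup for a Python script, which would read better as `# python interpreter lookup — confirm` above them.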
diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/profiles-a-f/firewall-config new file mode 100644 index 000000000..760a75200 --- /dev/null +++ b/apparmor.d/profiles-a-f/firewall-config @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/firewall-config +profile firewall-config @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + + /usr/share/firewalld/__pycache__/ rw, + + /usr/share/firewalld/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index d32790f0b..142b25cde 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -44,9 +44,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /usr/local/lib/python3.@{int}/dist-packages/ r, - /usr/share/libalternatives/ r, - /usr/share/libalternatives/ebtables*/{,*} r, - /usr/share/libalternatives/ip{,4,6}tables*/{,*} r, + /usr/share/iproute2/{,**} r, + /usr/share/libalternatives/{,**} r, /etc/firewalld/{,**} rw, /etc/iproute2/group r, diff --git a/apparmor.d/profiles-a-f/flameshot b/apparmor.d/profiles-a-f/flameshot index 877e42912..f0d042ba8 100644 --- a/apparmor.d/profiles-a-f/flameshot +++ b/apparmor.d/profiles-a-f/flameshot @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 8722612d1..96d78b800 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak 
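Review bot: `/usr/share/firewalld/__pycache__/ rw,` is the only write grant in the new firewall-config profile and it targets a system directory; for a GUI run as an unprivileged user the write fails on DAC anyway, so the rule presumably exists to silence a denial rather than to be used. If so, `deny /usr/share/firewalld/__pycache__/ w,` (the form this commit uses for `gvfs-metadata` in flatpak) expresses that without granting it; if firewall-config is expected to run as root, a why-comment above the line saying so would settle it.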
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include - # userns, + userns, capability dac_override, capability dac_read_search, @@ -35,6 +35,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain ptrace (read) peer=flatpak-app, + signal send peer=flatpak-app, + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, @@ -60,6 +62,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{user_documents_dirs}/ rw, + owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, @@ -93,7 +97,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, profile gpg { include diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 83be5477c..d91b9ac53 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -18,7 +18,7 @@ # This this only defence in depth. # 3. The main purpose of this profile is to ensure all processes are confined. -abi , +abi , include @@ -44,8 +44,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { ptrace (read), ptrace trace peer=flatpak-app, - signal (receive) set=(int term) peer=flatpak-portal, - signal (receive) set=(int) peer=flatpak-session-helper, + signal receive peer=flatpak, + signal receive set=(int term) peer=flatpak-portal, + signal receive set=(int) peer=flatpak-session-helper, @{bin}/** rmix, @{lib}/** rmix, 
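Review bot: `userns,` (uncommented in the `@@ -18` flatpak hunk) lets the confined flatpak process create unprivileged user namespaces, which is exactly what AppArmor's userns mediation withholds by default; since the sandbox is set up through `@{bin}/bwrap rPx -> flatpak-app,`, confirm the namespace is created by flatpak itself rather than after the transition, and add a why-comment such as `# flatpak creates the user namespace itself — confirm`. The profile still carries `complain` in its flags, so the rule is recorded but not enforced, which is worth stating next to it. In the `@@ -35` hunk, `signal send peer=flatpak-app,` has no `set=`, unlike the other signal rules this commit touches (e.g. `signal send set=(int) peer=flatpak-app,` in flatpak-session-helper), and the matching `signal receive peer=flatpak,` added to flatpak-app in the `@@ -44` hunk is equally open; if the signals flatpak sends are known, restrict both sides to that set.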
@@ -56,6 +57,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, + @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, @{run}/parent/app/** rmix, @@ -89,8 +91,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/flatpak/app/** rw, owner @{run}/flatpak/doc/** rw, owner @{run}/ld-so-cache-dir/* rw, - owner @{run}/user/@{uid}/*.kioworker.socket r, - owner @{run}/user/@{uid}/#@{int} rwl, + owner @{run}/user/ r, include if exists include if exists diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator index 9b379b55d..be6c7b320 100644 --- a/apparmor.d/profiles-a-f/flatpak-oci-authenticator +++ b/apparmor.d/profiles-a-f/flatpak-oci-authenticator @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index 570a3ea8c..8a8d2b901 100644 --- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,8 +31,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, - / r, - /.flatpak-info r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index d27d0c24a..7144a237a 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
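Review bot: `@{run}/flatpak/app/*/**so* rm,` matches any path whose last component contains `so` (for example `resources`, `*.json`), not only shared objects, and grants `m` on all of them; if the intent is mmap of bundled libraries, `@{run}/flatpak/app/*/**.so* rm,` keeps the mapping permission to loadable objects. A why-comment would also help, since the existing `owner @{run}/flatpak/app/** rw,` further down already covers read.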
@@ -10,14 +10,14 @@ include profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { include include + include include include include - include - signal (send) set=(hup int) peer=user_unconfined, - signal (send) set=(int) peer=@{p_systemd}, - signal (send) set=(int) peer=flatpak-app, + signal send set=(hup int) peer=user_unconfined, + signal send set=(int) peer=@{p_systemd}, + signal send set=(int) peer=flatpak-app, #aa:dbus own bus=session name=org.freedesktop.Flatpak @@ -27,16 +27,20 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{bin}/dbus-monitor rPUx, @{bin}/env rix, @{bin}/flatpak rPx, - @{bin}/test rix, @{bin}/getent rix, @{bin}/p11-kit rix, - @{bin}/pkexec rPx, # TODO: too wide, rCx. + @{bin}/pkexec rCx -> pkexec, + @{bin}/printenv rix, @{bin}/ps rPx, + @{bin}/test rix, + @{bin}/touch rix, @{lib}/p11-kit/p11-kit-remote rix, @{lib}/p11-kit/p11-kit-server rix, /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, /var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app, + owner @{user_config_dirs}/mimeapps.list w, + owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, @@ -44,6 +48,13 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index a2141b111..2268de064 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/profiles-a-f/flatpak-validate-icon index 7669bb1e6..41701a5ff 100644 --- a/apparmor.d/profiles-a-f/flatpak-validate-icon 
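Review bot: `owner @{user_config_dirs}/mimeapps.list w,` lets the session helper rewrite the user's default-application associations, which is a stronger grant than anything else in this hunk; add a why-comment (presumably a set-default-application path — confirm against the denial that motivated it). In the last hunk, the new `pkexec` child that replaces the `rPx` marked "too wide" holds only two `include` lines and no `flags=(attach_disconnected)`, unlike its parent and unlike the `pkexec` child of gamemoded added in this same commit; confirm the included abstractions cover pkexec's own needs (`@{bin}/pkexec mr,` and its capability and `/etc/shells r,` rules as in gamemoded), otherwise the `@{bin}/pkexec rCx -> pkexec,` transition will be denied in enforce mode.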
+++ b/apparmor.d/profiles-a-f/flatpak-validate-icon @@ -2,7 +2,7 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 8498285d1..422652084 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,11 +24,15 @@ profile foliate @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=com.github.johnfactotum.Foliate + @{exec_path} mr, @{bin}/bwrap rix, @{bin}/gjs-console rix, @{bin}/xdg-dbus-proxy rix, + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -36,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { /usr/share/com.github.johnfactotum.Foliate/{,**} r, owner /bindfile@{rand6} rw, - owner /.flatpak-info r, + owner @{att}/.flatpak-info r, owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, @@ -62,7 +66,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 6d7096ad7..81c53aafd 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fping b/apparmor.d/profiles-a-f/fping index 5d30e4522..ee6213cb5 100644 --- a/apparmor.d/profiles-a-f/fping 
+++ b/apparmor.d/profiles-a-f/fping @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index d856867a3..b3034dfef 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,8 +27,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /var/lib/fprint/{,**} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/journal/socket rw, - @{run}/systemd/inhibit/*.ref w, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c7df958f7..637cc0970 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,21 +23,17 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ r, diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 0499beb0a..7af1ef8c9 100644 --- a/apparmor.d/profiles-a-f/freefall 
+++ b/apparmor.d/profiles-a-f/freefall @@ -2,7 +2,7 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/profiles-a-f/freetube similarity index 62% rename from apparmor.d/groups/apps/freetube rename to apparmor.d/profiles-a-f/freetube index d59762cfd..333c9f368 100644 --- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -3,22 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = {F,f}reetube{,-vue} +@{name} = {F,f}ree{T,t}ube{,-vue} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{lib_dirs}/@{name} -profile freetube @{exec_path} { +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} +profile freetube @{exec_path} flags=(attach_disconnected) { include include + include + include + include include include - include include network inet dgram, @@ -27,17 +29,14 @@ profile freetube @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2 + @{exec_path} mrix, @{open_path} rPx -> child-open-strict, - /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{run}/user/@{uid}/ r, - - owner /dev/tty@{int} rw, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> freetube//&xdg-settings, include if exists } diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 3e3dde2e9..18b990bbc 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index eb90c18d6..ac8a6a5a8 100644 --- a/apparmor.d/profiles-a-f/frontend 
+++ b/apparmor.d/profiles-a-f/frontend @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -121,6 +121,7 @@ profile frontend @{exec_path} flags=(complain) { /tmp/ r, owner @{tmp}/** rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index d04b32e96..5d0588026 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/profiles-a-f/fsck.btrfs index 470b5a3d3..f8ac9419d 100644 --- a/apparmor.d/profiles-a-f/fsck.btrfs +++ b/apparmor.d/profiles-a-f/fsck.btrfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/profiles-a-f/fsck.fat index c188574ee..fd944532f 100644 --- a/apparmor.d/profiles-a-f/fsck.fat +++ b/apparmor.d/profiles-a-f/fsck.fat @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/profiles-a-f/fstrim new file mode 100644 index 000000000..a55337659 --- /dev/null +++ b/apparmor.d/profiles-a-f/fstrim @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/fstrim +profile fstrim @{exec_path} { + include + include + + capability dac_override, + capability sys_admin, + + @{exec_path} mr, + + /etc/fstab r, + + @{HOMEDIRS}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + / r, + /boot/ r, + /boot/efi/ r, + /var/ r, + + include if exists +} + +# vim:syntax=apparmor 
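Review bot: `capability dac_override,` and `capability sys_admin,` in the new fstrim profile carry no why-comment, while this same commit deletes exactly such comments from fdisk. `sys_admin` is what the FITRIM ioctl requires, so `# FITRIM ioctl requires CAP_SYS_ADMIN` above it is grounded; `dac_override` is presumably for opening mount points whose DAC mode excludes root's search permission — mark it `# TODO confirm with the denial`. The mount-point list (`@{HOMEDIRS}/`, `@{MOUNTDIRS}/`, `@{MOUNTS}/`, `/boot/efi/`, `/var/`) is hard-coded, so `fstrim -a` on a layout with other mount points will produce new denials; a comment saying the list is deliberate would save the next maintainer a guess.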
diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 643371c60..da61184a3 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index e4d6cfd99..ed2bcc936 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -58,6 +58,7 @@ profile fuseiso @{exec_path} { /dev/fuse rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 4695c2d3b..2bad1d773 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 474ab630b..b6ef68b0a 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,fwupd/}fwupd -profile fwupd @{exec_path} flags=(complain,attach_disconnected) { +profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include @@ -31,6 +31,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { capability sys_rawio, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ 
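Review bot: The four new `network inet dgram,`/`network inet stream,`/`network inet6 dgram,`/`network inet6 stream,` rules give the fwupd daemon general outbound network access with no comment on what needs it (presumably metadata and firmware downloads done by the daemon itself rather than by fwupdmgr — confirm); add `# LVFS metadata/firmware downloads — confirm` above them. The profile keeps `complain` in its flags, so these rules are logged rather than enforced for now, which is worth noting beside the `flags=` line.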
@@ -54,6 +58,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, + /usr/share/hwdata/*.ids r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, @@ -83,22 +88,28 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{sys}/**/ r, @{sys}/devices/** r, + @{sys}/bus/hid/drivers/*/uevent r, + @{sys}/bus/usb/drivers/usbhid/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, - @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/kernel/security/lockdown r, - @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, + @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, + @{sys}/module/*/uevent r, + @{sys}/module/uhid/uevent r, + @{sys}/module/usbhid/uevent r, @{sys}/power/mem_sleep r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/motd.d/ r, @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/data/* r, @{PROC}/@{pids}/fd/ r, @@ -126,7 +137,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /dev/tpmrm@{int} rw, /dev/wmi/* r, - profile gpg flags=(complain) { + profile gpg flags=(attach_disconnected,complain) { include include diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6064c0ff1..4d53fdf57 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
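Review bot: `@{sys}/module/*/uevent r,` already matches `@{sys}/module/uhid/uevent` and `@{sys}/module/usbhid/uevent`, so the two lines that follow it are redundant; keep the wildcard alone or, if the intent was to allow only those two modules, drop the wildcard. The `@{sys}/bus/hid/drivers/*/uevent r,` and `@{sys}/bus/usb/drivers/usbhid/uevent r,` pair is fine as written since the paths differ.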
@@ -3,22 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fwupdmgr -profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { +profile fwupdmgr @{exec_path} flags=(attach_disconnected) { include include include include + include include include capability sys_nice, - signal (send), + signal send, network inet stream, network inet6 stream, @@ -30,19 +31,16 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/pkttyagent rPx, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{bin}/dbus-launch Cx -> bus, + @{bin}/pkttyagent Px, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{user_cache_dirs}/ rw, @{user_cache_dirs}/dconf/user rw, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, @@ -52,16 +50,12 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { /dev/i2c-@{int} rw, /dev/tty rw, + /dev/pts/@{int} rw, - profile dbus { + profile bus flags=(attach_disconnected) { include - include - - @{bin}/dbus-launch mr, - - owner @{HOME}/.Xauthority r, - - include if exists + include + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 5888743ef..1de493892 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
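Review bot: With `complain` removed from fwupdmgr's flags in the first hunk, the profile is now enforced, yet the `bus` child that replaces `dbus` in the last hunk drops `@{bin}/dbus-launch mr,` and `owner @{HOME}/.Xauthority r,` and keeps only includes; unless one of those includes provides the mapping rule for dbus-launch, the `@{bin}/dbus-launch Cx -> bus,` transition will fail at exec. Confirm with an enforce-mode run and, if needed, restore `@{bin}/dbus-launch mr,` inside the child. `/dev/pts/@{int} rw,` is also added without `owner`; `owner /dev/pts/@{int} rw,` unless a denial shows otherwise.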
@@ -100,15 +100,16 @@ profile gajim @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{lib}/gcc/@{multiarch}/@{int}/collect2 rix, - owner @{tmp}/cc* rw, - owner @{tmp}/tmp* rw, + /etc/debian_version r, /media/ccache/*/** rw, + owner @{tmp}/cc* rw, + owner @{tmp}/tmp* rw, + owner @{run}/user/@{uid}/ccache-tmp/ rw, - /etc/debian_version r, - + include if exists } profile gpg { @@ -121,8 +122,8 @@ profile gajim @{exec_path} { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -134,6 +135,7 @@ profile gajim @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded new file mode 100644 index 000000000..8f5067b77 --- /dev/null +++ b/apparmor.d/profiles-g-l/gamemoded 
@@ -0,0 +1,81 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gamemoded
+profile gamemoded @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{bin}/pkexec Cx -> pkexec,
+ @{lib}/gamemode/gpuclockctl Cx -> pkexec,
+
+ /etc/gamemode.ini r,
+
+ owner @{user_config_dirs}/ r,
+
+ @{sys}/devices/@{pci}/vendor r,
+ @{sys}/devices/@{pci}/power_dpm_force_performance_level r,
+ @{sys}/devices/system/cpu/{,**} r,
+ @{sys}/devices/virtual/powercap/{,**} r,
+
+ @{PROC}/sys/kernel/split_lock_mitigate r,
+ owner @{PROC}/@{pid}/ r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/environ r,
+ owner @{PROC}/@{pid}/fdinfo/ r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
+ owner @{PROC}/@{pid}/task/ r,
+
+ profile pkexec flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability audit_write,
+ capability mknod,
+ capability setgid,
+ capability sys_ptrace,
+
+ ptrace read peer=gamemoded,
+
+ network netlink raw,
+
+ @{bin}/pkexec mr,
+
+ @{lib}/gamemode/{,**} r,
+ @{lib}/gamemode/cpugovctl ix,
+ @{lib}/gamemode/gpuclockctl ix,
+ @{lib}/gamemode/procsysctl ix,
+
+ /etc/security/limits.d/ r,
+ /etc/security/limits.d/@{int}-gamemode.conf r,
+ /etc/shells r,
+
+ @{sys}/devices/@{pci}/power_dpm_force_performance_level rw,
+ @{sys}/devices/@{pci}/vendor r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/cpu@{int}/cpufreq r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
+
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/@{pid}/loginuid r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/split_lock_mitigate rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote
index 7db7a5cb8..e9f4d4e30 100644
--- a/apparmor.d/profiles-g-l/ganyremote
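Review bot: The `pkexec` child in the new gamemoded profile is entered both through `@{bin}/pkexec Cx -> pkexec,` and directly through `@{lib}/gamemode/gpuclockctl Cx -> pkexec,`, so the helper runs with the polkit-side rules (`capability audit_write,`, `capability setgid,`, `/etc/shells r,`, `@{PROC}/@{pid}/loginuid r,`) even when pkexec is not involved; a comment explaining the shared child, or a separate child for the direct path, would make the intended privilege boundary explicit. The parent's `capability sys_ptrace,` and unrestricted `ptrace read,` also lack a why-comment (presumably for reading client processes under `@{PROC}/@{pid}/`, though those lines are `owner`-only — confirm). Each of the `rw` sysfs lines in the child (`scaling_governor`, `power_dpm_force_performance_level`, `split_lock_mitigate`) is a system-wide tunable written as root and deserves a one-line reason.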
+++ b/apparmor.d/profiles-g-l/ganyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gconfd b/apparmor.d/profiles-g-l/gconfd index 5dffe8a0c..7ceee1022 100644 --- a/apparmor.d/profiles-g-l/gconfd +++ b/apparmor.d/profiles-g-l/gconfd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 8c3662ba1..1357b03b6 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index a01425bb9..b64c34a4b 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index 8fdffbf87..df6613042 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp new file mode 100644 index 000000000..a9be29bec --- /dev/null +++ b/apparmor.d/profiles-g-l/gimp 
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gimp{,-*}
+profile gimp @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (send) set=(term, kill) peer=xsane-gimp,
+
+ #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell
+ #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+
+ @{exec_path} mr,
+
+ @{lib}/gimp/*/plug-ins/** rix,
+
+ @{bin}/xsane-gimp rPx,
+ @{open_path} rPx -> child-open-help,
+
+ /usr/share/gimp/{,**} r,
+ /usr/share/mypaint-data/{,**} r,
+ /usr/share/xml/iso-codes/{,**} r,
+
+ /etc/gimp/{,**} r,
+
+ owner @{user_documents_dirs}/{,**} rw,
+ owner @{user_pictures_dirs}/{,**} rw,
+ owner @{user_work_dirs}/{,**} rw,
+
+ owner @{user_cache_dirs}/babl/{,**} rw,
+ owner @{user_cache_dirs}/gegl-*/{,**} r,
+ owner @{user_cache_dirs}/gegl-*/{,**} r,
+ owner @{user_cache_dirs}/gimp/{,**} rw,
+ owner @{user_cache_dirs}/GIMP/{,**} rw,
+
+ owner @{user_config_dirs}/gimp/{,**} rw,
+ owner @{user_config_dirs}/GIMP/{,**} rw,
+
+ owner @{user_share_dirs}/gegl-*/{,**} r,
+ owner @{user_share_dirs}/GIMP/{,**} rw,
+
+ owner @{tmp}/gimp/{,**} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules
index 3520ec06e..494fef0ab 100644
--- a/apparmor.d/profiles-g-l/gio-querymodules
+++ b/apparmor.d/profiles-g-l/gio-querymodules
@@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gio-querymodules profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index ba37f7bcc..71bace3c3 100644
--- a/apparmor.d/profiles-g-l/git
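Review bot: The rule `owner @{user_cache_dirs}/gegl-*/{,**} r,` appears twice in the new gimp profile; one copy should be dropped. `@{lib}/gimp/*/plug-ins/** rix` runs every plug-in inherited, so a plug-in receives the profile's full read-write access to the documents, pictures and work directories; that is probably unavoidable given GIMP's plug-in model, but a one-line comment such as `# plug-ins inherit the full profile (no separate confinement)` would make the choice explicit for the next reviewer.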
+++ b/apparmor.d/profiles-g-l/git @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -43,6 +43,7 @@ profile git @{exec_path} flags=(attach_disconnected) { # These are needed for "git submodule update" @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/alts rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/date rix, @@ -61,23 +62,20 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/wc rix, @{bin}/whoami rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/man rPx, @{bin}/meld rPUx, - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - /usr/share/aurpublish/*.hook rPx, + @{lib}/code/extensions/git/dist/askpass.sh rPx, + @{lib}/code/extensions/git/dist/git-editor.sh rPx, + /usr/share/aurpublish/*.hook rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/ssh rCx -> ssh, - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - + @{editor_path} rCx -> editor, + /usr/share/git{,-core}/{,**} r, + /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, /etc/gitconfig r, 
@@ -90,25 +88,20 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, - owner @{tmp}/** rwkl -> /tmp/**, - owner @{tmp}/**/bin/* rCx -> exec, - owner @{HOME}/.gitconfig* rw, owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, - owner @{tmp}/git-difftool.*/ rw, # For diffs - owner @{tmp}/git-difftool.*/right/{,**} rw, - owner @{tmp}/git-difftool.*/left/{,**} rw, - owner @{tmp}/* rw, - owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator - owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio + owner @{tmp}/git-difftool.*/{,**} rw, # For diffs - deny @{user_share_dirs}/gvfs-metadata/* r, - deny /dev/shm/.org.chromium.Chromium* rw, deny owner @{code_config_dirs}/** rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/vulkan/** r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, + deny /usr/share/nvidia/nvidia-application-profiles-* r, + deny /dev/shm/.org.chromium.Chromium.@{rand6} rw, profile gpg flags=(attach_disconnected) { include @@ -129,6 +122,7 @@ profile git @{exec_path} flags=(attach_disconnected) { profile ssh flags=(attach_disconnected) { include + include include network inet dgram, 
@@ -139,14 +133,15 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, - /etc/ssh/ssh_config.d/{,*} r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, + @{etc_ro}/ssh/ssh_config r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, - owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, + owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, owner @{PROC}/@{pid}/fd/ r,
@@ -167,11 +162,11 @@ profile git @{exec_path} flags=(attach_disconnected) { profile editor flags=(attach_disconnected) { include include - + owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/@{int} rw, owner @{user_projects_dirs}/**/.git/*MSG rw, - + # The git repository files owner @{user_build_dirs}/ r, owner @{user_build_dirs}/** rw,
diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg
new file mode 100644
index 000000000..ff5e12444
--- /dev/null
+++ b/apparmor.d/profiles-g-l/gitg
@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gitg
+profile gitg @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/gitg/{,**} r,
+
+ owner @{user_projects_dirs}/ rw,
+ owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
+ owner @{user_projects_dirs}/**/.git/hooks/* rix,
+
+ owner @{user_config_dirs}/git/{,*} rw,
+
+ owner @{user_share_dirs}/gitg/{,**} rw,
+
+ @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
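Review bot: `owner @{user_projects_dirs}/**/.git/hooks/* rix` executes repository hooks inherited, so a hook receives gitg's network access and read-write reach over every project directory; a comment stating that this is intended would help, e.g. `# hooks run inherited: they get the full gitg profile`. A hook written as a script also needs its interpreter to be executable under this profile, and none of the visible rules grants that — unless one of the included abstractions (whose targets are not visible in this extract) provides `@{sh_path} rix`, script hooks will fail with an exec denial.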
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index da5566f9f..e5cbf1959 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,7 @@ profile gitstatusd @{exec_path} { deny capability dac_read_search, deny capability dac_override, deny owner @{HOME}/.*-store/{,**} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-g-l/glib-compile-resources b/apparmor.d/profiles-g-l/glib-compile-resources index 45e787840..f52aa33d7 100644 --- a/apparmor.d/profiles-g-l/glib-compile-resources +++ b/apparmor.d/profiles-g-l/glib-compile-resources @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 5463405f9..fcabd84c3 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner index e3dfec88c..bf7c7c53a 100644 --- a/apparmor.d/profiles-g-l/glib-pacrunner +++ b/apparmor.d/profiles-g-l/glib-pacrunner @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 566f58ee3..7f349b650 100644 --- a/apparmor.d/profiles-g-l/globaltime +++ b/apparmor.d/profiles-g-l/globaltime @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 9ad458720..1e27790df 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index 7defbaf80..eea7b6050 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 9ed18534e..8a9c42443 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index f225b5c06..dd7d3bff3 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index b60e386bb..6cc77b9bc 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -94,7 +94,7 @@ profile gpartedbin @{exec_path} { @{bin}/mount mr, - include if exists + include if exists } profile umount { diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd index 11c1e9767..8afdff8db 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-g-l/gping b/apparmor.d/profiles-g-l/gping index 956a1781f..34a9401a4 100644 --- a/apparmor.d/profiles-g-l/gping +++ b/apparmor.d/profiles-g-l/gping @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 97c89a433..4088f51fb 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,9 +27,7 @@ profile gpo @{exec_path} { @{bin}/ r, @{sh_path} rix, @{bin}/uname rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/inputrc r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 10b8492e9..ec1adabe4 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index f8e2c73f4..11896a26c 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 4444662fc..8cc49acdf 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index 4c6e80c59..9450974a1 100644 --- a/apparmor.d/profiles-g-l/groupadd 
+++ b/apparmor.d/profiles-g-l/groupadd @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel index a28fb72f7..99b7fddaa 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/profiles-g-l/groupdel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod index a37273af6..4b9b0446a 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index 4c0f07d87..916a73b22 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck index 3e42f90c7..5fad8960c 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index cd7ce37ce..4ac891769 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal index ba7ba4da4..b0b743359 100644 --- a/apparmor.d/profiles-g-l/gsimplecal +++ b/apparmor.d/profiles-g-l/gsimplecal 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index f6f6b300f..5d04e33fb 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -3,50 +3,38 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gsmartcontrol profile gsmartcontrol @{exec_path} { include - include - include - include - include + include include capability dac_read_search, - - # Needed? - deny capability sys_nice, + capability sys_nice, @{exec_path} mr, - @{bin}/smartctl rPx, - @{bin}/xterm rCx -> terminal, + @{bin}/dbus-launch Cx -> bus, + @{bin}/dbus-send Cx -> bus, + @{bin}/smartctl Px, + @{bin}/xterm Cx -> terminal, - # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Gsmartcontrol works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + /etc/fstab r, - owner @{user_config_dirs}/gsmartcontrol/ rw, - owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw, - - # As it's started as root - @{HOME}/.Xauthority r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, # For saving SMART raport owner /root/ r, owner /root/**.txt w, + owner @{user_config_dirs}/gsmartcontrol/ rw, + owner @{user_config_dirs}/gsmartcontrol/** rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, 
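Review bot: `capability sys_nice,` replaces a `deny capability sys_nice,` that was annotated `# Needed?`; the new line grants it silently and should carry a comment naming what gsmartcontrol does with it or the denial that was observed, e.g. `# sys_nice: <observed denial> — TODO confirm`. The hunk also removes the comment explaining why dbus-launch and dbus-send were denied (they run as root when gsmartcontrol does); the new `Cx -> bus` transitions are reasonable, but that reasoning should survive as a short note on those lines.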
@@ -55,57 +43,37 @@ profile gsmartcontrol @{exec_path} { owner @{PROC}/scsi/scsi r, owner @{PROC}/scsi/sg/devices r, - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # hence this behavior should be blocked. - deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, + deny @{open_path} rx, - - profile dbus { + profile bus flags=(complain) { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } profile terminal { include include + include include - include + include - capability setuid, - capability setgid, capability fsetid, + capability setgid, + capability setuid, @{bin}/xterm mr, - - /usr/sbin/update-smart-drivedb rPx, - - owner @{HOME}/.Xauthority r, - - /etc/shells r, - - /etc/X11/app-defaults/XTerm-color r, - /etc/X11/app-defaults/XTerm r, - /etc/X11/cursors/*.theme r, + @{bin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, /dev/ptmx rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 01b7d22e1..10c1f445b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,14 @@ profile gsmartcontrol-root @{exec_path} { @{bin}/which{,.debianutils} rix, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, + + profile pkexec { + include + include + + include if exists + } include if exists } 
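Review bot: `profile bus flags=(complain)` ships a subprofile in complain mode, so the dbus-launch and dbus-send transitions introduced in the previous hunk are logged rather than enforced — and, per the surrounding comment, these processes run as root. If the flag is a development aid it should be marked for removal, e.g. `profile bus flags=(complain) {  # TODO: drop complain once the rules are confirmed`; otherwise drop the flag now, since the subprofile body only contains includes.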
diff --git a/apparmor.d/profiles-g-l/gssproxy b/apparmor.d/profiles-g-l/gssproxy index 6a16d1dc7..8fa3da0d7 100644 --- a/apparmor.d/profiles-g-l/gssproxy +++ b/apparmor.d/profiles-g-l/gssproxy @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index e67def6d2..46aece91a 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 profile gtk-query-immodules @{exec_path} { include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index a91dc3069..b1a6779ae 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 96b114461..029e542ee 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -40,8 +40,7 @@ profile gtk-youtube-viewer @{exec_path} { @{lib}/firefox/firefox rPx, - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, owner @{user_config_dirs}/youtube-viewer/{,*} rw, 
@@ -91,30 +90,7 @@ profile gtk-youtube-viewer @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 9cadb774a..f91887297 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,9 +12,7 @@ profile hardinfo @{exec_path} { include include include - include - include - include + include include include include @@ -49,7 +47,7 @@ profile hardinfo @{exec_path} { @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, @@ -62,8 +60,22 @@ profile hardinfo @{exec_path} { @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + /usr/share/gdb/python/ r, + /usr/share/gdb/python/** r, /usr/share/hardinfo/{,**} r, + /etc/fstab r, + /etc/exports r, + /etc/samba/smb.conf r, + + /etc/gdb/gdbinit.d/ r, + + /var/log/wtmp r, + + owner @{HOME}/.hardinfo/ rw, + + owner @{tmp}/#@{int} rw, + @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/bus/i2c/drivers/eeprom/ r, 
@@ -78,48 +90,27 @@ profile hardinfo @{exec_path} { @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, - @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/asound/cards r, + @{PROC}/bus/input/devices r, + @{PROC}/dma r, + @{PROC}/iomem r, + @{PROC}/ioports r, + @{PROC}/loadavg r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pids}/loginuid r, - @{PROC}/uptime r, - @{PROC}/loadavg r, - @{PROC}/ioports r, - @{PROC}/iomem r, - @{PROC}/dma r, - @{PROC}/asound/cards r, - @{PROC}/scsi/scsi r, - @{PROC}/bus/input/devices r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/@{pids}/net/route r, - /etc/fstab r, - /etc/exports r, - /etc/samba/smb.conf r, - - /etc/gdb/gdbinit.d/ r, - - /usr/share/gdb/python/ r, - /usr/share/gdb/python/** r, - - /var/log/wtmp r, - - owner @{HOME}/.hardinfo/ rw, - - owner @{tmp}/#@{int} rw, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # Silencer - deny /usr/share/gdb/python/** w, - - # file_inherit owner /dev/tty@{int} rw, + deny /usr/share/gdb/python/** w, profile ccache { include @@ -134,6 +125,7 @@ profile hardinfo @{exec_path} { /etc/debian_version r, + include if exists } profile javac { @@ -157,29 +149,7 @@ profile hardinfo @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } profile kmod { 
diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index ff3870880..910e9a2f0 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -3,9 +3,9 @@ # Copyright (C) 2011-2014 Jérémy Bobbio ; # Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/ # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index 78c15672b..09b71b77f 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbr +@{exec_path} = @{bin}/hbbr profile hbbr @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index 69ac0cc8c..4e7532724 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbs +@{exec_path} = @{bin}/hbbs profile hbbs @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hciconfig b/apparmor.d/profiles-g-l/hciconfig index eb0319c5f..1bf4c02f8 100644 --- a/apparmor.d/profiles-g-l/hciconfig +++ b/apparmor.d/profiles-g-l/hciconfig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e0be907a6..e96a45237 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
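Review bot: The SPDX header changes from `GPL-3.0-only` to `GPL-2.0-only` while the file still credits Jérémy Bobbio and krathalan as copyright holders; relicensing their contribution needs their agreement or a record that the original profiles were already available under GPL-2.0-only. If that consent exists, a commit trailer or a short comment next to the SPDX line pointing to it would settle the question; otherwise the previous identifier should stay.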
diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm
index f29bc1c20..606540bb9 100644
--- a/apparmor.d/profiles-g-l/hdparm
+++ b/apparmor.d/profiles-g-l/hdparm
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include
diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat
index aaa550dfc..064e850c2 100644
--- a/apparmor.d/profiles-g-l/hexchat
+++ b/apparmor.d/profiles-g-l/hexchat
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include
diff --git a/apparmor.d/profiles-g-l/highlight b/apparmor.d/profiles-g-l/highlight
index fb90c4475..bd375b520 100644
--- a/apparmor.d/profiles-g-l/highlight
+++ b/apparmor.d/profiles-g-l/highlight
@@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include
diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank
new file mode 100644
index 000000000..cb459919f
--- /dev/null
+++ b/apparmor.d/profiles-g-l/homebank
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/homebank
+profile homebank @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/homebank/{,**} r,
+
+ owner @{user_config_dirs}/homebank/{,**} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host
index 5894c85a0..cb9f8d2d9 100644
--- a/apparmor.d/profiles-g-l/host
+++ b/apparmor.d/profiles-g-l/host
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname
index efda5b4a8..326d156ef 100644
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index d06991025..08b58ebd2 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -89,7 +89,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-g-l/hugeadm b/apparmor.d/profiles-g-l/hugeadm index 731483cf6..95bc7037b 100644 --- a/apparmor.d/profiles-g-l/hugeadm +++ b/apparmor.d/profiles-g-l/hugeadm @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fcb585020..6bb737ca0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -40,8 +40,6 @@ profile hugo @{exec_path} { owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, include if exists diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 7c6b87b6c..7c960482a 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index f7953e346..e7bf2937c 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 3a9a6131d..be18726a0 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,8 +37,7 @@ profile hypnotix @{exec_path} { @{bin}/ldconfig rix, @{bin}/mkdir rix, - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver rPx, @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, @{lib}/firefox/firefox rPx, @@ -63,29 +62,6 @@ profile hypnotix @{exec_path} { # Silencer deny @{lib}/hypnotix/** w, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - } - include if exists } diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index f045b489d..5ce4da0bb 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock index d2fbdff2c..ea72704c1 100644 --- a/apparmor.d/profiles-g-l/i3lock +++ b/apparmor.d/profiles-g-l/i3lock @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
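Review bot: `@{bin}/xdg-screensaver rPx,` has no unconfined fallback, so the exec is denied unless an `xdg-screensaver` profile is loaded; the removed `xdg-screensaver` subprofile handled this locally. Please confirm that standalone profile exists in the set and covers what the deleted subprofile provided — in particular the `# file_inherit` rules for `/dev/dri/card@{int}` and the inet/inet6 stream networking — since those denials would otherwise move to the new profile and only show up at runtime.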
diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index fce4ff7d4..78c5081d6 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -67,6 +67,7 @@ profile i3lock-fancy @{exec_path} { # file_inherit owner /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index 66111ff55..b3dbef04f 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id index 6ba6001b6..933e5d712 100644 --- a/apparmor.d/profiles-g-l/id +++ b/apparmor.d/profiles-g-l/id @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 8dd7eaac0..5bebad691 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 4788daeb6..aac25b811 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -85,13 +85,14 @@ profile ifup @{exec_path} { /etc/network/if-up.d/ r, /etc/network/if-up.d/*resolvconf rPUx, - /etc/network/if-up.d/resolved rPUx, + /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/wpasupplicant rPUx, + include if exists } profile kmod { diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 5520e990c..c5c4aa276 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/img2txt b/apparmor.d/profiles-g-l/img2txt index 41d77339b..5529ded9b 100644 --- a/apparmor.d/profiles-g-l/img2txt +++ b/apparmor.d/profiles-g-l/img2txt @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/imv-wayland b/apparmor.d/profiles-g-l/imv similarity index 91% rename from apparmor.d/profiles-g-l/imv-wayland rename to apparmor.d/profiles-g-l/imv index 72eaecc9c..f75e4c957 100644 --- a/apparmor.d/profiles-g-l/imv-wayland +++ b/apparmor.d/profiles-g-l/imv @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile imv @{exec_path} { owner @{run}/user/@{uid}/imv-*.sock w, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index f17356fcc..272679ede 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index d36584ec9..1b27d1a4e 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -48,6 +48,7 @@ profile initd-kexec-load @{exec_path} { /etc/default/kexec.d/ r, + include if exists } profile systemctl { @@ -74,6 +75,7 @@ profile initd-kexec-load @{exec_path} { owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/* rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod index f8f975211..a73ddb8bf 100644 --- a/apparmor.d/profiles-g-l/initd-kmod +++ b/apparmor.d/profiles-g-l/initd-kmod @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index 370cbf154..b1a56c41d 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index 54e40386f..f155339b1 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index ddbf2e31c..8ea351857 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 0dbe03687..97bd3bfed 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 497e5cb1c..1ff3615f1 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index be2738443..c53b4656d 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 7fee79abc..1c870d94e 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index dd750b8c9..ff7f1c799 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 2226e6dd2..fec2d7c93 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index 00600b72b..6c6d61c44 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
@@ -13,15 +13,20 @@ profile issue-generator @{exec_path} {
@{exec_path} mr,
+ @{sh_path} r,
@{bin}/basename rix,
@{bin}/cat rix,
+ @{bin}/chmod rix,
@{bin}/cmp rix,
@{bin}/mktemp rix,
+ @{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sort rix,
/etc/issue.d/{,**} r,
+ /etc/sysconfig/issue-generator r,
+ @{run}/agetty.reload w,
@{run}/issue r,
@{run}/issue.@{rand10} rw,
@{run}/issue.d/{,**} r,
diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw
index 3b62c32ba..8639b8aad 100644
--- a/apparmor.d/profiles-g-l/iw
+++ b/apparmor.d/profiles-g-l/iw
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig
index 62bc16041..962b4ab23 100644
--- a/apparmor.d/profiles-g-l/iwconfig
+++ b/apparmor.d/profiles-g-l/iwconfig
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist
index ef2a280e0..298c94688 100644
--- a/apparmor.d/profiles-g-l/iwlist
+++ b/apparmor.d/profiles-g-l/iwlist
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/jackdbus b/apparmor.d/profiles-g-l/jackdbus
index ed1094a17..8326a3e40 100644
--- a/apparmor.d/profiles-g-l/jackdbus
+++ b/apparmor.d/profiles-g-l/jackdbus
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
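Review bot: `@{bin}/mv rix,` is newly allowed in the issue-generator hunk, but the only rule visible for the final file is `@{run}/issue r,`; if the script renames `@{run}/issue.@{rand10}` over `@{run}/issue` (the mktemp-then-mv pattern the adjacent rules suggest), rename needs `w` on both paths and will be denied, so either `@{run}/issue rw,` or a comment explaining why read-only suffices is needed. The same reasoning applies to `@{bin}/chmod rix,`: it inherits this profile and can only change modes on paths the profile grants `w` for, so if its target is the temporary file the existing `@{run}/issue.@{rand10} rw,` already covers it. The rest of the profile is outside the hunk, so a later rule may already grant this.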
diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index 9d22933fc..3a1e504a8 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader deleted file mode 100644 index 424074da4..000000000 --- a/apparmor.d/profiles-g-l/jdownloader +++ /dev/null 
@@ -1,128 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{JD_INSTALLDIR} = /home/*/jd2 - -@{exec_path} = @{JD_INSTALLDIR}/*JDownloader* -profile jdownloader @{exec_path} { - include - include - include - include - include - include - include - - @{exec_path} rix, - - @{bin}/basename rix, - @{bin}/dirname rix, - @{bin}/expr rix, - @{bin}/cut rix, - @{bin}/ls rix, - @{bin}/{,e}grep rix, - @{bin}/find rix, - @{bin}/sed rix, - @{bin}/chmod rix, - - @{bin}/ffmpeg rPx, - - # These are needed when the above tools are in some nonstandard locations - #@{bin}/which{,.debianutils} rix, - #/usr/ r, - #/usr/local/ r, - #@{bin}/ r, - #@{lib}/ r, - - deny /opt/ r, - - owner @{HOME}/ r, - owner @{JD_INSTALLDIR}/ rw, - owner @{JD_INSTALLDIR}/** rwk, - owner @{JD_INSTALLDIR}/jre/bin/java rix, - owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw, - owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw, - owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw, - owner @{JD_INSTALLDIR}/tmp/jna/jna@{int}.tmp mrw, - owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, - - owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw, - owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, - owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw, - owner @{HOME}/.java/fonts/@{int}/ rw, - owner @{HOME}/.java/fonts/@{int}/fcinfo*.tmp rw, - owner @{HOME}/.java/fonts/@{int}/fcinfo-*.properties rw, - - owner @{HOME}/.install4j rw, - - owner @{tmp}/hsperfdata_@{user}/ rw, - owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead - owner @{tmp}/SevenZipJBinding-*/ rw, - owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, - # For auto updates - owner @{tmp}/lastChanceSrc@{int}lch rw, - owner @{tmp}/lastChanceDst@{int}.jar rw, - owner 
@{tmp}/i4j_log_jd2_@{int}.log rw, - owner @{tmp}/install4jError@{int}.log rw, - - owner @{HOME}/.Xauthority r, - - # What's this for? - deny owner @{HOME}/.mozilla/firefox/ r, - deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r, - - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/@{pid}/net/ipv6_route r, - deny @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/asound/version r, - - # For Reconnect -> Share Settings/Get Route - #@{bin}/netstat rix, - #@{bin}/route rix, - #@{bin}/ping rix, - #@{bin}/ip rix, - #@{PROC}/@{pid}/net/route r, - - # To open a web browser for CAPTCHA - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, - - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index 667b9304f..d3444fea5 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index 6c7f3c1ff..044eda493 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jitterentropy-rngd b/apparmor.d/profiles-g-l/jitterentropy-rngd index 5b96e0c58..49d5c6c57 100644 
--- a/apparmor.d/profiles-g-l/jitterentropy-rngd +++ b/apparmor.d/profiles-g-l/jitterentropy-rngd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index 77127171c..eb51b1239 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -58,6 +58,7 @@ profile jmtpfs @{exec_path} { @{PROC}/@{pid}/mounts r, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index fef624841..0e27fa5ae 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kcheckpass b/apparmor.d/profiles-g-l/kcheckpass index 9dddbe470..33bd9c641 100644 --- a/apparmor.d/profiles-g-l/kcheckpass +++ b/apparmor.d/profiles-g-l/kcheckpass @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 6858f1b45..743da77a1 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index f79a3464e..f48113b02 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,7 +18,6 @@ profile keepassxc @{exec_path} {
include
include
include
- include
include
include
include
@@ -38,11 +37,12 @@ profile keepassxc @{exec_path} {
@{lib}/firefox/firefox rPx,
@{open_path} rPx -> child-open,
- /usr/share/hwdata/pnp.ids r,
/usr/share/keepassxc/{,**} r,
/etc/fstab r,
+ @{bin}/ r,
+
owner @{HOME}/ r,
owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
owner @{HOME}/@{XDG_SSH_DIR}/ r,
@@ -56,7 +56,7 @@ profile keepassxc @{exec_path} {
owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
- owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r,
+ owner @{user_config_dirs}/keepassxcrc r,
# Database locations
owner @{user_cache_dirs}/keepassxc/ rw,
@@ -92,7 +92,7 @@ profile keepassxc @{exec_path} {
/dev/shm/#@{int} rw,
/dev/tty rw,
- /dev/urandom rw,
+ /dev/urandom w,
owner /dev/tty@{int} rw,
# Silencer
diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli
index b1d6e0e86..c8e189f4e 100644
--- a/apparmor.d/profiles-g-l/keepassxc-cli
+++ b/apparmor.d/profiles-g-l/keepassxc-cli
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy
index 5e9736108..24a30c56c 100644
--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
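Review bot: `/dev/urandom w,` in the last keepassxc hunk drops read access, so reads of the device now rely on a rule elsewhere in the effective profile (typically one of the included abstractions, whose names are stripped in this rendering); AppArmor unions permissions per path, so an O_RDWR open still works if `r` is granted there, and fails if it is not. A short comment recording where `r` comes from, e.g. `# read access to /dev/urandom comes from the base abstraction` if that is the source, would keep a later cleanup from removing the dependency unnoticed. Writing to /dev/urandom from an unprivileged process only mixes data into the pool without crediting entropy, so keeping `w` alone is acceptable. The added `@{bin}/ r,` in the second hunk is only a directory listing and is harmless, but a word on what triggers it would stop it being broadened to `@{bin}/** r` later.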
@@ -12,14 +12,14 @@ profile keepassxc-proxy @{exec_path} {
include
include
- signal (receive) set=(term, kill),
-
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
+ signal receive set=(term, kill) peer=firefox,
+
@{exec_path} mr,
/usr/share/icons/*/index.theme r,
@@ -32,7 +32,7 @@ profile keepassxc-proxy @{exec_path} {
# file_inherit
deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
deny owner @{run}/user/@{uid}/kpxc_server rw,
- deny /dev/shm/org.chromium.* rw,
+ deny /dev/shm/org.chromium.@{rand6} rw,
deny owner /dev/shm/org.mozilla.ipc.@{int}.@{int} rw,
deny owner @{HOME}/.mozilla/** rw,
deny owner @{user_cache_dirs}/mozilla/** rw,
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index 808528ce7..07c058124 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
@@ -25,6 +25,7 @@ profile kernel-install @{exec_path} {
@{bin}/chmod rix,
@{bin}/basename rix,
+ @{pager_path} rPx -> child-pager,
@{bin}/kmod rCx -> kmod,
@{lib}/kernel/install.d/ r,
diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops
index f3c7e3b37..815fa4e38 100644
--- a/apparmor.d/profiles-g-l/kerneloops
+++ b/apparmor.d/profiles-g-l/kerneloops
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet
index e6860c5b9..8f5e66cbc 100644
--- a/apparmor.d/profiles-g-l/kerneloops-applet
+++ b/apparmor.d/profiles-g-l/kerneloops-applet
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec
index dc027eae6..102b75d83 100644
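Review bot: `signal receive set=(term, kill) peer=firefox,` in the first keepassxc-proxy hunk restricts the sender to the firefox profile, but the proxy is also registered as a native-messaging host for Chromium, Google Chrome and Brave (the NativeMessagingHosts rules in the keepassxc profile earlier in this diff), and those browsers run under their own profiles in this set; when one of them terminates the proxy on shutdown the signal will now be denied and the proxy left running. Either add the other browser profile names as peers (one rule per peer label, or an alternation if the parser accepts it there), or keep the peer unrestricted with a comment explaining why. Peer labels must match the profile names in this set exactly, and the `# file_inherit` deny rules in the second hunk already acknowledge the chromium family, so the narrowing looks unintentional; check `aa-log` for `signal` denials from those browsers after rollout.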
--- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ac03c2501..08fc10c22 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 3d8800cc7..fc6a6ede5 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr index 932b869b8..450600d78 100644 --- a/apparmor.d/profiles-g-l/kodi-xrandr +++ b/apparmor.d/profiles-g-l/kodi-xrandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index 22e087146..eb3d1cc80 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 8fa7552af..93234bf52 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index a9df8a2b3..52252882d 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e33195eb1..e765a5dc6 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index e77d997c5..bf999b79e 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index fd0c403a4..ee40f81af 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index 3df955097..392aba362 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 2a7295f49..2198ad925 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,10 +12,14 @@ profile libreoffice @{exec_path} { include include include + include include include include + include + include include + include include include include 
@@ -41,14 +45,14 @@ profile libreoffice @{exec_path} { @{open_path} rPx -> child-open-browsers, - @{bin}/gpgconf rPx, - @{bin}/gpgsm rPx, - @{bin}/gpg rPx, + @{bin}/gpg rPx, + @{bin}/gpgconf rPx, + @{bin}/gpgsm rPx, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/bin/java rix, @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/{,**} rm, @@ -61,15 +65,24 @@ profile libreoffice @{exec_path} { /usr/share/liblangtag/{,**} r, /usr/share/libreoffice/{,**} r, /usr/share/mythes/{,**} r, + /usr/share/thumbnailers/{,**} r, - /etc/java-openjdk/{,**} r, + /etc/java{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + /etc/xdg/* r, owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/user-places.xbel r, + + owner @{tmp}/ r, owner @{tmp}/@{rand6} rwk, owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, 
@@ -77,18 +90,22 @@ profile libreoffice @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{run}/user/@{uid}/#@{int} rw, + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, @{PROC}/cgroups r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index 379f32ac8..6ce5f2f57 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8e8732c19..8d2fcdcc8 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command index 21daa1853..78e9983b3 100644 --- a/apparmor.d/profiles-g-l/light-locker-command 
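Review bot: the new `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r,` omits the `owner` qualifier that its two neighbouring cgroup rules carry. If that is deliberate (session-scope cgroup files are created by systemd rather than the user, so an `owner` match would presumably fail), a comment such as `# session scope is not user-owned, hence no owner qualifier` would stop a later tidy-up from adding it and silently breaking the rule; if it is not deliberate the rule should match its neighbours. The `owner @{run}/user/@{uid}/#@{int} rw,` and `owner @{PROC}/@{pid}/mounts r,` additions are in line with the existing rules.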
+++ b/apparmor.d/profiles-g-l/light-locker-command @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks index f2e6c74cf..6462a0b6c 100644 --- a/apparmor.d/profiles-g-l/lightworks +++ b/apparmor.d/profiles-g-l/lightworks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt index b4dc21398..941798245 100644 --- a/apparmor.d/profiles-g-l/lightworks-ntcardvt +++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid deleted file mode 100644 index 615f51b62..000000000 --- a/apparmor.d/profiles-g-l/linssid +++ /dev/null 
@@ -1,113 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/linssid @{bin}/linssid-pkexec -profile linssid @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - # For reading/saving config/log files when linssid is started via pkexec - #capability dac_read_search, - #capability dac_override, - - # Needed? - deny capability sys_admin, - deny capability sys_nice, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/cat rix, - - # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Linssid works fine without this. 
- #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - - @{bin}/iw rCx -> iw, - @{bin}/pkexec rPx, - - # For regular run as root user - owner @{HOME}/.linssid.prefs rw, - owner @{HOME}/LinSSID.datalog rw, - # For pkexec - #@{HOME}/.linssid.prefs rw, - #@{HOME}/LinSSID.datalog rw, - - /usr/share/linssid/{,*} r, - - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/net/wireless r, - owner @{PROC}/@{pid}/cmdline r, - - owner @{tmp}/runtime-root/ rw, - owner @{tmp}/linssid_* rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - - # file_inherit - owner /dev/tty@{int} rw, - - - profile iw { - include - - capability net_admin, - deny capability sys_module, - - network netlink raw, - - @{bin}/iw mr, - - # file_inherit - owner @{HOME}/.linssid.prefs rw, - owner @{HOME}/LinSSID.datalog rw, - owner @{tmp}/linssid_* rw, - owner /dev/dri/card@{int} rw, - - } - - profile dbus { - include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 41813c1a1..a0c184032 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,6 +46,7 @@ profile linux-check-removal @{exec_path} flags=(complain) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, /usr/share/debconf/templates/adequate.templates r, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index 998c48780..1a8ffbb0d 100644 
--- a/apparmor.d/profiles-g-l/linux-version
+++ b/apparmor.d/profiles-g-l/linux-version
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq
new file mode 100644
index 000000000..0e18eab1b
--- /dev/null
+++ b/apparmor.d/profiles-g-l/linuxqq
@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = QQ
+@{lib_dirs} = /opt/QQ/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq
+profile linuxqq @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mrix,
+
+ @{sh_path} r,
+ @{bin}/grep rix,
+ @{lib_dirs}/chrome_crashpad_handler ix,
+ @{lib_dirs}/resources/app/{,**} m,
+ @{open_path} rPx -> child-open-strict,
+
+ /etc/machine-id r,
+
+ @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+ @{run}/utmp r,
+
+ owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/profiles-g-l/locale-gen
index 093074d1b..b9254171a 100644
--- a/apparmor.d/profiles-g-l/locale-gen
+++ b/apparmor.d/profiles-g-l/locale-gen
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge
index 30018bf00..f6781f4b1 100644
--- a/apparmor.d/profiles-g-l/localepurge
+++ b/apparmor.d/profiles-g-l/localepurge
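Review bot: in the new linuxqq profile, `@{lib_dirs}/resources/app/{,**} m,` grants mmap-exec over the whole Electron app tree while no `r` rule for `@{lib_dirs}` is visible in the file, and `@{config_dirs}` and `@{cache_dirs}` are defined but no rule in the file uses them; presumably the included abstractions (their names are stripped in this rendering) supply the read rules and consume those variables, so a one-line comment naming the abstraction that does, e.g. `# @{lib_dirs}, @{config_dirs} and @{cache_dirs} are consumed by the shared chromium abstraction`, would make the profile self-explanatory. Because `/opt/QQ/` is normally root-owned the broad `m` is acceptable, but `network netlink raw,` is unusual for a chat client and deserves a comment saying what needs it (likely the embedded Chromium's network-change monitor) so the rule is not copied into other profiles without cause. `@{exec_path} mrix,` and `chrome_crashpad_handler ix` keep the helpers confined under this profile, which is the right default for a new profile.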
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index c93553030..cbaac35b7 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -54,13 +54,15 @@ profile login @{exec_path} flags=(attach_disconnected) { /etc/security/pam_env.conf r, /etc/shells r, + /var/lib/faillock/@{user} rwk, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, - @{run}/motd.d/{,*} r, + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, + @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, @{run}/systemd/sessions/*.ref rw, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 6004b8a35..f98457155 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -50,19 +50,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/squid rPUx, @{bin}/pgrep rCx -> pgrep, - - # no new privs - #@{bin}/systemctl rCx -> systemctl, - @{bin}/systemctl rix, - @{bin}/runlevel rix, - include - ptrace (read), - capability sys_ptrace, - owner @{PROC}/@{pid}/stat r, - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + @{bin}/systemctl rCx -> systemctl, /etc/ r, @{etc_ro}/logrotate.conf rk, @@ -92,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + @{run}/utmp rk, + include if exists } diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/profiles-g-l/losetup index fb8b448d1..fd2472dce 100644 --- a/apparmor.d/profiles-g-l/losetup 
+++ b/apparmor.d/profiles-g-l/losetup @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/low-memory-monitor b/apparmor.d/profiles-g-l/low-memory-monitor index 4471dbd2e..e2baa4a26 100644 --- a/apparmor.d/profiles-g-l/low-memory-monitor +++ b/apparmor.d/profiles-g-l/low-memory-monitor @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk index 56aad52b8..147e1ba24 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu index 804e67632..caa2b5628 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/profiles-g-l/lscpu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lsinitramfs b/apparmor.d/profiles-g-l/lsinitramfs index e5b6ff750..2e3a20ad0 100644 --- a/apparmor.d/profiles-g-l/lsinitramfs +++ b/apparmor.d/profiles-g-l/lsinitramfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 656597c1c..0f3abf1dc 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb index 22e8a7cd2..b628b3668 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/profiles-g-l/lsusb 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index 0bd6ef2e8..cff4ce186 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,7 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), - # mqueue r type=posix /, + mqueue r type=posix /, @{exec_path} rm, diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig index f38bd6780..5e5a0d1dd 100644 --- a/apparmor.d/profiles-g-l/lvmconfig +++ b/apparmor.d/profiles-g-l/lvmconfig @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump index 9dbe000f7..6a443fc57 100644 --- a/apparmor.d/profiles-g-l/lvmdump +++ b/apparmor.d/profiles-g-l/lvmdump @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld index 7a4bc90b3..fdc3bad3f 100644 --- a/apparmor.d/profiles-g-l/lvmpolld +++ b/apparmor.d/profiles-g-l/lvmpolld @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index a400ef80c..a7c3a2177 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance 
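Review bot: In the lvm hunk, uncommenting `mqueue r type=posix /,` makes the profile depend on a parser that understands mqueue rules; the rule was presumably commented out for that reason, so it now relies on the abi bump in the same hunk. A comment above it such as `# mqueue rules need apparmor >= <MIN_VERSION: fill in>` would record why the rule is only safe with the new abi.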
@@ -3,66 +3,38 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/lxappearance profile lxappearance @{exec_path} { include - include - include - include - include + include @{exec_path} mr, - # When lxappearance is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Lxappearance works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + @{bin}/dbus-launch Cx -> bus, + @{bin}/dbus-send Cx -> bus, /usr/share/lxappearance/{,**} r, - owner @{HOME}/.themes/{,**} r, - owner @{HOME}/.icons/{,**} rw, - - owner @{HOME}/.gtkrc-2.0{,.*} rw, - owner @{user_config_dirs}/gtk-3.0/settings.ini{,.*} rw, - - /etc/X11/cursors/*.theme r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, - # file_inherit + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner /dev/tty@{int} rw, - - profile dbus { + profile bus { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index 143472569..a1f4ced89 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
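Review bot: The lxappearance hunk removes `owner @{HOME}/.gtkrc-2.0{,.*} rw` and `owner @{user_config_dirs}/gtk-3.0/settings.ini{,.*} rw` (plus the `.themes`, `.icons` and `/etc/X11/cursors/*.theme` reads); writing those files is the program's main job, so unless the single new `include` that replaces the four old ones grants them (its name is not visible in this rendering), saving a theme will be denied. If the include does cover them, a comment above it saying so would stop the next reader from re-adding the rules. The new `bus` child profile also drops `@{bin}/dbus-launch mr` and `@{bin}/dbus-daemon rPUx`, so please confirm the included abstraction provides the exec and mmap rights the child needs.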
diff --git a/apparmor.d/profiles-m-r/macchanger b/apparmor.d/profiles-m-r/macchanger index 8f4efc921..c3e0c0556 100644 --- a/apparmor.d/profiles-m-r/macchanger +++ b/apparmor.d/profiles-m-r/macchanger @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index aa0195853..c60325742 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index beeba50e8..4826337d0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile mandb @{exec_path} flags=(complain) { /usr/{,share/}man/{,**} r, /usr/local/{,share/}man/{,**} r, - /usr/share/**/man/man@{int}/*.@{int}.gz r, + /usr/share/**/man/man@{u8}/*.@{int}.gz r, owner @{user_share_dirs}/man/** rwk, diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon index 871434151..19b0c7fba 100644 --- a/apparmor.d/profiles-m-r/mate-notification-daemon +++ b/apparmor.d/profiles-m-r/mate-notification-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index a2631c768..f1b5034e6 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index bb7c2d59b..c3333b860 100644 
--- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 4648d4ddf..5a723d002 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,29 +19,7 @@ profile mediainfo-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - @{lib}/firefox/firefox rPx, - - owner @{HOME}/ r, - owner @{run}/user/@{uid}/ r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{open_path} rPx -> child-open-browsers, include if exists } diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 236041778..3796c2b75 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/memtester b/apparmor.d/profiles-m-r/memtester index 506892f0e..aeb26d004 100644 --- a/apparmor.d/profiles-m-r/memtester +++ b/apparmor.d/profiles-m-r/memtester @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index 739d18e2f..e43460210 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 142ccb78a..0de151536 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -31,17 +31,17 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { /etc/httpd/conf/mime.types r, /etc/mime.types r, - owner @{tmp}/@{hex64}.png r, - owner @{tmp}/@{hex64}.png w, + owner @{tmp}/@{hex64}.* rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/tmp@{rand4}_*/{,**} rw, - owner @{tmp}/tmp@{rand8}/{,**} rw, + owner @{tmp}/tmp@{word8} rw, + owner @{tmp}/tmp@{word8}/{,**} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index da56703c3..d6823da9b 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mimetype +@{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 4d4d26655..ce8380261 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -30,9 +30,7 @@ profile minitube @{exec_path} { @{exec_path} mr, - # Be able to turn off the screensaver while playing movies - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver rPx, @{open_path} rPx -> child-open, /usr/share/minitube/{,**} r, @@ -69,31 +67,6 @@ profile minitube @{exec_path} { /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index 267fb9d1a..b8e79c0dc 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,8 +23,9 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/telepathy/mission-control/*.cfg* rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, + owner @{user_cache_dirs}/.mc_connections rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert new file mode 100644 index 000000000..3ae643e1d --- /dev/null +++ b/apparmor.d/profiles-m-r/mkcert 
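Review bot: The minitube hunk writes `@{bin}/xdg-screensaver rPx` while the mpv hunk later in this diff writes `@{bin}/xdg-screensaver Px` right next to `@{bin}/youtube-dl rPx`; pick one form in both files, with `rPx` matching the neighbouring rules. Both files now depend on a standalone xdg-screensaver profile being loaded, which this diff does not show; with `Px` there is no fallback, so if that profile is not part of the same change the exec will be denied rather than run unconfined.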
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mkcert +profile mkcert @{exec_path} { + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/certutil rix, + @{bin}/rm rix, + @{bin}/sudo rix, + @{bin}/tee rix, + @{bin}/trust rix, + @{bin}/update-ca-trust rPx, + + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db{,-journal} rwk, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner @{user_share_dirs}/mkcert/{,**} rw, + + owner @{PROC}/@{pids}//cgroup r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index 038de3c73..acf88197f 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index 237fc8006..1e6c95838 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat index d7f7a1cc9..1aba124ae 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 692d79184..3b02d97c2 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs 
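Review bot: `owner @{PROC}/@{pids}//cgroup r` in the new mkcert profile has a doubled slash and combines `@{pids}` with `owner`; compare `owner @{PROC}/@{pid}/cgroup r` in the mullvad-setup hunk later in this diff — as written the rule most likely never matches. `@{bin}/sudo rix` keeps sudo confined by the mkcert profile, so its capability and `/etc/sudoers` needs must be met by the includes (whose names are not visible here); since the file already hands the privileged helper off with `@{bin}/update-ca-trust rPx`, a profile transition for sudo would keep that privilege boundary explicit.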
+++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -81,18 +81,22 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, /boot/ r, - owner /boot/initrd.img-*.new rw, owner /boot/config-* r, + owner /boot/initrd.img-*.new rw, /var/tmp/ r, + /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs_*/ rw, owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, - /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs-* rw, - owner @{PROC}/@{pid}/fd/ r, + @{sys}/devices/platform/ r, + @{sys}/devices/platform/reg-dummy/{,**}/ r, + @{sys}/module/compression r, + @{PROC}/cmdline r, @{PROC}/modules r, + owner @{PROC}/@{pid}/fd/ r, profile ldd { include diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/profiles-m-r/mkntfs index ccfa5f4ed..5141c5385 100644 --- a/apparmor.d/profiles-m-r/mkntfs +++ b/apparmor.d/profiles-m-r/mkntfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/profiles-m-r/mkswap index 4c732c2c6..4a818cd58 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/profiles-m-r/mkswap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index 22251b87e..a13a22e7ed 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 595a24666..835e1a391 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui 
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mlocate b/apparmor.d/profiles-m-r/mlocate index 08fdee129..f54b2f047 100644 --- a/apparmor.d/profiles-m-r/mlocate +++ b/apparmor.d/profiles-m-r/mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 29125f192..cd2ddc0e6 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,9 +28,10 @@ profile modprobed-db @{exec_path} { @{bin}/uniq rix, @{bin}/wc rix, + /usr/share/modprobed-db/** r, /usr/share/terminfo/** r, - owner @{user_config_dirs}/modprobed-db.conf r, + owner @{user_config_dirs}/modprobed-db.conf rw, owner @{user_config_dirs}/modprobed.db rw, owner @{tmp}/.inmem rw, diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index d75a5092b..df1806311 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cb220a7b6..e847db872 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index e010a83d7..bdaafd9c8 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 09b682c6b..f8616cd88 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index bbadcc7e0..78651ba23 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 698f350ce..3fafd269a 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index bc47f0a30..552f96b05 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mpd b/apparmor.d/profiles-m-r/mpd index 14a6c4acf..89b66253a 100644 --- a/apparmor.d/profiles-m-r/mpd 
+++ b/apparmor.d/profiles-m-r/mpd @@ -4,7 +4,7 @@ # Copyright (C) 2023 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 46f239fce..9a138ff50 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 1629176dd..3d044049e 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -3,14 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mpv profile mpv @{exec_path} { include - include + include include include include @@ -32,8 +32,7 @@ profile mpv @{exec_path} { @{exec_path} mr, - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver Px, @{bin}/youtube-dl rPx, @{bin}/yt-dlp rPx, @@ -77,34 +76,14 @@ profile mpv @{exec_path} { @{sys}/devices/**/input/**/uevent r, @{sys}/devices/**/sound/**/capabilities/* r, @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, /dev/input/event@{int} r, owner /dev/tty@{int} rw, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - @{bin}/xscreensaver-command rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - } - include if exists } diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index 75c95fffd..5fea49231 100644 
--- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr index 5b341d8f5..4ff851662 100644 --- a/apparmor.d/profiles-m-r/mtr +++ b/apparmor.d/profiles-m-r/mtr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet index 4bf15b7d5..d771c58ec 100644 --- a/apparmor.d/profiles-m-r/mtr-packet +++ b/apparmor.d/profiles-m-r/mtr-packet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index db29113ce..77ac07045 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -2,16 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /opt/Mullvad*/resources/mullvad-setup profile mullvad-setup @{exec_path} { include + include @{exec_path} mr, + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, # File Inherit diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 918e5a0c2..409834fbc 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,6 +27,7 @@ profile multipath @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, + @{sys}/module/*/parameters/multipath r, @{PROC}/devices r, @{PROC}/sys/fs/nr_open r, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index 510fb3417..14bb16caf 100644 
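Review bot: In the mullvad-setup hunk, `@{PROC}/@{pid}/mountinfo r` is added without `owner` while the line below it, `owner @{PROC}/@{pid}/cgroup r`, keeps it; `@{pid}` matches any pid, and `owner` is what limits the read to the process's own entries, so `owner @{PROC}/@{pid}/mountinfo r` is the consistent and tighter form.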
--- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 879d2b9bf..48ed42d84 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 61b287329..8d17ef3d6 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index aca74e562..9d7663ebb 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/murmurd diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 1ed63e68e..6a96796a7 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -2,7 +2,7 @@ # Copyright (C) 2023 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -27,23 +27,18 @@ profile mutt @{exec_path} { # There are countless programs that can be executed from the mailcap. # This profile includes only the most basic. @{sh_path} rix, - + @{lib}/{,sendmail/}sendmail rPUx, @{bin}/ispell rPUx, @{bin}/abook rPUx, @{bin}/mutt_dotlock rix, # Misc mutt scripts @{lib}/mutt/* rix, - + @{bin}/w3m rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, - - @{bin}/less rCx -> pager, - @{bin}/more rCx -> pager, - @{bin}/pager rCx -> pager, + @{editor_path} rCx -> editor, + @{pager_path} rCx -> pager, @{bin}/gpg{2,} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -118,9 +113,7 @@ profile mutt @{exec_path} { include include - @{bin}/less mr, - @{bin}/more mr, - @{bin}/pager mr, + @{pager_path} mr, /usr/share/terminfo/** r, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index e3222d2ff..1f32df8c3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 805f69678..0a9e1dc33 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index fff97e67c..3d54f896d 100644 --- a/apparmor.d/profiles-m-r/needrestart-dpkg-status +++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 37dd180c3..75b150042 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { /boot/intel-ucode.img r, /boot/early_ucode.cpio r, - + @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index a51854414..e3edb99c3 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/profiles-m-r/netcap index d1e5a2852..a73dbffe4 100644 --- a/apparmor.d/profiles-m-r/netcap +++ b/apparmor.d/profiles-m-r/netcap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs index e39e64621..c1a9f611a 100644 --- a/apparmor.d/profiles-m-r/nethogs +++ b/apparmor.d/profiles-m-r/nethogs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,8 @@ profile nethogs @{exec_path} { @{exec_path} mr, + /usr/share/terminfo/** r, + @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index 039109ea2..e19884997 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -5,7 +5,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap index 9398350e1..4a7196fc2 100644 --- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp index 1878b9b5e..ebd15d4b6 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap index eeba22557..549eb06ef 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/profiles-m-r/nfsdcld index a02e226c6..be122a3cb 100644 --- a/apparmor.d/profiles-m-r/nfsdcld +++ b/apparmor.d/profiles-m-r/nfsdcld @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft index 1255ca401..292b22043 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/profiles-m-r/nft @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,6 +20,8 @@ profile nft @{exec_path} { @{exec_path} mr, + /usr/share/iproute2/{,**} r, + /etc/iproute2/** r, /etc/nftables.conf r, /etc/nftables/{,**} r, diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 0eb1eceba..348c3ac0e 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin index fad964b64..3ee32cf34 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/profiles-m-r/nologin @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 9ee225d9d..41435f2f0 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index a7a580c41..d94d7a0f2 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,15 +22,6 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_admin, - @{exec_path} mr, - - @{bin}/kmod rPx, # To load the fuse kernel module - - # Mount points - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, - # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, @@ -47,12 +38,22 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, + @{exec_path} mr, + + @{bin}/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/profiles-m-r/ntfs-3g-probe index ef870e0f0..73ba17229 100644 
--- a/apparmor.d/profiles-m-r/ntfs-3g-probe +++ b/apparmor.d/profiles-m-r/ntfs-3g-probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/profiles-m-r/ntfscat index 069a597e9..c1d14927b 100644 --- a/apparmor.d/profiles-m-r/ntfscat +++ b/apparmor.d/profiles-m-r/ntfscat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index 06fe65684..c239e81af 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/profiles-m-r/ntfscluster index 62aff85c8..80fdf01ce 100644 --- a/apparmor.d/profiles-m-r/ntfscluster +++ b/apparmor.d/profiles-m-r/ntfscluster @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/profiles-m-r/ntfscmp index c5ecddc5f..db9a723d4 100644 --- a/apparmor.d/profiles-m-r/ntfscmp +++ b/apparmor.d/profiles-m-r/ntfscmp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp index 3beeb2b7a..2e36046ba 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt index e7ffe3188..63f771ed3 100644 --- a/apparmor.d/profiles-m-r/ntfsdecrypt +++ b/apparmor.d/profiles-m-r/ntfsdecrypt 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/profiles-m-r/ntfsfallocate index 670092820..80654cb7a 100644 --- a/apparmor.d/profiles-m-r/ntfsfallocate +++ b/apparmor.d/profiles-m-r/ntfsfallocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/profiles-m-r/ntfsfix index 179b3b7a9..e840ed6c5 100644 --- a/apparmor.d/profiles-m-r/ntfsfix +++ b/apparmor.d/profiles-m-r/ntfsfix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/profiles-m-r/ntfsinfo index 3156e7004..08b5bea43 100644 --- a/apparmor.d/profiles-m-r/ntfsinfo +++ b/apparmor.d/profiles-m-r/ntfsinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/profiles-m-r/ntfslabel index 6eee15ef8..471aefaa1 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/profiles-m-r/ntfslabel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/profiles-m-r/ntfsls index 56c2c28de..3badd08b2 100644 --- a/apparmor.d/profiles-m-r/ntfsls +++ b/apparmor.d/profiles-m-r/ntfsls @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/profiles-m-r/ntfsmove index 876113c98..4c7ade080 100644 --- a/apparmor.d/profiles-m-r/ntfsmove +++ b/apparmor.d/profiles-m-r/ntfsmove 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/profiles-m-r/ntfsrecover index 43de112c1..fff3e1b52 100644 --- a/apparmor.d/profiles-m-r/ntfsrecover +++ b/apparmor.d/profiles-m-r/ntfsrecover @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/profiles-m-r/ntfsresize index e0e8f58d2..5c7d5c835 100644 --- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/profiles-m-r/ntfsresize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/profiles-m-r/ntfssecaudit index ee38f60a0..a323a898d 100644 --- a/apparmor.d/profiles-m-r/ntfssecaudit +++ b/apparmor.d/profiles-m-r/ntfssecaudit @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/profiles-m-r/ntfstruncate index c9dec413a..7f245ee07 100644 --- a/apparmor.d/profiles-m-r/ntfstruncate +++ b/apparmor.d/profiles-m-r/ntfstruncate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete index a01876961..4d96d1dbd 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap index acc6e8bbc..0cdfb9f71 100644 --- a/apparmor.d/profiles-m-r/ntfsusermap +++ b/apparmor.d/profiles-m-r/ntfsusermap 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/profiles-m-r/ntfswipe index 1471e1d27..9b64136bd 100644 --- a/apparmor.d/profiles-m-r/ntfswipe +++ b/apparmor.d/profiles-m-r/ntfswipe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index e27e15429..6f7b8f225 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 25903ed8b..5c88ec846 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-detector b/apparmor.d/profiles-m-r/nvidia-detector index b0465ef85..d438b598d 100644 --- a/apparmor.d/profiles-m-r/nvidia-detector +++ b/apparmor.d/profiles-m-r/nvidia-detector @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-persistenced b/apparmor.d/profiles-m-r/nvidia-persistenced index 33dac3dba..9f44c8f13 100644 --- a/apparmor.d/profiles-m-r/nvidia-persistenced +++ b/apparmor.d/profiles-m-r/nvidia-persistenced @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 87271a03d..9e5944bff 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings 
+++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 571ab3311..143808f76 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 54c9c5959..88a164c00 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,7 +23,8 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, - @{run}/systemd/inhibit/*.ref r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index 070ac10af..b0c4d88c6 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 37e94369e..7b11aaac5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index 7aa4070c5..ebbd8ae50 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing 
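Review bot: The rewritten inhibit rule in the nvtop hunk widens the permission from `r` to `rw` on `@{att}/@{run}/systemd/inhibit/@{int}.ref` while it narrows the glob, and nothing in the hunk explains the widening. If write access is required because the inhibitor lock is a file descriptor handed over by systemd-logind, a trailing comment such as `# inhibitor lock fd passed by systemd-logind` would record that; otherwise `r` should be kept, as a monitoring tool has no obvious reason to write there. The packagekitd hunk later on this page applies the same path rewrite but already had `rw`, so nvtop is the only profile whose permission set changes here.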
+++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/profiles-m-r/obexautofs index 972829890..e50fadddf 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/profiles-m-r/obexctl index d87243b75..5cd5853d5 100644 --- a/apparmor.d/profiles-m-r/obexctl +++ b/apparmor.d/profiles-m-r/obexctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd index 9043489eb..3da9b4f5d 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/profiles-m-r/obexfs index 4a746ecf1..5a9d0dfbf 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/profiles-m-r/obexfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -48,6 +48,7 @@ profile obexfs @{exec_path} { @{PROC}/@{pid}/mounts r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/profiles-m-r/obexpush-atd index 17b0a2d37..2645ec678 100644 --- a/apparmor.d/profiles-m-r/obexpush-atd +++ b/apparmor.d/profiles-m-r/obexpush-atd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/profiles-m-r/obexpushd index 33a922f41..44b938401 100644 
--- a/apparmor.d/profiles-m-r/obexpushd +++ b/apparmor.d/profiles-m-r/obexpushd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index 724f83de7..b0f1c7c27 100644 --- a/apparmor.d/profiles-m-r/obxprop +++ b/apparmor.d/profiles-m-r/obxprop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/odt2txt b/apparmor.d/profiles-m-r/odt2txt index 0636f6ee8..065e953f3 100644 --- a/apparmor.d/profiles-m-r/odt2txt +++ b/apparmor.d/profiles-m-r/odt2txt @@ -2,13 +2,14 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/odt2txt profile odt2txt @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index e7ff1db50..7b5521802 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index d9b5a412e..c92d4d849 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/onefetch b/apparmor.d/profiles-m-r/onefetch index 84a68634c..ded4a204a 100644 --- a/apparmor.d/profiles-m-r/onefetch +++ b/apparmor.d/profiles-m-r/onefetch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index ac0831f05..d136ee08f 100644 --- a/apparmor.d/profiles-m-r/openbox 
+++ b/apparmor.d/profiles-m-r/openbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 61666f756..5313ed948 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 571532b4f..f87c0fa92 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,9 +21,9 @@ profile orage @{exec_path} { @{bin}/globaltime rPx, - @{bin}/xdg-open rCx -> open, - @{bin}/exo-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/* rw, @@ -35,38 +35,8 @@ profile orage @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index c9c9ea2df..c058003ff 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index efd796d19..d0b75aae7 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,3 +24,5 @@ profile ouch @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b61426196..b97c5e9a8 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,6 +36,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send set=int peer=apt-methods-*, + signal send set=term peer=systemd-inhibit, #aa:dbus own bus=system name=org.freedesktop.PackageKit @@ -93,7 +94,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/systemd/users/@{uid} r, #aa:only opensuse diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 752c3edd7..8512c1c67 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 2f8092a02..1e89ef3f2 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/pagesize b/apparmor.d/profiles-m-r/pagesize index f6615a71e..0ec7c31f6 100644 --- a/apparmor.d/profiles-m-r/pagesize +++ b/apparmor.d/profiles-m-r/pagesize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 3d805f24c..e2846f8e6 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -60,6 +60,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 5c86a1b27..510c2abad 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 9408674f8..4a98dbae8 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 9e384c66c..6a0a6c9cf 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/partprobe profile partprobe @{exec_path} { include + include include capability sys_admin, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 7c4f697e0..0736f98c4 100644 
--- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -15,52 +15,52 @@ profile pass @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/diff rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/find rix, - @{bin}/getopt rix, - @{bin}/grep rix, - @{bin}/head rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/shred rix, - @{bin}/sleep rix, - @{bin}/sort rix, - @{bin}/tail rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/tree rix, - @{bin}/tty rix, - @{bin}/which rix, + @{bin}/base64 ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cp ix, + @{bin}/diff ix, + @{bin}/dirname ix, + @{bin}/env r, + @{bin}/find ix, + @{bin}/getopt ix, + @{bin}/grep ix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/rmdir ix, + @{bin}/sed ix, + @{bin}/shred ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/tail ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/tree ix, + @{bin}/tty ix, + @{bin}/which ix, - @{bin}/git rCx -> git, - @{bin}/gpg{2,} rCx -> gpg, - @{bin}/pkill rCx -> pkill, - @{bin}/qdbus rCx -> qdbus, - @{bin}/vim{,.*} rCx -> editor, - @{lib}/git{,-core}/git rCx -> git, - @{bin}/wl-{copy,paste} rPx, - @{bin}/xclip rPx, + @{bin}/git Cx -> git, + @{bin}/gpg{2,} Cx -> gpg, + @{bin}/pkill Cx -> pkill, + @{bin}/qdbus Cx -> qdbus, + @{bin}/wl-{copy,paste} Px, + @{bin}/xclip Px, + @{editor_path} Cx -> editor, + @{lib}/git{,-core}/git Cx -> git, # Pass extensions - @{bin}/oathtool rix, # pass-otp - @{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit - @{bin}/qrencode rPUx, # pass-otp - @{bin}/tomb rPUx, # pass-tomb + @{bin}/oathtool ix, # pass-otp + @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit + @{bin}/qrencode PUx, # pass-otp + @{bin}/tomb PUx, # pass-tomb /usr/share/terminfo/** r, owner @{user_password_store_dirs}/{,**} rw, - owner /dev/shm/pass.*/{,*} rw, + owner 
/dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, @@ -74,16 +74,10 @@ profile pass @{exec_path} { profile pkill { include - - capability sys_ptrace, - - ptrace read, + include @{bin}/pkill mr, - @{PROC}/@{pid}/cgroup r, - @{PROC}/tty/drivers r, - include if exists } @@ -96,7 +90,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/{,**/} r, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/{,*} rw, deny owner @{HOME}/ r, @@ -118,10 +112,7 @@ profile pass @{exec_path} { @{bin}/git* mrix, @{lib}/git{,-core}/git* mrix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - + @{pager_path} rPx -> child-pager, @{bin}/gpg{2,} rPx -> pass//gpg, /usr/share/git{,-core}/{,**} r, @@ -133,7 +124,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw, + owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, include if exists } @@ -153,7 +144,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 655804ccc..bb2bc9107 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 8afbac8e5..4e64e5fb9 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd 
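Review bot: The last pass hunk (`@@ -153,7 +144,7 @@`) rewrites the shm rule to `owner /dev/shm/pass.@{rand}/* rw,`, dropping the `{,*}` alternation, while the other three hunks in this file keep it (e.g. `owner /dev/shm/pass.@{rand}/{,*} rw,`); that subprofile therefore loses access to the temporary directory itself, which looks unintentional. Using `owner /dev/shm/pass.@{rand}/{,*} rw,` there restores consistency with the rest of the file. The enclosing subprofile's header lies outside the hunk, so which child this affects cannot be told from the diff alone.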
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index f37f5651d..9d81c0bea 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile passwd @{exec_path} { capability net_admin, capability setuid, - signal (receive) set=(term, kill) peer=gnome-control-center, + signal receive set=(term kill) peer=gnome-control-center, network netlink raw, diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index de3782b09..596cbacbd 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 99ad50a64..e736299fa 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 200319c6c..984b566cf 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext index c122cbdcb..0394687f7 100644 --- a/apparmor.d/profiles-m-r/pdftotext +++ b/apparmor.d/profiles-m-r/pdftotext 
@@ -2,13 +2,14 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pdftotext profile pdftotext @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index 124d5c9c3..7d423f148 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index e2ea46e57..2a7b63038 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pidof profile pidof @{exec_path} { include + include capability sys_ptrace, diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index c30bc5def..b69fcecaf 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile pinentry @{exec_path} { @{bin}/pinentry-* rPx, @{sh_path} rix, + @{bin}/ldd rix, /etc/pinentry/preexec r, diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index 1fd585f47..a3ec65c45 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index d6fc0abb0..f332ef21f 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 
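Review bot: The added `@{bin}/ldd rix,` in the pinentry hunk carries no comment saying which caller needs it, and `ldd` is not a passive read: it works by running the ELF interpreter on the path it is given, so under `ix` both that loader invocation and the inspected binary execute inside the pinentry profile and need matching exec/map rules. Presumably this serves the `/usr/bin/pinentry` wrapper script that the profile already runs through `@{sh_path} rix` and `/etc/pinentry/preexec r`; please confirm and record it, e.g. `@{bin}/ldd rix, # pinentry wrapper script probes backend binaries`. If executing the loader is not already covered by the base abstraction in this tree, that rule is needed too.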
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk-2 index efad3a6f1..49e9ac307 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index 235c256a7..adff98c53 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,42 +11,31 @@ include profile pinentry-kwallet @{exec_path} { include include - include + include signal (send) set=(term, kill) peer=gpg-agent, @{exec_path} mr, - @{bin}/pinentry-* rPx, - - @{bin}/kwalletcli_getpin rix, - @{bin}/kwalletcli rCx -> kwalletcli, - - # when wrong PIN is provided @{bin}/date rix, - - @{bin}/mksh rix, @{bin}/env rix, - - owner @{HOME}/.Xauthority r, - - /usr/share/hwdata/pnp.ids r, - + @{bin}/kwalletcli rCx -> kwalletcli, + @{bin}/kwalletcli_getpin rix, + @{bin}/mksh rix, + @{bin}/pinentry-* rPx, profile kwalletcli { include + include @{bin}/kwalletcli mr, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwalletrc r, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, - owner @{HOME}/.Xauthority r, - - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/kwalletrc r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 947350b8a..3c5ec0a94 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt 
+++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -3,47 +3,28 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include + include include - include - include - include - include + include + include include include - include - include - include @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, + /var/lib/dbus/machine-id r, owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index c8238688e..989f6ec8b 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 49c762df9..c7bfbcefa 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
@@ -3,35 +3,20 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pkexec profile pkexec @{exec_path} { include - include - include - include - include - include + include - capability audit_write, - capability dac_read_search, - capability net_admin, - capability setgid, # gdbus - capability setuid, # gmain - capability sys_ptrace, - capability sys_resource, - audit deny capability sys_nice, + capability sys_nice, - network netlink raw, + signal send set=(term, kill) peer=polkit-agent-helper, - signal (send) set=(term, kill) peer=polkit-agent-helper, - - ptrace (read), - - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd + ptrace read, @{exec_path} mr, @@ -40,22 +25,11 @@ profile pkexec @{exec_path} { /opt/*/** PUx, /usr/share/** PUx, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/shells r, @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid r, - - # file_inherit - owner /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, - - # Silencer - deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 68c85487b..de0eeef33 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank index 77bad6788..9619326f2 100644 --- a/apparmor.d/profiles-m-r/plank +++ b/apparmor.d/profiles-m-r/plank @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index e66d0c14c..3877f89cd 100644 
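Review bot: The first pkexec hunk turns the explicit `audit deny capability sys_nice,` into `capability sys_nice,` without saying why a capability that was deliberately, and audibly, refused is now granted to a setuid-root helper, while the other capability lines and their `# gdbus`/`# gmain` rationale disappear into the new include. A one-line justification keeps the widening reviewable, e.g. `capability sys_nice, # TODO: document the caller (was audit deny)`. The profile body continues in the next hunk, so I cannot tell whether the include re-adds the removed `network netlink raw,` and D-Bus directive.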
--- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index 5e81be8a3..afc322958 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo new file mode 100644 index 000000000..111b157c5 --- /dev/null +++ b/apparmor.d/profiles-m-r/pokemmo 
@@ -0,0 +1,98 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pokemmo-launcher +profile pokemmo @{exec_path} flags=(attach_disconnected) { + include + include + include # Installer + include + include # Installer + include + include + include + include # Installer + include + + # The installer is a GTK app and requires a few extra abstractions + # GTK/QT/fonts abstractions are unused by the game itself and can + # be removed if this profile is later split into stacked profiles + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{coreutils_path} ix, + @{python_path} ix, + @{sh_path} ix, + + @{bin}/java ix, + @{bin}/perl ix, + @{bin}/which ix, + @{lib}/jvm/java-@{int}-openjdk/bin/java ix, + + # Installer + @{bin}/openssl ix, + @{bin}/ps ix, + @{bin}/wget ix, + @{bin}/zenity ix, + @{lib}/jvm/java-@{int}-openjdk/lib/jspawnhelper ix, + + /etc/lsb-release r, # Installer + /etc/java-openjdk/** r, + /etc/timezone r, + /etc/wgetrc r, # Installer + + # Installer + owner @{HOME}/ r, + owner @{HOME}/.java/fonts/** rw, + owner @{HOME}/.wget-hsts rwk, + + owner @{user_config_dirs}/pokemmo/{,**} rw, + owner @{user_share_dirs}/pokemmo/{,**} rw, + + owner /tmp/hsperfdata_user/ rw, + owner /tmp/hsperfdata_user/@{int} rwk, + owner /tmp/libgdxuser/{,**} rw, + owner /tmp/libgdxuser/**/*.so mrw, + owner /tmp/lwjgl_user/{,**} rw, + owner /tmp/lwjgl_user/**/*.so mrwk, + + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, + + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/cgroups r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Installer + @{PROC}/ r, + @{PROC}/uptime r, + @{PROC}/sys/kernel/pid_max r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, 
+ owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/js@{int} rw, + + /dev/tty rw, + owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index a4b93d5b5..166404dfa 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 8f85f3c03..b39682804 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,10 +34,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/bus/platform/devices/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/uevent r, @{sys}/devices/**/power_supply/*/scope r, - @{sys}/devices/**/power_supply/*/uevent r, - @{sys}/devices/platform/**/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail new file mode 100644 index 000000000..c6d309a94 --- /dev/null +++ b/apparmor.d/profiles-m-r/protonmail 
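Review bot: In the new pokemmo profile the scratch-directory rules `owner /tmp/hsperfdata_user/`, `owner /tmp/libgdxuser/{,**}` and `owner /tmp/lwjgl_user/{,**}` look as if they were captured on an account literally named `user`: the JVM names its perf directory `hsperfdata_<username>`, and libGDX/LWJGL presumably suffix the account name the same way, so these rules will never match for anyone else and the game will be denied those paths once enforced. Replace the literal with a user-name pattern, and prefer `@{tmp}` over a bare `/tmp` as the other profiles in this diff do. Those entries also map shared objects with `mrw`/`mrwk` out of a world-writable directory; that is how these engines extract their natives, but a comment saying so stops a later reviewer from reading it as an oversight.
```apparmor
  # … unchanged: pokemmo config/share rules …
  # JVM/libGDX/LWJGL scratch dirs are named after the running user (owner-restricted)
  owner @{tmp}/hsperfdata_*/ rw,
  owner @{tmp}/hsperfdata_*/@{int} rwk,
  owner @{tmp}/libgdx*/{,**} rw,
  owner @{tmp}/libgdx*/**/*.so mrw,
  owner @{tmp}/lwjgl*/{,**} rw,
  owner @{tmp}/lwjgl*/**/*.so mrwk,
  # … unchanged: @{sys} and @{PROC} rules …
```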
@@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 curiosityseeker +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = proton-mail "Proton Mail" +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* +profile protonmail @{exec_path} flags=(complain) { + include + include + include + include + + network inet stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + ptrace read peer=xdg-settings, + + @{exec_path} mrix, + + @{bin}/xdg-settings Px, + @{open_path} Px -> child-open, + + owner @{user_config_dirs}/ibus/bus/ r, + + @{sys}/devices/@{pci}/boot_vga r, + + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + + include if exists + +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index 3d3878c3e..fc8092ef9 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge @@ -2,13 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3 -@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge" -@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3 +@{config_dirs} = @{user_config_dirs}/protonmail/{,bridge-v3} +@{cache_dirs} = @{user_cache_dirs}/protonmail/{,bridge-v3} "@{user_cache_dirs}/Proton AG/{,Proton Mail Bridge}" +@{share_dirs} = @{user_share_dirs}/protonmail/{,bridge-v3} @{exec_path} = @{lib}/protonmail/bridge/bridge-gui profile protonmail-bridge @{exec_path} { diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index b7fd0c98a..81f27c40e 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core 
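Review bot: The new protonmail profile allows `network inet6 dgram,` but only `network inet stream,`, so TCP over IPv6 is missing while UDP over IPv6 is granted; on an IPv6-only or dual-stack network the client's IMAP/HTTPS connections would be logged now (complain mode) and refused once enforced. Add `network inet6 stream,` next to the existing lines, or comment the omission if it is intentional. Separately, `@{exec_path} mrix` lets every `/opt/proton-mail/Proton*` binary run under this same profile, which is fine for a `flags=(complain)` draft but deserves a `# TODO` so the helper binaries get their own treatment before enforcing.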
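Review bot: The tunable changes in the protonmail-bridge hunk (`@{config_dirs} = @{user_config_dirs}/protonmail/{,bridge-v3}` and the matching cache/share lines) make each variable expand to the parent directory as well as the `bridge-v3` subdirectory, so any rule further down written as `@{config_dirs}/{,**}` now grants all of `~/.config/protonmail/`, `~/.cache/protonmail/` and `~/.cache/Proton AG/`, and the `bridge-v3` alternative becomes redundant. If the goal was only to let the bridge create or list its parent directory, a dedicated rule such as `owner @{user_config_dirs}/protonmail/ rw,` keeps the variables narrow. The rules that consume these variables are outside the hunk, so please check how they are used.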
+++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -7,7 +7,7 @@ # deny @{bin}/pass x, # deny owner @{user_password_store_dirs}/** r, -abi , +abi , include @@ -15,6 +15,7 @@ include profile protonmail-bridge-core @{exec_path} { include include + include network inet dgram, network inet6 dgram, @@ -43,8 +44,8 @@ profile protonmail-bridge-core @{exec_path} { owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/ r, + @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - @{PROC}/@{pid}/cgroup r, deny @{bin}/pass x, deny owner @{user_password_store_dirs}/** r, diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index bdcd6cee2..1d9ae50cb 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index f34992ccb..da5753161 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/profiles-m-r/pscap index 8a88b26a4..f4bc2b76e 100644 --- a/apparmor.d/profiles-m-r/pscap +++ b/apparmor.d/profiles-m-r/pscap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index e764b69f8..33435fa8d 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -46,8 +46,6 @@ profile psi @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi/{,**} rw, owner @{user_config_dirs}/autostart/psi.desktop rw, owner @{user_config_dirs}/psi/ rw, @@ -59,7 +57,7 @@ profile psi @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index d9b1f7fd5..32c05e55b 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,8 +46,6 @@ profile psi-plus @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi+/{,**} rw, owner @{user_config_dirs}/autostart/psi-plus.desktop rw, owner @{user_config_dirs}/psi+/ rw, @@ -59,7 +57,7 @@ profile psi-plus @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index a2630d212..bd2265e32 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index 0ef899263..e57e221dd 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index af459593a..0c9e1ac0a 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index f9502cf75..a5fcbb91e 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -42,7 +42,7 @@ profile qbittorrent @{exec_path} { interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate @@ -52,12 +52,12 @@ profile qbittorrent @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} @@ -85,8 +85,6 @@ profile qbittorrent @{exec_path} { /usr/share/GeoIP/GeoIP.dat r, /usr/share/gvfs/remote-volume-monitors/{,*} r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, owner @{user_config_dirs}/qBittorrent/ rw, @@ -137,7 +135,7 @@ profile qbittorrent @{exec_path} { owner @{user_torrents_dirs}/** r, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/@{int}, owner /dev/shm/* rw, owner @{tmp}/@{int} rw, 
diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 87bc84d51..5129f203b 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -51,7 +51,7 @@ profile qbittorrent-nox @{exec_path} { /dev/disk/by-label/ r, /dev/shm/#@{int} rw, - + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index f8e028b88..fa67bad97 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index ac94727c3..5bf8fceb8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 911519459..d02ff9426 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -55,7 +55,6 @@ profile qnapi @{exec_path} { /tmp/ r, owner @{tmp}/@{hex}.* rw, - owner @{tmp}/** rw, owner @{tmp}/#@{int} rw, owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, owner @{tmp}/QNapi-*-rc.lock rwk, diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index e1ff13a92..f743e95b3 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 43964d950..880476b14 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,11 +28,6 @@ profile qt5ct @{exec_path} { owner @{user_config_dirs}/fontconfig/** rw, owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int}, - owner @{user_config_dirs}/kdeglobals r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/qtchooser b/apparmor.d/profiles-m-r/qtchooser index 2202d8c5f..a2485b41d 100644 --- a/apparmor.d/profiles-m-r/qtchooser +++ b/apparmor.d/profiles-m-r/qtchooser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index e97bcc2ec..4b0d9b79c 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 1154ff337..89395f8b5 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -3,29 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/quiterss profile quiterss @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include include + include + include + include + include + include + include + include + include + include network inet dgram, network inet6 dgram, 
@@ -36,9 +30,14 @@ profile quiterss @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, /usr/share/quiterss/** r, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/QuiteRss/ rw, owner @{user_config_dirs}/QuiteRss/** rwkl -> @{user_config_dirs}/QuiteRss/**, owner @{user_share_dirs}/QuiteRss/ rw, @@ -46,55 +45,20 @@ profile quiterss @{exec_path} { owner @{user_cache_dirs}/QuiteRss/ rw, owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**, - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - /dev/shm/#@{int} rw, - owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, owner /var/tmp/etilqs_@{hex16} rw, - # Allowed apps to open - @{lib}/firefox/firefox rPUx, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/shm/#@{int} rw, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index c3a4a8a22..47dd9beab 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
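Review bot: In the last quiterss hunk two former silencers, `deny @{PROC}/sys/kernel/random/boot_id r,` and `deny owner @{PROC}/@{pid}/cmdline r,`, are flipped into allow rules with no note on why the earlier decision was reversed; the previous `deny` suggests a deliberate choice to withhold the per-boot identifier from this feed reader. If Qt now genuinely needs them, a brief comment such as `@{PROC}/sys/kernel/random/boot_id r, # Qt` keeps the reversal reviewable; otherwise the `deny` form is the conservative choice. The `owner /dev/tty@{int} rw,` rule also lost its `# file_inherit` explanation in the same hunk.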
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index dcee35f62..f59880046 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -2,37 +2,38 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/remmina profile remmina @{exec_path} { include + include include include include include + include include + include include include include include - include - include + include include include include - include + include network inet stream, network inet6 stream, network netlink raw, #aa:dbus own bus=session name=org.remmina.Remmina - - dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**} - peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} r, @@ -42,14 +43,13 @@ profile remmina @{exec_path} { /etc/timezone r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, - /etc/gtk-3.0/settings.ini r, owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw, owner @{user_cache_dirs}/remmina/{,**} rw, owner @{user_config_dirs}/autostart/remmina-applet.desktop r, owner @{user_config_dirs}/freerdp/known_hosts2 rwk, - owner @{user_config_dirs}/gtk-3.0/bookmarks r, owner @{user_config_dirs}/remmina/{,**} rw, owner @{user_share_dirs}/remmina/{,**} rw, diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 6f3ba2417..a1fd7b3b3 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
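Review bot: The tray-icon D-Bus rule replaced in the first remmina hunk was peer-agnostic (`peer=(name="{:*,org.freedesktop.DBus}")`), whereas the new `#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell` directive pins the peer to the `gnome-shell` label, so on desktops where another status-notifier host serves the item the generated rules will presumably no longer match and the applet will be denied without an obvious error. If GNOME-only is intended, a comment saying so would help; otherwise consider a label that also covers the other hosts this project profiles. I cannot see the rules the directive expands to, so this is something to verify against the generator output.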
@@ -51,7 +51,7 @@ profile repo @{exec_path} { owner @{tmp}/ssh-*/ rw, owner /dev/shm/* rw, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/*, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 4ef5e6b42..866b7cbfa 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -55,7 +55,6 @@ profile reprepro @{exec_path} { owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r, - profile gpg { include @@ -66,6 +65,7 @@ profile reprepro @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 114846812..7b28a1d22 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/resize2fs profile resize2fs @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 6dfe82b6e..6601b8169 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile resolvconf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, + @{bin}/cp rix, @{bin}/flock rix, @{bin}/mkdir rix, @{bin}/mv rix, 
@@ -22,19 +23,34 @@ profile resolvconf @{exec_path} { @{bin}/rm rix, @{bin}/run-parts rix, @{bin}/sed rix, + @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, /usr/lib/resolvconf/{,**} r, + @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, + /etc/resolvconf.conf r, /etc/resolvconf/{,**} r, /etc/resolvconf/update.d/libc rix, + / r, + owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/run-lock wk, /dev/tty rw, + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index f64dd20ba..041a03e07 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 0f65d8f71..8ae73c5d0 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 641217f56..7b48d57b1 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager @@ -3,29 +3,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/rpi-imager -profile rpi-imager @{exec_path} { +profile rpi-imager @{exec_path} flags=(complain) { include include + include include - include - include include - include - include - include - include + include include - include - include include include include - include #capability sys_admin, # deny capability sys_nice, 
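Review bot: The new `systemctl` child profile in the second resolvconf hunk grants `capability net_admin,` and `capability sys_ptrace,` with no comment on why a `systemctl` call from a resolver hook needs either; if its second include is this tree's systemctl abstraction, the two lines most likely duplicate it, and if it is not, the justification should be recorded. A note on the calling line would help as well, e.g. `@{bin}/systemctl rCx -> systemctl, # update.d hooks reload the resolver`, provided that is what the hooks do. The bare `/ r,` added alongside is harmless but equally unexplained.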
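Review bot: The first rpi-imager hunk switches the profile to `flags=(complain)` without a comment or TODO saying what still has to be fixed before it can return to enforce mode, so the downgrade is easy to lose track of; a marker such as `profile rpi-imager @{exec_path} flags=(complain) { # TODO: enforce once the rule set settles` makes the intent explicit. The `#capability sys_admin,` and `# deny capability sys_nice,` lines kept in the same hunk look like leftovers from earlier experiments and could be resolved at the same time.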
@@ -42,18 +35,15 @@ profile rpi-imager @{exec_path} { @{bin}/lsblk rPx, /etc/fstab r, - /etc/X11/cursors/*.theme r, - /usr/share/hwdata/pnp.ids r, - /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, owner "@{user_cache_dirs}/Raspberry Pi/" rw, owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**", - owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/QtProject.conf r, + + owner "@{user_config_dirs}/Raspberry Pi/" rw, + owner "@{user_config_dirs}/Raspberry Pi/**" rwlk -> "@{user_config_dirs}/Raspberry Pi/**", owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/rredtool b/apparmor.d/profiles-m-r/rredtool index d8024b279..97e96d652 100644 --- a/apparmor.d/profiles-m-r/rredtool +++ b/apparmor.d/profiles-m-r/rredtool @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 423e7e41a..b4ae4b211 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 21e715579..ddb62cb5f 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index d855c0a35..9417c93b1 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index b37172246..69e8c4d0d 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,7 +4,13 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile +# Possible confinement depending of profile architecture: +# - As rix, +# - As rCx -> run-parts, +# - As rPx -> foo-run-parts, + +abi , include @@ -185,6 +191,8 @@ profile run-parts @{exec_path} { @{PROC}/@{pids}/mounts r, /dev/tty@{int} rw, + + include if exists } profile kernel { @@ -242,6 +250,7 @@ profile run-parts @{exec_path} { @{PROC}/devices r, @{PROC}/cmdline r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 97100f32a..9931c07fb 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -3,50 +3,37 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/runuser profile runuser @{exec_path} { include - include include + include include include - # To remove the following errors: - # runuser: cannot set user id: Operation not permitted capability setuid, - - # To remove the following errrors: - # runuser: cannot set groups: Operation not permitted capability setgid, - - # To write records to the kernel auditing log. capability audit_write, - - # Needed? (#FIXME#) capability sys_resource, network netlink raw, @{exec_path} mr, - # Shells to use - @{bin}/{,b,d,rb}ash rpux, - @{bin}/{c,k,tc,z}sh rpux, - - owner @{PROC}/@{pid}/loginuid r, - @{PROC}/1/limits r, + @{bin}/@{shells} rUx, @{etc_ro}/security/limits.d/ r, - /etc/default/runuser r, - # file_inherit owner @{tmp}/debian-security-support.postinst.*/output w, + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid r, + include if exists } 
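Review bot: The runuser hunk removes `/etc/default/runuser r,` although util-linux's runuser(1) still lists /etc/default/runuser as its login.defs-style configuration file, so on systems where that file exists the profile will now log a read denial; unless the removal came from an observed no-op, keep the rule. Separately, `@{bin}/@{shells} rUx,` replaces the old `rpux` rules, so every shell spawned now leaves confinement directly (with environment scrubbing) instead of first attempting a shell profile. That is consistent with how a privilege-switching tool is usually treated, but the explanatory comments were dropped with it, so a one-liner such as `# The target shell runs unconfined: runuser switches identity, it does not confine the child` would preserve the rationale.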
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 956aaeaa4..004c29d64 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -1,7 +1,8 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,9 +35,9 @@ profile rustdesk @{exec_path} { @{bin}/curl rix, @{bin}/ls rix, - @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rPx -> rustdesk_python, - @{sh_path} rPx -> rustdesk_shell, + @{bin}/sudo rCx -> sudo, + @{bin}/python3.@{int} rCx -> python, + @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, 
@@ -59,80 +60,72 @@ profile rustdesk @{exec_path} { profile sudo { include - include include + include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk_python, + @{bin}/python3.@{int} rPx -> rustdesk//python, include if exists } + profile python { + include + include + + capability dac_read_search, + capability dac_override, + + @{bin}/python3.@{int} r, + + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/uname rPx, + /usr/share/rustdesk/files/pynput_service.py rix, + + /usr/share/[rR]ust[dD]esk/files/{,**} r, + /tmp/[rR]ust[dD]esk/ w, + /tmp/[rR]ust[dD]esk/pynput_service rw, + + @{run}/user/@{uid}/gdm{,3}/Xauthority r, + + owner @{PROC}/@{pid}/fd/ r, + + # X-tiny + /tmp/.X11-unix/* rw, + owner @{HOME}/.xsession-errors w, + owner @{HOME}/.Xauthority r, + + include if exists + } + + profile shell { + include + + capability dac_override, + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{sh_path} r, + + @{bin}/tr rix, + @{bin}/{,e}grep rix, + @{bin}/tail rix, + @{bin}/xargs rix, + @{bin}/sed rix, + @{bin}/cat rix, + + @{bin}/ps rPx, + + @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + + include if exists + } + include if exists } -profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py { - include - - @{exec_path} r, - - include if exists -} - -profile rustdesk_python { - include - include - - capability dac_read_search, - capability dac_override, - - @{bin}/python3.@{int} r, - - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/uname rPx, - /usr/share/rustdesk/files/pynput_service.py rPx, - - /usr/share/[rR]ust[dD]esk/files/{,**} r, - /tmp/[rR]ust[dD]esk/ w, - /tmp/[rR]ust[dD]esk/pynput_service rw, - - @{run}/user/@{uid}/gdm{,3}/Xauthority r, - - owner @{PROC}/@{pid}/fd/ r, - - # X-tiny - /tmp/.X11-unix/* rw, - owner @{HOME}/.xsession-errors w, - owner @{HOME}/.Xauthority r, - - include if exists -} - -profile rustdesk_shell { - include - - capability sys_ptrace, - capability dac_read_search, - deny 
capability dac_override, - - ptrace (read), - - @{sh_path} r, - - @{bin}/tr rix, - @{bin}/{,e}grep rix, - @{bin}/tail rix, - @{bin}/xargs rix, - @{bin}/sed rix, - @{bin}/cat rix, - - @{bin}/ps rPx, - - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/environ r, - - include if exists -} - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils index 0707f9c8f..fc0c7d9bd 100644 --- a/apparmor.d/profiles-m-r/rustdesk-utils +++ b/apparmor.d/profiles-m-r/rustdesk-utils @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/rustdesk-utils +@{exec_path} = @{bin}/rustdesk-utils profile rustdesk-utils @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index ccbbb2494..de55bf829 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,8 +37,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/YACReader/YACReader/ rw, owner @{user_share_dirs}/YACReader/YACReader/** rwlk, - /dev/shm/ r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 418167345..38336fbc7 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
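Review bot: The `shell` child profile that replaces `rustdesk_shell` turns the former `deny capability dac_override,` into an allow: the new block reads `capability dac_override,` beside `capability dac_read_search,`, so the shell helper can now bypass permission checks for writes as well as reads. If that was not intended, restore `deny capability dac_override,`; if it was, a comment on why the helper needs it is warranted given the same block also holds `capability sys_ptrace,` and `ptrace read,`. A second, smaller loss of isolation is `/usr/share/rustdesk/files/pynput_service.py rix,` in the `python` child profile, which inherits the python rules where the old `rPx` transitioned into the dedicated `rustdesk_pynput_service` profile this hunk deletes; probably fine, but worth a line in the commit message.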
@@ -14,11 +14,16 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted include include include + include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -29,7 +34,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/machine-id r, - owner @{user_books_dirs}/{,**} r, + owner @{user_books_dirs}/{,**} rw, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, owner @{user_cache_dirs}/YACReader/ rw, @@ -43,7 +48,10 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{tmp}/@{uuid} w, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index d614330d2..985f124de 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index aadad6860..04ee747bf 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid 
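Review bot: `owner @{user_books_dirs}/{,**} rw,` widens the whole books tree from read to read-write, while the very next line already grants `rwk` on `@{user_books_dirs}/**/.yacreaderlibrary/{,**}`. If the new write need is only the library metadata directory or a specific cover/thumbnail path, scope the rule to that path instead; if YACReaderLibrary genuinely renames or deletes comics, a comment such as `# Write needed for library management (rename/delete comics)` would justify the widening.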
@@ -2,32 +2,29 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid +@{exec_path} = @{bin}/sanoid profile sanoid @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, @{sh_path} rix, @{bin}/perl rix, @{bin}/ps rPx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + @{bin}/zfs rPx, - /etc/sanoid/{*,} r, + /usr/share/sanoid/{,**} r, - /var/cache/sanoid/snapshots.txt rw, + /etc/sanoid/{,*} r, - /usr/share/sanoid/{**,} r, + /var/cache/sanoid/{,**} rw, @{run}/sanoid/ rw, - @{run}/sanoid/sanoid_cacheupdate.lock rwk, - @{run}/sanoid/sanoid_pruning.lock rwk, - - owner @{tmp}/** rw, + @{run}/sanoid/** rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 938ecb638..4c5d62597 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,6 +18,7 @@ profile sbctl @{exec_path} { @{bin}/lsblk rPx, /usr/share/secureboot/{,**} rw, + /var/lib/sbctl/{,**} rw, /{boot,efi}/{,**} r, /{boot,efi}/EFI/{,**} rw, @@ -30,8 +31,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/pts/@{int} rw, # File Inherit diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index f1af86477..3d33e8a3e 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index 377bb7962..9573da520 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sdcv b/apparmor.d/profiles-s-z/sdcv index cfc6c1b3c..4f6b26e39 100644 --- a/apparmor.d/profiles-s-z/sdcv +++ b/apparmor.d/profiles-s-z/sdcv @@ -3,7 +3,7 @@ # Copyright (C) 2023 Andy Ramos # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 3ded8b7ae..51016373d 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 618332bce..fd839099e 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 5eececb0b..e3eca4e22 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} { capability syslog, @{exec_path} rm, - + @{bin}/kmod rCx -> kmod, @{bin}/perl r, @{bin}/systemctl rCx -> systemctl, @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, 
@@ -50,7 +50,7 @@ profile sensors-detect @{exec_path} { include include - include if exists + include if exists } profile systemctl { diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop new file mode 100644 index 000000000..98b194fb7 --- /dev/null +++ b/apparmor.d/profiles-s-z/session-desktop @@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = {S,s}ession +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/session-messenger-desktop @{lib_dirs}/session-desktop +profile session-desktop @{exec_path} { + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, + + @{open_path} rPx -> child-open-strict, + + deny / r, + deny @{HOME}/ r, + deny @{HOME}/.pki/{,**} rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_cache_dirs}/thumbnails/** rw, + deny /etc/machine-id r, + deny /var/lib/dbus/machine-id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 25fe43065..72c9b8a93 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 79398e82d..6c9a3fe62 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -15,6 +15,8 @@ profile setvtrgb @{exec_path} { @{exec_path} mr, + /etc/console-setup/vtrgb r, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 5b75a27ef..0009d52cb 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -3,22 +3,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/sfdisk profile sfdisk @{exec_path} { include + include include - # Needed to avoid the following error: - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) - # - # Checking that no-one is using this disk right now ... FAILED - # This disk is currently in use - repartitioning is probably a bad idea. - # Umount all file systems, and swapoff all swap partitions on this disk. - # Use the --no-reread flag to suppress this check. capability sys_admin, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index 00a8c7a56..ecc6abcdb 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop new file mode 100644 index 000000000..b905e8f3a --- /dev/null +++ b/apparmor.d/profiles-s-z/signal-desktop 
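Review bot: The sfdisk hunk drops the comment explaining why `capability sys_admin,` is required (the `ioctl(BLKRRPART)` EACCES trace), leaving the broadest capability in the profile with no justification. sys_admin is exactly the rule a future reviewer will want to remove, so keep at least a one-liner above it: `# Needed for ioctl(BLKRRPART) to re-read the partition table after writing`. The full error transcript can go; the reason should stay.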
@@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = signal-desktop{,-beta} +@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} +@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{lib_dirs}/@{name} +profile signal-desktop @{exec_path} { + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{bin}/getconf rix, + @{open_path} rPx -> child-open-strict, + + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, + + audit @{lib_dirs}/chrome-sandbox rPx, + @{lib_dirs}/chrome_crashpad_handler rix, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/vmstat r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox similarity index 72% rename from apparmor.d/groups/apps/signal-desktop-chrome-sandbox rename to apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index 8a5083143..b9efca35a 100644 --- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox 
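Review bot: `@{PROC}/@{pid}/fd/ r,` in the new signal-desktop profile has no `owner` qualifier, so it allows listing the open-descriptor directory of any process, whereas the other new rules in this commit (rustdesk's `python` and `shell` child profiles) use `owner @{PROC}/@{pid}/fd/ r,`. Unless Signal is known to inspect other processes' descriptors, prefer `owner @{PROC}/@{pid}/fd/ r,`. Also, the `audit @{lib_dirs}/chrome-sandbox rPx,` prefix will log every sandbox exec; if it is meant as a permanent tripwire rather than a debugging aid, a comment saying so would stop it being stripped as noise later.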
@@ -3,12 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" -@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" +@{name} = signal-desktop{,-beta} +@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} +@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} +@{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/chrome-sandbox profile signal-desktop-chrome-sandbox @{exec_path} { @@ -19,7 +21,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} { @{exec_path} mr, - @{lib_dirs}/signal-desktop{,-beta} rPx, + @{lib_dirs}/@{name} rPx, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/oom_adj w, @@ -28,5 +30,4 @@ profile signal-desktop-chrome-sandbox @{exec_path} { include if exists } - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index eb9866b53..9f395735e 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -4,7 +4,7 @@ # https://github.com/SagerNet/sing-box -abi , +abi , include @@ -31,8 +31,6 @@ profile sing-box @{exec_path} { owner @{user_share_dirs}/certmagic/** rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index 0ec43cc9b..ed4dd8d5e 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile slirp4netns @{exec_path} flags=(attach_disconnected) { include - # userns, + userns, capability net_admin, capability setpcap, diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 6487e82e3..4af40c8ab 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl 
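Review bot: `userns,` is now uncommented in slirp4netns, so the confined process may create unprivileged user namespaces, and nothing in the hunk records why the rule was previously disabled or what changed. Presumably this is for rootless container networking, but a brief comment above it, e.g. `# Needed for rootless container networking (user namespace setup)`, would document the need; since the profile already carries `capability net_admin,` and `capability setpcap,`, the namespace grant is the piece most worth explaining.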
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index bdac4d92f..d0f9c28fd 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -4,7 +4,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,8 +39,6 @@ profile smartd @{exec_path} { /var/lib/smartmontools/smartd.*.state{,~} rw, /var/lib/smartmontools/attrlog.*.csv rw, - /tmp/tmp.* rw, - @{run}/systemd/notify rw, @{sys}/class/scsi_host/ r, diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool index 010226342..a0d9600ad 100644 --- a/apparmor.d/profiles-s-z/smbspool +++ b/apparmor.d/profiles-s-z/smbspool @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 28065ac24..858c73637 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -53,8 +53,6 @@ profile smplayer @{exec_path} { owner @{user_config_dirs}/smplayer/ rw, owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#@{int}, - owner @{user_cache_dirs}/#@{int} rw, - owner @{tmp}/qtsingleapp-smplay-* rw, owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk, owner @{tmp}/smplayer_preview/ rw, diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index af761d43c..c318328b6 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -68,38 +68,11 @@ profile smtube @{exec_path} { @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, + @{open_path} rPx -> child-open, # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index f59fd9226..912ab1a8b 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -70,7 +70,6 @@ profile snap @{exec_path} { @{run}/mount/utab r, @{run}/snapd.socket rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pids}/cgroup r, @@ -105,7 +104,10 @@ profile snap @{exec_path} { profile systemctl { include include - + include + + network unix stream, + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/profiles-s-z/snap-bootstrap index 71a4ad8f2..95cc306fc 100644 --- a/apparmor.d/profiles-s-z/snap-bootstrap +++ b/apparmor.d/profiles-s-z/snap-bootstrap @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper index ec342d4e2..5a9fded35 100644 --- a/apparmor.d/profiles-s-z/snap-device-helper +++ b/apparmor.d/profiles-s-z/snap-device-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns index ab90529b7..f1f6f9d67 100644 --- a/apparmor.d/profiles-s-z/snap-discard-ns +++ b/apparmor.d/profiles-s-z/snap-discard-ns @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure index df8fe47fb..e9bef6d4e 100644 --- a/apparmor.d/profiles-s-z/snap-failure +++ b/apparmor.d/profiles-s-z/snap-failure @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,6 @@ profile snap-failure @{exec_path} { /var/lib/snapd/sequence/snapd.json r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, profile systemctl { diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/profiles-s-z/snap-repair index d5f282ffa..fe9be759a 100644 --- a/apparmor.d/profiles-s-z/snap-repair +++ b/apparmor.d/profiles-s-z/snap-repair @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 0da410bca..235ef2080 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,9 +18,9 @@ profile snap-seccomp @{exec_path} { @{exec_path} mr, - /var/lib/snapd/seccomp/bpf/{,**} rw, + @{lib_dirs}/**.so* mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /var/lib/snapd/seccomp/bpf/{,**} rw, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index e9315f5c7..3021a1ad7 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -47,7 +47,6 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index fa5ef1956..e6ded0956 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,6 +28,7 @@ profile snapd @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability mac_admin, capability net_admin, capability setgid, capability setuid, @@ -153,7 +154,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/kernel/kexec_loaded r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener index 3e3045b80..5620fc975 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,8 +16,6 @@ profile snapd-aa-prompt-listener @{exec_path} { @{lib_dirs}/snapd/info r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, include if exists 
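Review bot: `capability mac_admin,` is added to snapd without a comment; that capability allows changing MAC (here AppArmor) policy, which makes it the most consequential rule in the profile, and the sibling addition `@{sys}/kernel/security/apparmor/.notify r,` in the next hunk suggests it is tied to the AppArmor notification/prompting interface. Add a one-liner above it, e.g. `# Needed for the AppArmor policy/notification interface (see .notify below)`, so the grant is not removed as over-broad later and the two additions are visibly related.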
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui index d7b9b3713..14354cfb9 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index 22a9c5faa..e7a3b4946 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,8 +22,6 @@ profile snapd-apparmor @{exec_path} { /var/lib/snapd/apparmor/profiles/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/profiles-s-z/snapd-core-fixup index fffbc4468..0e33aaea0 100644 --- a/apparmor.d/profiles-s-z/snapd-core-fixup +++ b/apparmor.d/profiles-s-z/snapd-core-fixup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index 5afff36e6..91ca7cd69 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot @@ -3,24 +3,27 @@ # SPDX-License-Identifier: GPL-2.0-only # vim:syntax=apparmor -abi , +abi , include @{exec_path} = @{bin}/snapshot -profile snapshot @{exec_path} { +profile snapshot @{exec_path} flags=(attach_disconnected) { include include include include include + include @{exec_path} mr, + @{open_path} rPx -> child-open-help, + owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{sys}/devices/virtual/dmi/id/bios_vendor r, include if exists } 
diff --git a/apparmor.d/profiles-s-z/spacefm-auth b/apparmor.d/profiles-s-z/spacefm-auth index 754908eac..60111288f 100644 --- a/apparmor.d/profiles-s-z/spacefm-auth +++ b/apparmor.d/profiles-s-z/spacefm-auth @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 33c02ce44..e70a5c499 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher new file mode 100644 index 000000000..13ed65c09 --- /dev/null +++ b/apparmor.d/profiles-s-z/speech-dispatcher @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/speech-dispatcher +profile speech-dispatcher @{exec_path} { + include + include + include + include + include + + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + @{sh_path} ix, + @{lib}/speech-dispatcher/** r, + @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, + + /etc/machine-id r, + /etc/speech-dispatcher/{,**} r, + + owner @{run}/user/@{uid}/speech-dispatcher/ rw, + owner @{run}/user/@{uid}/speech-dispatcher/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 511f32a96..f31818354 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
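Review bot: `@{sh_path} ix,` and `@{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,` in the new speech-dispatcher profile omit the `r` that every other exec rule in this commit carries (`rix`, `rPx`, `rCx` throughout resolvconf, rustdesk and signal-desktop). It parses, but for consistency with the project convention write `@{sh_path} rix,` and `@{lib}/speech-dispatcher/speech-dispatcher-modules/* rix,`. The `@{lib}/speech-dispatcher/** r,` rule between them already covers reading the modules, so for that line the change is cosmetic, which is exactly why it should match the surrounding style.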
@@ -12,6 +12,7 @@ profile speedtest @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -26,12 +27,10 @@ profile speedtest @{exec_path} { @{bin}/file rix, @{bin}/uname rix, - owner @{PROC}/@{pid}/fd/ r, - - /usr/local/lib/python*/dist-packages/ r, - /etc/magic r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index 1847c93d7..58da03738 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,10 +17,7 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{exec_path} mr, - @{lib}/gconv/gconv-modules r, - owner @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/cap_last_cap r, include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 93be9c783..79204827f 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -2,13 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -46,8 +47,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index e9a8b6330..bebfbe419 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -16,7 +16,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ef939ef07..8ccbbf0f1 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile spotify @{exec_path} { +profile spotify @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 36f4c988d..3b55547be 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile ss @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace (read), # unconfined, TODO + ptrace read, network netlink raw, 
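Review bot: Replacing `ptrace (read), # unconfined, TODO` with a bare `ptrace read,` drops the only record that the unrestricted peer is a known over-grant; together with `capability sys_ptrace,` it lets ss read `/proc/@{pids}/fd/` of every process on the system, which `ss -p` needs but which a later reader will otherwise take as accidental. Keep the rationale on the rule, e.g. `ptrace read, # ss -p reads fd/ of every process, hence no peer= restriction`. If the intent was to narrow rather than document, the explicit form would be `ptrace read peer=unconfined,`, but that would break `-p` for processes running under other profiles, so documenting looks like the better fit here.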
@@ -27,21 +27,20 @@ profile ss @{exec_path} { owner @{tmp}/*.ss rw, owner @{HOME}/*.ss rw, + @{sys}/fs/cgroup/{,**/} r, + @{PROC} r, - @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/net/sockstat r, - owner @{PROC}/@{pids}/net/snmp r, - owner @{PROC}/@{pids}/net/unix r, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + owner @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/net/raw r, + owner @{PROC}/@{pids}/net/snmp r, + owner @{PROC}/@{pids}/net/sockstat r, owner @{PROC}/@{pids}/net/tcp r, owner @{PROC}/@{pids}/net/udp r, - - # [e]xtended - owner @{PROC}/@{pids}/mounts r, - @{sys}/fs/cgroup/{,**/} r, + owner @{PROC}/@{pids}/net/unix r, include if exists } diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal index beff6a1e9..b71c97f55 100644 --- a/apparmor.d/profiles-s-z/sslocal +++ b/apparmor.d/profiles-s-z/sslocal @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/sslocal +@{exec_path} = @{bin}/sslocal profile sslocal @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager index 7a89ea8bd..6165d433b 100644 --- a/apparmor.d/profiles-s-z/ssmanager +++ b/apparmor.d/profiles-s-z/ssmanager @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssmanager +@{exec_path} = @{bin}/ssmanager profile ssmanager @{exec_path} { include include 
diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index 51dc62837..11ca72434 100644 --- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssserver +@{exec_path} = @{bin}/ssserver profile ssserver @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice index 1c62764b2..4e4642895 100644 --- a/apparmor.d/profiles-s-z/ssservice +++ b/apparmor.d/profiles-s-z/ssservice @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssservice +@{exec_path} = @{bin}/ssservice profile ssservice @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index e1c7b9068..9555a9825 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssurl +@{exec_path} = @{bin}/ssurl profile ssurl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index 616b66963..85ec45d5c 100644 --- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 26cf4027f..34f6d4724 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 82deb0d65..252c89869 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -17,11 +17,10 @@ # ├── steam-gameoverlayui # Steam game overlay # └── steamerrorreporter # Error reporter -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @@ -54,7 +53,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace read, ptrace trace peer=steam, - signal send peer=steam-game, + signal send peer=steam-game-{native,proton}, signal send peer=steam-launcher, signal send peer=steam//journalctl, signal send peer=steam//web, @@ -108,6 +107,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, 
@@ -175,14 +175,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex8} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -248,6 +249,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -255,6 +257,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability dac_override, capability dac_read_search, capability sys_chroot, @@ -305,12 +308,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, 
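Review bot: `capability dac_override,` is added at `@@ -255,6 +257,7 @@` beside the existing `capability dac_read_search,` with nothing saying which write or exec the override was needed for; dac_read_search already covers reads, so the new grant is specifically a bypass of write/execute permission bits, which in a profile that also carries broad `rw` under `@{tmp}` and `/dev/shm` is a wide grant. Record the trigger on the rule, e.g. `capability dac_override, # needed for: <denied path from aa-log>`, or revert it if the denial turns out to be a read that dac_read_search already allows. The (sub)profile this hunk sits in starts outside the hunk, so the scope of the grant could not be confirmed here.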
@@ -321,15 +318,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{tmp}/ r, owner @{tmp}/#@{int} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -374,6 +368,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability dac_override, capability dac_read_search, unix receive type=stream, @@ -391,7 +386,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/ r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, include if exists } diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize index b33c90d8b..e3e7f87e2 100644 --- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -2,11 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native index 2817006f2..ca80801d7 100644 --- a/apparmor.d/profiles-s-z/steam-game-native +++ b/apparmor.d/profiles-s-z/steam-game-native 
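Review bot: The second `capability dac_override,` at `@@ -374,6 +368,7 @@` has the same gap as the first one in this file: it is placed next to `capability dac_read_search,` with no comment naming the path that needed the override, so a reader cannot tell whether a narrower file rule would have sufficed. Please add the trigger inline, e.g. `capability dac_override, # needed for: <denied path from aa-log>`, or drop it if the denial was read-only. The subprofile this hunk belongs to has its header outside the hunk.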
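Review bot: `@{PROC}/@{pid}/cgroup r,` becoming `@{PROC}/1/cgroup r,` at `@@ -391,7 +386,7 @@` reads PID 1's cgroup instead of the process's own, and the hunk does not say why; inside the bwrap namespace PID 1 is presumably the sandbox init rather than the host's systemd, but from the profile alone that is not obvious and the rule looks like a typo for `@{pid}`. A short comment such as `@{PROC}/1/cgroup r, # pid 1 of the pressure-vessel pid namespace, not host init` would settle it. The enclosing subprofile starts outside the hunk.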
@@ -2,11 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 49a668996..dfa8b84da 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -2,11 +2,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @@ -14,12 +13,13 @@ include @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap -profile steam-game-proton @{exec_path} flags=(attach_disconnected) { +profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include include include include + capability dac_override, capability dac_read_search, network inet dgram, @@ -29,10 +29,13 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { network unix stream, signal receive peer=steam, + unix, @{exec_path} mr, @{bin}/bwrap mrix, + @{bin}/chmod rix, + @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/ldconfig rix, @@ -43,7 +46,6 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, - @{bin}/chmod rix, @{open_path} rix, @{lib_dirs}/** mr, 
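Review bot: `flags=(attach_disconnected,complain)` switches steam-game-proton to complain mode, so every rule below — including the `capability dac_override,` and the blanket `unix,` added in the same commit — is now audit-only, and nothing in the hunk records that this is deliberate or temporary. A header comment above `profile steam-game-proton`, e.g. `# complain: Proton launch path is still being profiled; remove once the rule set is stable`, keeps the weakened state visible to whoever next reads the file. `unix,` with no `type=`/`peer=` qualifier also merits a note: the profile already lists `network unix stream,` as context, so if only stream traffic to known peers is needed a qualified rule would do, and if the bare rule is required the reason should be on it. The `@{bin}/chmod rix,` move is ordering only.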
@@ -51,12 +53,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{app_dirs}/** mr, - @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{app_dirs}/Proton*/files/@{bin}/* rix, - @{app_dirs}/Proton*/files/@{lib}/** rix, - @{app_dirs}/Proton*/proton rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/** mrix, @{run}/host/@{bin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @@ -72,6 +69,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { owner /var/pressure-vessel/** rw, owner /var/cache/ldconfig/aux-cache* rw, + owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, owner @{app_dirs}/Proton*/** rwkl, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 077e6cf8b..0cd837135 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -2,11 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @@ -23,7 +22,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - network unix stream, + + unix, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch index 877181b61..977248c96 100644 --- a/apparmor.d/profiles-s-z/steam-launch +++ b/apparmor.d/profiles-s-z/steam-launch 
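Review bot: `@{app_dirs}/** mrix,` collapses five path-specific exec rules into one that lets anything under `@{share_dirs}/steamapps/common/` — user-writable game content — execute inherited inside this profile, with its `capability dac_override` and network rules. That is plausibly the intent (the games themselves run here), but the previous rules limited in-profile exec to pressure-vessel, Proton and the launcher interface, so the broadening should be stated on the rule: `@{app_dirs}/** mrix, # games and Proton itself run inside this profile`. `owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw,` is correctly quoted for the space in the path.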
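Review bot: In the steam-gameoverlayui hunk `network unix stream,` is widened to a bare `unix,`, which allows every unix-socket operation (create, bind, listen, connect, send, receive, …) with any peer rather than just stream traffic, and the hunk gives no denial or reason. If the overlay only needs to talk to the steam client, a qualified rule such as `unix (send, receive) type=stream peer=(label=steam),` keeps the grant narrow; if the broad rule really is needed, a comment on it saying why would do. The rest of the steam-gameoverlayui profile is outside the hunk.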
@@ -2,11 +2,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @@ -23,6 +22,7 @@ profile steam-launch @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/cmp rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/env rix, @@ -33,6 +33,8 @@ profile steam-launch @{exec_path} { @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, + /usr/ r, /usr/local/ r, diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher index 45fa30245..12138e360 100644 --- a/apparmor.d/profiles-s-z/steam-launcher +++ b/apparmor.d/profiles-s-z/steam-launcher @@ -2,11 +2,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index 6fde5418f..abf84d3c0 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime @@ -2,11 +2,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} 
@@ -42,9 +41,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{app_dirs}/@{runtime}/*entry-point rmix, @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, @{app_dirs}/@{runtime}/run rix, @{bin}/bwrap rpx -> steam-game-proton, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote new file mode 100644 index 000000000..93a93e892 --- /dev/null +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ + +@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote +profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) { + include + + @{exec_path} mr, + + @{runtime_dirs}/** mr, + + owner @{HOME}/.steam/steam.pipe rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter index 3e206e898..8214a1fb9 100644 
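Review bot: `profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain)` ships a brand-new profile in complain mode, so its three rules are not enforced and any missing access will only ever show up as an audit line, yet nothing in the file says why or when the flag comes off. A header comment, e.g. `# complain: new profile, rule set not yet validated against real use`, would make the provisional state explicit. The same goes for `attach_disconnected`: a profile that only maps `@{runtime_dirs}/**` and opens `owner @{HOME}/.steam/steam.pipe rw` shows no visible reason for it, so note the disconnected path or drop the flag. This is a new file, so the whole profile is visible.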
--- a/apparmor.d/profiles-s-z/steamerrorreporter +++ b/apparmor.d/profiles-s-z/steamerrorreporter @@ -2,11 +2,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 484a4069d..6a337a66b 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,7 +37,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, - @{bin}/strawberry-tagreader rPx, + @{bin}/strawberry-tagreader rPx -> strawberry//&strawberry-tagreader, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 0e1aced4f..8de73c57c 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 237d5ed02..02a212150 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,6 +28,8 @@ profile su @{exec_path} { @{etc_ro}/default/su r, + @{HOME}/.xauth@{rand6} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 6f4e290d6..49df90aa3 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
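Review bot: `@{HOME}/.xauth@{rand6} rw,` in the su hunk carries no `owner` qualifier, so root-running su may write any user's `~/.xauth*` file rather than only the target user's. If this access comes from pam_xauth — which, as far as I recall, creates the temporary `.xauthXXXXXX` file after switching to the target user's ids — then `owner @{HOME}/.xauth@{rand6} rw,` would still match and is the tighter rule; if the unqualified form is actually required, a comment such as `# pam_xauth: file is written before the uid switch, owner cannot apply` would explain the exception. The rest of the su profile is outside the hunk.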
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,6 +46,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{run}/ r, @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/?@{int}.ref rw, + + @{sys}/fs/cgroup/*.slice{,/*.slice}/*.service/cgroup.procs r, include if exists } diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin index 3793df043..556808aeb 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/profiles-s-z/sulogin @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity new file mode 100644 index 000000000..c0b940478 --- /dev/null +++ b/apparmor.d/profiles-s-z/superproductivity @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = super{p,P}roductivity +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} +profile superproductivity @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mrix, + + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open-strict, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/profiles-s-z/swaplabel index 03d2fe8d0..05dc5783a 100644 --- a/apparmor.d/profiles-s-z/swaplabel +++ b/apparmor.d/profiles-s-z/swaplabel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
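Review bot: `network netlink raw,` together with the four inet rules gives this Electron app more socket reach than its visible file rules justify, and none of them carries a reason; netlink raw is presumably Chromium's route-change listener, but that should be stated on the rule, e.g. `network netlink raw, # Chromium network-change notifier`, so it is not mistaken for a leftover. `@{exec_path} mrix,` also means that a `@{bin}/@{name}` wrapper, if the distribution ships one, runs in-profile with those rules, which is fine but worth the same one-line note. `@{bin}/speech-dispatcher rPx,` transitions into the speech-dispatcher profile added by this same commit, so the two files need to land together. This is a new file, so the whole profile is visible.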
diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/profiles-s-z/swapon index 31ee2e93a..83d2c6a3b 100644 --- a/apparmor.d/profiles-s-z/swapon +++ b/apparmor.d/profiles-s-z/swapon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 4cfa8ba96..b2df1a346 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl index 9979c9246..538931554 100644 --- a/apparmor.d/profiles-s-z/switcherooctl +++ b/apparmor.d/profiles-s-z/switcherooctl @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile switcherooctl @{exec_path} { include include - #aa:dbus own bus=system name=net.hadess.SwitcherooControl + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 4f6d1b38c..783e58237 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl index c77810624..f1e41aa6e 100644 --- a/apparmor.d/profiles-s-z/swtpm_ioctl +++ b/apparmor.d/profiles-s-z/swtpm_ioctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca index a9749c91f..dbe202581 100644 
--- a/apparmor.d/profiles-s-z/swtpm_localca +++ b/apparmor.d/profiles-s-z/swtpm_localca @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index f4b01f0e0..08ee1532e 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 6bdb55732..3b18ad36e 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index c90665cdf..821a3fd63 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - owner @{tmp}/** rw, - @{PROC}/@{pids}/maps r, include if exists diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 50b04668b..f668f5a00 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,8 +36,6 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/@{pids}/net/route r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 4e50430be..6dd12a023 100644 --- a/apparmor.d/profiles-s-z/sysctl 
+++ b/apparmor.d/profiles-s-z/sysctl @@ -4,7 +4,7 @@ # TODO: Rethink this profile. Should not be called by another profile. -abi , +abi , include @@ -30,6 +30,8 @@ profile sysctl @{exec_path} { deny network inet6 stream, deny network inet stream, + /etc/ufw/sysctl.conf r, # Add support for ufw + include if exists } diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ab36047f2..4db5c6f92 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,8 +46,6 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{tmp}/* rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0112b152a..0197e3c3b 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index bd7f276a8..598e59341 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,10 +23,7 @@ profile task @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, + @{editor_path} rCx -> editor, /usr/share/{doc/,}task{warrior,}/** r, 
diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index b96200dea..bc2779d51 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -40,13 +40,13 @@ profile tasksel @{exec_path} flags=(complain) { owner @{tmp}/file* w, - profile tasksel-tests flags=(complain) { include @{lib}/tasksel/tests/* r, @{sh_path} rix, + include if exists } profile frontend flags=(complain) { @@ -76,6 +76,7 @@ profile tasksel @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/taskwarrior-tui b/apparmor.d/profiles-s-z/taskwarrior-tui index f125c993d..8a02b8d04 100644 --- a/apparmor.d/profiles-s-z/taskwarrior-tui +++ b/apparmor.d/profiles-s-z/taskwarrior-tui @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop similarity index 61% rename from apparmor.d/groups/apps/telegram-desktop rename to apparmor.d/profiles-s-z/telegram-desktop index be043e150..d967f4229 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,15 +11,22 @@ include profile telegram-desktop @{exec_path} { include include - include + include + include + include include + include + include include include + include include include include include + include include + include network inet dgram, network inet6 dgram, 
@@ -28,27 +35,26 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mrix, + @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, + @{open_path} rPx -> child-open-strict, - @{open_path} rPx -> child-open, - - /usr/share/TelegramDesktop/{,**} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{user_share_dirs}/TelegramDesktop/ rw, + owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner @{tmp}/@{hex}-* rwk, - owner @{run}/user/@{uid}/@{hex}-* rwk, - owner /dev/shm/#@{int} rw, + owner @{tmp}/@{hex32}-?@{uuid}? rwk, + audit owner /dev/shm/#@{int} rw, + + @{sys}/kernel/mm/transparent_hugepage/enabled r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 3f9ba6e25..e5a8f80d9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -22,6 +23,8 @@ profile terminator @{exec_path} flags=(attach_disconnected) { ptrace, + signal send set=hup peer=unconfined, + #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index fb848cb1c..33f6fe6dc 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
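Review bot: `audit owner /dev/shm/#@{int} rw,` makes every matching open show up in the audit log, which is normally a temporary debugging aid rather than something a shipped profile carries. If it is a leftover, drop the qualifier to `owner /dev/shm/#@{int} rw,`; if it is intentional, put the reason on the line (`audit owner /dev/shm/#@{int} rw, # watched: <reason>`) so the next reader does not remove it. profile telegram-desktop continues past the hunk.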
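Review bot: `signal send set=hup peer=unconfined,` in the terminator hunk lets the profile HUP any unconfined process, not just the ones it spawned, and the hunk gives no hint why that width is needed. If the target is the child shells terminator starts, a comment such as `# HUP child shells on tab close (children run unconfined) — TODO confirm` documents the intent, and if those children actually transition to a profile the rule should name that peer instead of `unconfined`. profile terminator starts and ends outside the hunk.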
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index abea43b61..fe30e6da8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -4,7 +4,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include capability sys_boot, - + #aa:dbus own bus=system name=org.freedesktop.thermald @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index 56a39736e..ddf7e1ff2 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index d6553d990..1ee9f0941 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = thunderbird{,.sh,-bin} +@{name} = thunderbird{,-bin} @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{HOME}/.@{name}/ @{cache_dirs} = @{user_cache_dirs}/@{name}/ 
@@ -15,60 +15,18 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include + include include - - # userns, - - capability sys_admin, # If kernel.unprivileged_userns_clone = 1 - capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=@{profile_name}, + include #aa:dbus own bus=session name=org.mozilla.thunderbird - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={UserAdded,UserRemoved} - peer=(name=:*, label=systemd-logind), - - dbus receive bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mrix, - @{sh_path} rix, - @{bin}/which.debianutils rix, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/*.so mr, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/thunderbird-wrapper-helper.sh rix, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx, + @{lib_dirs}/vaapitest rPx, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, # GPG integration 
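Review bot: The deleted `capability sys_admin`, `capability sys_chroot`, the five `network` rules and `ptrace peer=@{profile_name}` have no replacement in this hunk, so they must come from the three new includes, whose targets are not legible on this page; confirm that those abstractions grant exactly these rules and nothing wider, since they carry the userns/sandbox setup for the whole browser. The `# If kernel.unprivileged_userns_clone = 1` rationale disappears with the deletion; a one-line comment next to the new include (`# userns/sandbox rules come from the included abstraction`) would preserve that context. profile thunderbird continues past the hunk.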
@@ -77,105 +35,35 @@ profile thunderbird @{exec_path} { @{bin}/gpgsm rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, - # Allowed apps to open - @{bin}/engrampa rPx, - @{bin}/geany rPx, - @{bin}/qpdfview rPx, - @{bin}/viewnior rPUx, - @{brave_path} rPx, - @{chrome_path} rPx, - @{firefox_path} rPx, - @{opera_path} rPx, - - /usr/share/@{name}/{,**} r, - /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/lightning/{,**} r, - /usr/share/mozilla/extensions/{,**} r, - /usr/share/xul-ext/kwallet5/* r, - /etc/@{name}/{,**} r, - /etc/fstab r, - /etc/mailcap r, - /etc/mime.types r, - /etc/timezone r, - /etc/xul-ext/kwallet5.js r, - - owner /var/mail/* rwk, - - owner @{HOME}/ r, - - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/mimeapps.list.* rw, + owner /var/mail/** rwk, owner @{user_mail_dirs}/ rw, owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**, - owner @{config_dirs}/ rw, - owner @{user_config_dirs}/gtk-3.0/assets/* r, - owner @{config_dirs}/*/ rw, - owner @{config_dirs}/*/** rwk, - owner @{config_dirs}/installs.ini rw, - owner @{config_dirs}/profiles.ini rw, + owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - - owner @{cache_dirs}/{,**} rw, - - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/@{name}{,_*}/ rw, - owner @{tmp}/@{name}{,_*}/* rwk, - owner @{tmp}/* rw, - owner @{tmp}/mozilla_*/ rw, - owner @{tmp}/mozilla_*/* rw, owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, - owner @{tmp}/Temp-@{uuid}/ rw, + owner @{tmp}/nsemail.eml rw, + owner @{tmp}/nsma rw, + owner @{tmp}/pid-@{pid}/{,**} w, - @{run}/mount/utab r, - - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, - 
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - - @{PROC}/@{pids}/net/arp r, - @{PROC}/@{pids}/net/route r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - - /dev/shm/ r, - owner /dev/shm/org.chromium.* rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - - /dev/tty rw, - - # file_inherit - owner /dev/tty@{int} rw, + /dev/urandom w, # Silencer - deny @{HOME}/.mozilla/** mrwkl, - deny @{config_dirs}/*.*/pepmda/ rw, - deny @{config_dirs}/*.*/pepmda/** rwklmx, + deny capability sys_ptrace, deny @{lib_dirs}/** w, - deny /dev/ r, - deny /dev/urandom w, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny @{lib_dirs}/crashreporter x, + deny @{lib_dirs}/minidump-analyzer x, + deny @{HOME}/.mozilla/** mrwkl, include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 17fda9d56..626896a09 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,6 +16,7 @@ profile thunderbird-glxtest @{exec_path} { include include include + include @{exec_path} mr, 
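Review bot: `/dev/urandom w,` turns the former explicit `deny /dev/urandom w,` into an allow without saying why; writing to urandom only mixes data into the pool, so the risk is low, but an explicit deny flipped to an allow deserves a why-comment such as `/dev/urandom w, # was denied; needed by <reason — TODO fill in>`. The widening of `owner /var/mail/*` to `owner /var/mail/**` is bounded by `owner` and reads as intended. This hunk starts on the previous line.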
diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index 85c1a08cb..c93d14bd7 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{lib_dirs}/vaapitest -profile thunderbird-vaapitest @{exec_path} { +profile thunderbird-vaapitest @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 2e44d0fab..8b6f0dc45 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 776b843a3..737bc90f8 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb new file mode 100644 index 000000000..0b35cff02 --- /dev/null +++ b/apparmor.d/profiles-s-z/tomb 
@@ -0,0 +1,133 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tomb +profile tomb @{exec_path} { + include + include + include + include + include + include + + capability chown, + capability fowner, + capability sys_ptrace, + capability sys_rawio, + + signal send set=cont peer=gpg, + + ptrace read peer=@{p_systemd_user}, + + @{exec_path} mr, + + @{bin}/{,e,f}grep rix, + @{bin}/awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/chown rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dcfldd rix, + @{bin}/dd rix, + @{bin}/df rix, + @{bin}/dirname rix, + @{bin}/env rix, + @{bin}/file rix, + @{bin}/findmnt rix, + @{bin}/gawk rix, + @{bin}/getent rix, + @{bin}/gettext rix, + @{bin}/hostname rix, + @{bin}/id rix, + @{bin}/kill rix, + @{bin}/locate rix, + @{bin}/losetup rix, + @{bin}/ls rix, + @{bin}/lsof rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/realpath rix, + @{bin}/recoll rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sha*sum rix, + @{bin}/shred rix, + @{bin}/sleep rix, + @{bin}/stat rix, + @{bin}/sudo rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/zsh rix, + + @{bin}/btrfs rPx, + @{bin}/cryptsetup rPUx, + @{bin}/e2fsc rPUx, + @{bin}/fsck rPx, + @{bin}/gpg{,2} rPx, + @{bin}/lsblk rPx, + @{bin}/mkfs.* rPUx, + @{bin}/mount rPx, + @{bin}/pinentry rPx, + @{bin}/pinentry-* rPx, + @{bin}/qrencode rPx, + @{bin}/resize2fs rPx, + @{bin}/tomb-kdb-pbkdf2 rPUx, + @{bin}/tune2fs rPx, + @{bin}/umount rCx -> umount, + @{bin}/updatedb.mlocate rPx, + @{bin}/zramctl rPx, + + /usr/share/file/** r, + /usr/share/terminfo/** r, + + @{MOUNTDIRS}/ rw, + @{MOUNTS}/ rw, + @{MOUNTS}/** w, + @{MOUNTS}/**/ rw, + owner @{MOUNTS}/.{host,last,tty,uid,cleanexit} rw, + + # TODO: access to tomb files and key. 
+ @{user_private_dirs}/**/*tomb* rw, + + /tmp/ r, + owner @{tmp}/@{int} rw, + owner @{tmp}/@{int}@{int} rw, + owner @{tmp}/zsh@{rand6} rw, + owner @{tmp}/zshm@{rand6} rw, + + @{sys}/devices/virtual/block/zram@{int}/backing_dev r, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + /dev/loop@{int} rw, + + profile umount { + include + include + + capability dac_read_search, + capability sys_admin, + + umount @{MOUNTS}/{,**/}, + + @{bin}/umount mr, + + owner @{run}/mount/utab r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 418accd3c..6a5d272a3 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/torify b/apparmor.d/profiles-s-z/torify index fcc4c9b98..c4cb88902 100644 --- a/apparmor.d/profiles-s-z/torify +++ b/apparmor.d/profiles-s-z/torify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index 8d75133da..c7c914387 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index ef11ad786..64ab228ba 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,6 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include - include include include include 
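Review bot: `@{bin}/e2fsc rPUx,` looks like a typo for `e2fsck`; as written the rule matches no binary, so an e2fsck run by tomb would be denied in enforce mode — change it to `@{bin}/e2fsck rPUx,`. `@{bin}/sudo rix,` keeps sudo confined by the tomb profile, which grants only `chown`, `fowner`, `sys_ptrace` and `sys_rawio` and none of sudo's own file rules, so the privilege change is likely to be denied; if the set ships a sudo profile, `@{bin}/sudo rPx,` is the expected transition. `@{user_private_dirs}/**/*tomb* rw,` (flagged by the TODO above it) is very broad and lacks `owner`; prefixing it with `owner` is a cheap narrowing until the real key/file paths are known.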
@@ -30,6 +28,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, + @{open_path} rPx -> child-open-help, /usr/share/xml/iso-codes/{,**} r, /usr/share/grilo-plugins/{,**} r, @@ -56,7 +55,6 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm w, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -65,6 +63,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include capability dac_override, @@ -72,15 +71,19 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, + /usr/share/ladspa/rdf/{,*} r, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, + owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, - owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, @{PROC}/sys/vm/mmap_min_addr r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, - + include if exists } diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index 673f46e32..ee4de1e45 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission similarity index 63% rename from apparmor.d/profiles-s-z/transmission-gtk rename to apparmor.d/profiles-s-z/transmission index 40586fa03..a6ccb7e2d 100644 --- a/apparmor.d/profiles-s-z/transmission-gtk +++ b/apparmor.d/profiles-s-z/transmission 
@@ -2,13 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/transmission-gtk -profile transmission-gtk @{exec_path} { +@{exec_path} = @{bin}/transmission-{gtk,qt} +profile transmission @{exec_path} { include + include + include + include + include + include include include include @@ -23,20 +28,29 @@ profile transmission-gtk @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=com.transmissionbt.Transmission + #aa:dbus own bus=session name=com.transmissionbt.transmission_* + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{exec_path} mr, @{open_path} rPx -> child-open, + /usr/share/transmission/{,**} r, + + owner @{HOME}/ r, + owner @{user_torrents_dirs}/ r, owner @{user_torrents_dirs}/** rw, owner @{user_config_dirs}/transmission/ rw, owner @{user_config_dirs}/transmission/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/** rwk, + owner @{tmp}/tr_session_id_* rwk, + @{run}/mount/utab r, @{PROC}/@{pid}/net/route r, @@ -45,10 +59,11 @@ profile transmission-gtk @{exec_path} { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt deleted file mode 100644 index bbfe5bff4..000000000 --- a/apparmor.d/profiles-s-z/transmission-qt +++ /dev/null 
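Review bot: The merged profile now also attaches to `transmission-qt`, but the added lines do not carry `@{PROC}/sys/kernel/random/uuid r,`, `/usr/share/hwdata/pnp.ids r,` or `network netlink dgram,` from the transmission-qt profile deleted on the next line; unless the new includes (not legible here) cover them, the Qt frontend will hit denials the old profile avoided. If they are intentionally dropped, a short comment in the profile saying the Qt-specific rules moved into an abstraction would stop the next reader from re-adding them.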
@@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/transmission-qt -profile transmission-qt @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - @{exec_path} mr, - - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, - - owner @{user_config_dirs}/transmission/ rw, - owner @{user_config_dirs}/transmission/** rwk, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/transmission/ rw, - owner @{user_cache_dirs}/transmission/** rwk, - - owner @{tmp}/tr_session_id_* rwk, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/route r, - @{PROC}/sys/kernel/random/uuid r, - - /usr/share/hwdata/pnp.ids r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index d9a8c5409..6f0fdad94 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index ab6a2de77..a26c4a263 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 505017bcd..014955032 100644 --- a/apparmor.d/profiles-s-z/udiskie 
+++ b/apparmor.d/profiles-s-z/udiskie @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,9 @@ profile udiskie @{exec_path} { @{bin}/python3.@{int} r, @{bin}/ r, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, @@ -35,37 +37,9 @@ profile udiskie @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/spacefm rPx, - # Silencer deny @{lib}/** w, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/spacefm rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/profiles-s-z/udiskie-info index aa359ef56..855c5b54c 100644 --- a/apparmor.d/profiles-s-z/udiskie-info +++ b/apparmor.d/profiles-s-z/udiskie-info @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/profiles-s-z/udiskie-mount index 7e72e9713..a57a6091f 100644 --- a/apparmor.d/profiles-s-z/udiskie-mount +++ b/apparmor.d/profiles-s-z/udiskie-mount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/profiles-s-z/udiskie-umount index 8dc30eb9a..8fe075f94 100644 --- a/apparmor.d/profiles-s-z/udiskie-umount +++ b/apparmor.d/profiles-s-z/udiskie-umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index a05cede9c..6ae685723 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl @@ -3,21 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/udisksctl profile udisksctl @{exec_path} { include + include + include + + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd @{exec_path} mr, @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 83561941c..b89d9c72f 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,8 +11,6 @@ include profile udisksd @{exec_path} flags=(attach_disconnected) { include include - include - include include include @@ -60,9 +58,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{run}/udisks2/temp-mount-*/, umount /media/cdrom@{int}/, - signal (receive) set=(int) peer=@{p_systemd}, + signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -88,6 +88,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{bin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, + @{bin}/xfs_* rPUx, /etc/crypttab r, /etc/fstab r, 
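Review bot: `@{bin}/xfs_* rPUx,` in the udisksd hunk pairs a glob with the unconfined fallback, so any `xfs_*` helper udisksd spawns runs unconfined unless a profile happens to exist for it. The page does not show which xfs tools udisksd actually calls, but listing them explicitly (with `rPx` where a profile exists) keeps the fallback bounded to known binaries. profile udisksd continues outside the hunk.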
@@ -103,11 +104,12 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/ r, @{run}/mount/utab{,.*} rwk, @{run}/udisks2/{,**} rw, @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, @@ -119,6 +121,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, + @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, @{sys}/class/nvme-subsystem/ r, @{sys}/class/nvme/ r, diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw new file mode 100644 index 000000000..b7e5f0c79 --- /dev/null +++ b/apparmor.d/profiles-s-z/ufw @@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ufw +profile ufw @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability dac_read_search, + capability net_admin, + capability net_raw, + capability sys_ptrace, + + network inet dgram, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, + + ptrace read, + + @{exec_path} mr, + + @{bin}/ r, + @{bin}/cat ix, + @{bin}/env r, + @{bin}/python3.@{int} ix, + @{bin}/sysctl ix, + @{bin}/xtables-legacy-multi ix, + @{bin}/xtables-nft-multi ix, + @{lib}/ufw/ufw-init ix, + + /etc/default/ufw rw, + /etc/ufw/ rw, + /etc/ufw/** rwk, + + @{run}/xtables.lock rwk, + owner @{run}/ufw.lock rwk, + + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8} rw, + owner /var/tmp/@{word8} rw, + owner /var/tmp/tmp@{word8} rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, + + include if exists +} + +# vim:syntax=apparmor 
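Review bot: `ptrace read,` in the new ufw profile (backed by `capability sys_ptrace,`) has no `peer=`, so ufw may read the state of every process on the system; if this is only needed for its own lock/pid checks, name the peer or at least comment what requires it. `@{bin}/sysctl ix,` keeps sysctl inside the ufw profile, which matches the sysctl profile's own "should not be called by another profile" TODO, but it also means the `/etc/ufw/sysctl.conf r` rule added to the sysctl profile earlier in this commit only serves direct invocations (ufw already covers it through `/etc/ufw/** rwk`); a comment on one of the two lines would make that relationship explicit. The exec rules `@{bin}/cat ix,`, `@{bin}/python3.@{int} ix,`, `@{bin}/sysctl ix,` and the xtables lines omit the `r` that every other profile in this set writes (`rix`, e.g. tomb in this same commit); keep the convention.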
diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index e066dff89..66fae00bb 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/profiles-s-z/umount.udisks2 index 2a6f7747d..4e842c7fb 100644 --- a/apparmor.d/profiles-s-z/umount.udisks2 +++ b/apparmor.d/profiles-s-z/umount.udisks2 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 4dd41a7bf..45a864c23 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,11 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, deny network, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-s-z/unhide-linux b/apparmor.d/profiles-s-z/unhide-linux index d03561452..0d543513c 100644 --- a/apparmor.d/profiles-s-z/unhide-linux +++ b/apparmor.d/profiles-s-z/unhide-linux @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index 1277e299c..730d1aaa6 100644 --- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/unhide-rb b/apparmor.d/profiles-s-z/unhide-rb index e503f639a..ecc19849a 100644 --- a/apparmor.d/profiles-s-z/unhide-rb +++ b/apparmor.d/profiles-s-z/unhide-rb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index bb54d19b1..c4b30b884 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index c24da3bab..85b99b8ab 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index d5d1cb953..6b5607ed1 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index dfe7725d8..a83e985d7 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index f08383fba..b87f60ec4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 8b69cd1f4..c0f220919 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 56c215402..f1bf99bf8 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 6b4192903..9bef23a77 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index 08687c6c8..c0e64f0f9 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -58,6 +58,7 @@ profile update-dlocatedb @{exec_path} { @{bin}/gzip rix, /var/lib/dlocate/dlocatedb.gz rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index fc62d99f2..6948f2812 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 233ed60be..d2e36ead0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -38,7 +38,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/ r, /usr/share/misc/* rwl -> /usr/share/misc/*, - # For shell pwd + # For shell pwd /root/ r, @@ -62,6 +62,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/pci.ids.new w, /usr/share/misc/pci.ids.gz.new w, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 8431fd1e6..e5ffca44f 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 7140bbd5b..2ce61cebf 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -58,6 +58,7 @@ profile update-smart-drivedb @{exec_path} { owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/ rw, owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/**, + include if exists } profile browse { @@ -88,6 +89,7 @@ profile update-smart-drivedb @{exec_path} { /var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w, + include if exists } include if exists 
diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 9e470d878..7a951b7e7 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate index 67ea546fd..60aa760d4 100644 --- a/apparmor.d/profiles-s-z/updatedb.plocate +++ b/apparmor.d/profiles-s-z/updatedb.plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime index 1b28a07da..904ebe415 100644 --- a/apparmor.d/profiles-s-z/uptime +++ b/apparmor.d/profiles-s-z/uptime @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uptimed b/apparmor.d/profiles-s-z/uptimed index a850d7771..7e978c1dd 100644 --- a/apparmor.d/profiles-s-z/uptimed +++ b/apparmor.d/profiles-s-z/uptimed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices index 94e6526ab..c67b78faf 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard index deb5ef46d..798352c89 100644 --- a/apparmor.d/profiles-s-z/usbguard +++ b/apparmor.d/profiles-s-z/usbguard @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt index bc004b86f..a76398dd9 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/profiles-s-z/usbguard-applet-qt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon index 674da7ad4..1fb97459d 100644 --- a/apparmor.d/profiles-s-z/usbguard-daemon +++ b/apparmor.d/profiles-s-z/usbguard-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus index b02524d55..d406d5262 100644 --- a/apparmor.d/profiles-s-z/usbguard-dbus +++ b/apparmor.d/profiles-s-z/usbguard-dbus @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/profiles-s-z/usbguard-notifier index 48f88d0aa..963fcb2e8 100644 --- a/apparmor.d/profiles-s-z/usbguard-notifier +++ b/apparmor.d/profiles-s-z/usbguard-notifier @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index a6094867a..42ab87607 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 6b95a4848..05df64874 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index cfcdc6bdc..c0f8f0e45 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/profiles-s-z/users index fbad304bf..67d7a83e7 100644 --- a/apparmor.d/profiles-s-z/users +++ b/apparmor.d/profiles-s-z/users @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utmpdump b/apparmor.d/profiles-s-z/utmpdump index 054bb69ce..363524355 100644 --- a/apparmor.d/profiles-s-z/utmpdump +++ b/apparmor.d/profiles-s-z/utmpdump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index e5642c263..483fef619 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index c98d8175f..69f28da32 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/profiles-s-z/uuidgen index b00ed1f26..56e8abef9 100644 --- a/apparmor.d/profiles-s-z/uuidgen +++ b/apparmor.d/profiles-s-z/uuidgen @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index f49441ebf..8858a80f1 100644 --- a/apparmor.d/profiles-s-z/uupdate 
+++ b/apparmor.d/profiles-s-z/uupdate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -50,7 +50,7 @@ profile uupdate @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 37422840c..25f4a979f 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt new file mode 100644 index 000000000..6612846cd --- /dev/null +++ b/apparmor.d/profiles-s-z/veracrypt 
@@ -0,0 +1,96 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/veracrypt
+profile veracrypt @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability dac_read_search,
+ capability fsetid,
+ capability sys_admin,
+ capability sys_ptrace,
+
+ mount fstype=fuse.veracrypt options=(rw nodev nosuid) veracrypt -> /tmp/.veracrypt_*/,
+
+ @{exec_path} mrix,
+
+ @{sh_path} rix,
+ @{open_path} rPx -> child-open-help,
+ @{bin}/dmsetup rPx,
+ @{bin}/grep rix,
+ @{bin}/kmod rix,
+ @{bin}/ldconfig rix,
+ @{bin}/losetup rCx -> losetup,
+ @{bin}/mount rPx,
+ @{bin}/sudo rix,
+ @{bin}/umount rCx -> umount,
+ @{bin}/wc rix,
+ @{file_explorers_path} rPx,
+
+ /home/ r,
+
+ # Mount points
+ @{MOUNTS}/ rw,
+ @{MOUNTS}/*/ rw,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/.VeraCrypt-lock-@{user} rwk,
+
+ owner @{user_config_dirs}/VeraCrypt/ rw,
+ owner @{user_config_dirs}/VeraCrypt/** rwk,
+
+ /tmp/.veracrypt_*/ rw,
+ /tmp/.veracrypt_*/** rwk,
+
+ @{sys}/module/compression r,
+ @{sys}/module/dm_mod/initstate r,
+
+ @{PROC}/partitions r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/fuse rw,
+ /dev/tty rw,
+
+ profile umount {
+ include
+
+ capability sys_admin,
+
+ umount /tmp/.veracrypt_*/,
+ umount @{MOUNTS}/{,*/},
+
+ @{bin}/umount mr,
+
+ owner @{run}/mount/utab r,
+
+ include if exists
+ }
+
+ profile losetup {
+ include
+ include
+
+ capability sys_rawio,
+
+ @{bin}/losetup mr,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop
new file mode 100644
index 000000000..a3c3f5a03
--- /dev/null
+++ b/apparmor.d/profiles-s-z/vesktop
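Review bot: `@{bin}/sudo rix` keeps sudo, and the root re-exec of `veracrypt` it performs, inside this profile, so that whole privileged path runs with every capability granted here (chown, dac_read_search, fsetid, sys_admin, sys_ptrace) rather than a scoped set; `sys_ptrace` in particular is not obviously needed for the mount path, and a one-line comment naming the operation that requires it would help the next reviewer. Unless one of the `include` lines already covers sudo's own needs (sudoers, PAM), sudo will also need reads this profile does not list, which is worth a quick denial check. In the `umount` child, `umount @{MOUNTS}/{,*/}` permits unmounting any mount under @{MOUNTS}, not only VeraCrypt volumes; if the mount points cannot be narrowed, a comment such as `# VeraCrypt lets the user pick any mount point under @{MOUNTS}` would record that this breadth is deliberate.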
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , +include + +@{name} = vesktop +@{lib_dirs} = @{lib}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/vesktop +profile vesktop @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open, + + owner /tmp/.org.chromium.Chromium.@{rand6} mr, + owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + owner /dev/ r, + + deny /dev/tty rw, + deny owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 226a0dd98..283eab051 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 835267c2d..50ada1d64 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,9 +16,7 @@ profile vipw-vigr @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, /etc/login.defs r, 
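Review bot: `owner /dev/ r` is effectively dead for a normal user session, since on a typical system `/dev/` is root-owned and the `owner` qualifier will never match, so the directory read it was meant to allow will still be denied; either drop the qualifier (`/dev/ r,`) or remove the line. Likewise `@{PROC}/@{pid}/cmdline r` carries no `owner` qualifier, which lets the client read the command line of every process on the system, while the neighbouring `comm` rule is already `owner`-restricted; `owner @{PROC}/@{pid}/cmdline r,` is the consistent least-privilege form unless a cross-process read was actually observed in the logs, in which case a comment saying so would justify the wider rule.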
@@ -37,7 +35,6 @@ profile vipw-vigr @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - profile editor { include include @@ -45,6 +42,8 @@ profile vipw-vigr @{exec_path} { capability fsetid, /etc/{passwd,shadow,gshadow,group}.edit rw, + + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index c1bd7fbde..bce236989 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,7 +46,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, /usr/share/gtksourceview-4/{,**} r, - /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, @@ -61,15 +60,15 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/libnl/classid r, - owner @{HOME}/ r, - owner @{user_cache_dirs}/virt-manager/{,**} rw, + # System VM images + /var/lib/libvirt/images/{,**} rw, # For disk images @{MOUNTS}/ r, @{user_img_dirs}/{,**} r, - # System VM images - /var/lib/libvirt/images/{,**} rw, + owner @{HOME}/ r, + owner @{user_cache_dirs}/virt-manager/{,**} rw, # User VM images owner @{user_share_dirs}/ r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index b5ea8b272..d572ce9b8 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -56,7 +56,6 @@ profile vlc @{exec_path} { owner @{user_torrents_dirs}/{,**} rw, owner @{user_videos_dirs}/{,**} rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/vlc/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, 
@@ -76,6 +75,13 @@ profile vlc @{exec_path} { @{run}/mount/utab r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index b464f1712..1c089b0f8 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index 25bdcfb1b..b780eb8d1 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vnstatd b/apparmor.d/profiles-s-z/vnstatd index c37c8b6d7..1270ecf42 100644 --- a/apparmor.d/profiles-s-z/vnstatd +++ b/apparmor.d/profiles-s-z/vnstatd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index c58381d7d..e354c3cbd 100644 --- a/apparmor.d/profiles-s-z/volumeicon +++ b/apparmor.d/profiles-s-z/volumeicon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index aa45b805e..2b6af3561 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index a3fc8c9e3..3745015c1 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index b4601147a..1a0e33418 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m @@ -3,7 +3,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wavemon b/apparmor.d/profiles-s-z/wavemon index 9ec082580..6c2fee4df 100644 --- a/apparmor.d/profiles-s-z/wavemon +++ b/apparmor.d/profiles-s-z/wavemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index d5116b043..8499a1ad6 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -1,15 +1,17 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/waybar profile waybar @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include 
@@ -20,11 +22,22 @@ profile waybar @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/** rPUx, - @{user_bin_dirs}/** rPUx, + /etc/machine-id r, owner @{user_config_dirs}/waybar/{,**} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/system/cpu/present r, + + @{PROC}/@{pid}/net/dev r, + @{PROC}/spl/kstat/zfs/arcstats r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/rfkill r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal new file mode 100644 index 000000000..9d563111a --- /dev/null +++ b/apparmor.d/profiles-s-z/wechat-universal 
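Review bot: Removing `@{bin}/** rPUx` and `@{user_bin_dirs}/** rPUx` takes away waybar's ability to launch any external program, which is a sound tightening, but it also means `custom/*` modules that use `exec` will presumably now be denied and nothing in the hunk replaces them; if that is the intent, a comment near the config rule such as `# No exec rule: custom module scripts must be confined separately` would record the decision, otherwise a child profile for the scripts is the usual pattern in this set. The new `@{PROC}/spl/kstat/zfs/arcstats r` is system-specific and deserves a short note of which module reads it (presumably the memory module), so it is not mistaken for noise later. The enclosing profile body continues beyond this hunk.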
@@ -0,0 +1,60 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = wechat-universal
+@{lib_dirs} = /opt/wechat-universal/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
+profile wechat-universal @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mrix,
+
+ @{sh_path} rix,
+ @{lib}/wechat-universal/common.sh ix,
+ @{bin}/sed ix,
+ @{bin}/ln ix,
+ @{bin}/mkdir ix,
+ @{bin}/lsblk Px,
+ @{bin}/bwrap rix,
+ @{bin}/xdg-user-dir rix,
+ @{lib_dirs}/crashpad_handler ix,
+ @{open_path} rPx -> child-open-strict,
+
+ /etc/lsb-release r,
+
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
+ owner @{HOME}/.xwechat/{,**} rwk,
+ owner @{HOME}/.sys1og.conf rw,
+
+ @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+ @{run}/utmp r,
+
+ @{PROC}/@{pid}/net/route r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet
new file mode 100644
index 000000000..861908a6b
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wemeet
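Review bot: `owner @{HOME}/.sys1og.conf rw` reads like a typo of `.syslog.conf` to anyone scanning the file, so if the digit-one spelling really is what the binary writes it should carry a comment (`# sic: the binary writes ~/.sys1og.conf (digit one), not a syslog config`) so nobody "corrects" it later. The exec rules are also inconsistent with the rest of the set: `common.sh`, `sed`, `ln`, `mkdir` and `crashpad_handler` are `ix` without `r`, and `lsblk` is `Px` without `r`, while their neighbours use `rix`/`rPx`; making them `rix` and `rPx` matches the convention used elsewhere in these profiles. Finally `@{lib}/wechat-universal/common.sh` bypasses the `@{lib_dirs}` variable defined at the top as `/opt/wechat-universal/`; if the script genuinely lives under @{lib} rather than /opt, a comment explaining the split install location would help.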
@@ -0,0 +1,62 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/wemeet
+@{exec_path} += /opt/wemeet/bin/wemeetapp
+@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
+profile wemeet @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ @{sh_path} r,
+ @{bin}/basename rix,
+ @{bin}/bwrap rix,
+ @{bin}/id rix,
+ @{bin}/mkdir rix,
+ /opt/wemeet/bin/** rix,
+
+ /etc/machine-id r,
+ /var/cache/ w,
+
+ owner @{user_share_dirs}/wemeetapp/ rw,
+ owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
+
+ @{PROC}/ r,
+ @{PROC}/asound/ r,
+ @{PROC}/@{pid}/net/route r,
+ @{PROC}/@{pid}/net/wireless r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/statm r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ owner @{PROC}/@{pid}/cmdline r,
+
+ /dev/ r,
+ /dev/tty rw,
+ /dev/shm/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis
index e99900304..43fa8ff09 100644
--- a/apparmor.d/profiles-s-z/whatis
+++ b/apparmor.d/profiles-s-z/whatis
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd
index e5e111b8b..cc4ae2959 100644
--- a/apparmor.d/profiles-s-z/whdd
+++ b/apparmor.d/profiles-s-z/whdd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis
index 330957a62..32d4ffa51 100644
--- a/apparmor.d/profiles-s-z/whereis
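Review bot: `@{PROC}/@{pid}/stat r` and `@{PROC}/@{pid}/statm r` carry no `owner` qualifier while the `cmdline` rule just below does, so the client can read the status of every process on the system; unless a cross-process read was observed, `owner @{PROC}/@{pid}/{stat,statm} r,` is the consistent least-privilege form. `/var/cache/ w` grants a desktop client create access in the system cache directory, which is unusual; if this only silences a noisy attempt, `deny /var/cache/ w,` does that without granting it, and either way the line deserves a comment saying what the application tries to create there. `/opt/wemeet/bin/** rix` also already covers `wemeetapp` and `QtWebEngineProcess`, which appear in `@{exec_path}` with only `mr`; the overlap is harmless but a comment stating that every helper under /opt/wemeet/bin is meant to run confined in this same profile would make the intent explicit.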
+++ b/apparmor.d/profiles-s-z/whereis @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,10 +27,10 @@ profile whereis @{exec_path} { /usr/src/{**,} r, /opt/ r, - /opt/cni/bin/ r, - /opt/containerd/bin/ r, + /opt/**/bin/ r, + /opt/**/lib/ r, - /etc/ r, + @{etc_ro}/ r, /snap/bin/ r, /var/lib/flatpak/exports/bin/ r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 32d0945e1..855db3f4b 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f2339717a..a7b98ebee 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/profiles-s-z/who index bed53e7e6..3da07f89d 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/profiles-s-z/who @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,6 +19,7 @@ profile who @{exec_path} { @{exec_path} mr, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami index 3072d7da0..3fc9e26b4 100644 --- a/apparmor.d/profiles-s-z/whoami +++ b/apparmor.d/profiles-s-z/whoami @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 6b8bca6c0..87b4e27ca 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,7 +24,7 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, - dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0, + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index ed8fd0efa..c29543d6b 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -4,7 +4,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index a71e4cbd9..1b4ae7501 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index 47a17669d..51feb0071 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 3495849e7..136caa781 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index 5edd2f177..c9987fa01 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index ceefecbf2..fd10713cc 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -3,27 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wpa_gui profile wpa-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, owner /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index f3da61258..23f77f840 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 1ee5bd806..7de522fc8 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 56a852d11..22713e3bf 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index a5ec89fd9..003770008 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -42,7 +42,9 @@ profile xarchiver @{exec_path} { # For deb packages @{bin}/{,@{multiarch}-}ar rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, @@ -58,46 +60,12 @@ profile xarchiver @{exec_path} { /tmp/ r, owner @{tmp}/** rw, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index f051fdc0c..e1a4199db 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xauth profile xauth @{exec_path} { include + include include @{exec_path} mr, @@ -35,6 +36,7 @@ profile xauth @{exec_path} { owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6}-c w, owner @{tmp}/xauth_@{rand6}-l wl, + owner @{tmp}/xauth.@{rand10}-c w, owner @{run}/user/@{uid}/xauth_@{rand6} rw, owner @{run}/user/@{uid}/xauth_@{rand6}-c w, diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index 89de67bd1..cb9426583 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock 
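Review bot: The new `owner @{tmp}/xauth.@{rand10}-c w` covers only the `-c` lock file, whereas the existing `xauth_@{rand6}` family grants the base file `r`, `-c w` and `-l wl`; xauth's locking presumably creates the `-c` and `-l` pair together for the dotted naming scheme too, so the `-l` link and the base file are likely still denied. Suggest adding `owner @{tmp}/xauth.@{rand10} r,` and `owner @{tmp}/xauth.@{rand10}-l wl,` next to it, or a comment naming the xauth build that produces the dotted name so the partial coverage is clearly intentional. The xauth profile body continues outside this hunk.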
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index 19eb4a9f3..b2be0446b 100644 --- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index dc30114bd..f40b4fa6b 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -2,21 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include + include network inet stream, network inet6 stream, @{exec_path} mr, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 378e8cae3..cdb68ed70 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -3,21 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xclip profile xclip @{exec_path} { include + include include network unix stream, @{exec_path} mr, - deny /dev/tty rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 902905d09..169851550 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xeyes b/apparmor.d/profiles-s-z/xeyes new file mode 100644 index 000000000..c602e7fce --- /dev/null +++ b/apparmor.d/profiles-s-z/xeyes 
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xeyes
+profile xeyes @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit
index 521a182ba..0801ac188 100644
--- a/apparmor.d/profiles-s-z/xinit
+++ b/apparmor.d/profiles-s-z/xinit
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput
index 18eab6a78..c88210cca 100644
--- a/apparmor.d/profiles-s-z/xinput
+++ b/apparmor.d/profiles-s-z/xinput
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp
new file mode 100644
index 000000000..41ac0b973
--- /dev/null
+++ b/apparmor.d/profiles-s-z/xsane-gimp
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xsane-gimp
+profile xsane-gimp @{exec_path} {
+ include
+ include
+ include
+
+ signal (receive) set=(term, kill) peer=gimp,
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+ @{system_share_dirs}/gimp/{,**} r,
+ @{system_share_dirs}/sane/xsane/{,**} r,
+ @{system_share_dirs}/snmp/mibs/{,**} r, # network
+ /etc/sane.d/{,**} r,
+ owner @{HOME}/.sane/{,**} rw,
+ owner @{tmp}/xsane-*-@{rand6} rw,
+ @{sys}/devices/@{pci}/{model,type,vendor} r,
+ @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r,
+
+ # SCSI
+ @{sys}/bus/scsi/devices/ r,
+ @{PROC}/scsi/scsi r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
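Review bot: In the new xsane-gimp profile the `network inet dgram`, `network inet6 dgram` and `network netlink raw` rules carry no explanation; the only hint is the trailing `# network` on the snmp mibs line. `netlink raw` is the broadest of the three and is not obviously required by a scanner plugin, so a comment above the block such as `# Network scanner backends (see snmp mibs below)` — or whichever reason the author actually had — would let a later reviewer judge whether it can be dropped. The parport and `@{sys}/devices/@{pci}` rules would likewise read better under a heading like the existing `# SCSI` one, e.g. `# Local device probing`.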
diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel
index 5f97c83f3..05b93fed9 100644
--- a/apparmor.d/profiles-s-z/xsel
+++ b/apparmor.d/profiles-s-z/xsel
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad
index bb896bd8c..15599fa72 100644
--- a/apparmor.d/profiles-s-z/yadifad
+++ b/apparmor.d/profiles-s-z/yadifad
@@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+abi ,
+
 include
 @{exec_path} = @{bin}/yadifad
diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl
index 85da6bfe0..781e24768 100644
--- a/apparmor.d/profiles-s-z/youtube-dl
+++ b/apparmor.d/profiles-s-z/youtube-dl
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer
index 1c405e8fe..46b0c6c06 100644
--- a/apparmor.d/profiles-s-z/youtube-viewer
+++ b/apparmor.d/profiles-s-z/youtube-viewer
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -32,12 +32,6 @@ profile youtube-viewer @{exec_path} {
 @{bin}/wget rCx -> wget,
- owner @{user_config_dirs}/youtube-viewer/{,*} rw,
- owner @{user_cache_dirs}/youtube-viewer/{,*} rw,
- owner @{HOME}/Downloads/youtube-viewer/{,*} rw,
-
- /etc/inputrc r,
-
 # Players
 @{bin}/mpv rPUx,
 @{bin}/vlc rPUx,
@@ -45,6 +39,11 @@ profile youtube-viewer @{exec_path} {
 @{bin}/ffmpeg rPUx,
+ /etc/inputrc r,
+
+ owner @{user_config_dirs}/youtube-viewer/{,*} rw,
+ owner @{user_cache_dirs}/youtube-viewer/{,*} rw,
+ owner @{HOME}/Downloads/youtube-viewer/{,*} rw,
 profile wget {
 include
@@ -62,6 +61,7 @@ profile youtube-viewer @{exec_path} {
 owner @{HOME}/.wget-hsts r,
 owner @{HOME}/wget-log{,.@{int}} rw,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp
index c71b87efd..551a8edf4 100644
--- a/apparmor.d/profiles-s-z/yt-dlp
+++ b/apparmor.d/profiles-s-z/yt-dlp
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl
index 230e15f80..81ccfc284 100644
--- a/apparmor.d/profiles-s-z/ytdl
+++ b/apparmor.d/profiles-s-z/ytdl
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura
index b055fe31b..5d0d1a745 100644
--- a/apparmor.d/profiles-s-z/zathura
+++ b/apparmor.d/profiles-s-z/zathura
@@ -2,11 +2,11 @@
 # Copyright (C) 2024 valoq
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/zathura
+@{exec_path} = @{bin}/zathura{,-sandbox}
 profile zathura @{exec_path} {
 include
 include
@@ -18,11 +18,13 @@ profile zathura @{exec_path} {
 @{exec_path} mr,
 /usr/share/file/{,**} r,
+ /usr/share/poppler/{,**} r,
 /etc/xdg/{,**} r,
 /etc/zathurarc r,
 owner @{user_config_dirs}/zathura/** r,
+ owner @{user_share_dirs}/zathura/ r,
 owner @{user_share_dirs}/zathura/** rwk,
 owner @{tmp}/gtkprint* rw,
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed
index c966ce839..048f2410c 100644
--- a/apparmor.d/profiles-s-z/zed
+++ b/apparmor.d/profiles-s-z/zed
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap
index bc4090be8..59a8d772e 100644
--- a/apparmor.d/profiles-s-z/zenmap
+++ b/apparmor.d/profiles-s-z/zenmap
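Review bot: `@{exec_path} = @{bin}/zathura{,-sandbox}` attaches the full zathura rule set to `zathura-sandbox` as well; if that binary is the restricted variant its name suggests, sharing one profile grants it every permission of the unsandboxed build, which defeats the point of shipping a separate binary. Either a dedicated, tighter profile for it, or a comment stating that identical permissions are intentional, e.g. `# zathura-sandbox needs the same rules: it only adds seccomp on top`, would make the decision reviewable. The enclosing profile continues outside the hunk.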
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs
index 9538b9c13..9ba71f45b 100644
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool
index 7d12cf3b7..2cb997fd7 100644
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
index 653690898..cbf48ba4f 100644
--- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot
+++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
index c325e216d..30a17a6ad 100644
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -37,8 +37,6 @@ profile zsysd @{exec_path} flags=(complain) {
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/spl/hostid r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 /dev/pts/@{int} rw,
 /dev/zfs rw,
diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d
index c23a8d956..f1be9acbe 100644
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
@@ -52,7 +52,6 @@
 # User build directories and output
 @{user_build_dirs}="/tmp/build/"
 @{user_pkg_dirs}="/tmp/pkg/"
-@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
 @{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
 # Other user directories
diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions
new file mode 100644
index 000000000..956e8c253
--- /dev/null
+++ b/apparmor.d/tunables/multiarch.d/extensions
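Review bot: Deleting `@{user_tmp_dirs}` from the tunables breaks any profile or abstraction that still expands it: apparmor_parser rejects an undefined variable and the affected profile then fails to load at all, and this hunk shows no replacement definition. Before merging, confirm nothing outside this diff references the name (`grep -r 'user_tmp_dirs' apparmor.d/`), or keep the definition for one release with a comment such as `# Deprecated: use @{tmp} instead` so third-party profiles get a migration window.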
@@ -0,0 +1,648 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +# Define commonly used extensions + +# All variables that refer to an extension must have the `_ext` suffix. + +# Packages +@{package_ext} = [aA][bB][bB] # abb +@{package_ext} += [aA][pP][kK] # apk +@{package_ext} += [aA][pP][pP][xX] # appx +@{package_ext} += [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] # appxbundle +@{package_ext} += [cC][rR][xX] # crx +@{package_ext} += [dD][eE][bB] # deb +@{package_ext} += [eE][mM][sS][iI][xX] # emsix +@{package_ext} += [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # emsixbundle +@{package_ext} += [jJ][aA][rR] # jar +@{package_ext} += [mM][pP][kK][gG] # mpkg +@{package_ext} += [mM][sS][iI] # msi +@{package_ext} += [mM][sS][iI][xX] # msix +@{package_ext} += [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # msixbundle +@{package_ext} += [pP][kK][gG] # pkg +@{package_ext} += [pP][kK][gG].[tT][aA][rR]{,[zZ][sS][tT]} # pkg.tar{,.zst} +@{package_ext} += [rR][pP][mM] # rpm +@{package_ext} += [tT][gG][zZ] # tgz + +# Disk images +@{diskimage_ext} = [aA][dD][fF] # adf +@{diskimage_ext} += [aA][dD][zZ] # adz +@{diskimage_ext} += [bB][wW][tT] # bwt +@{diskimage_ext} += [cC][iI][fF] # cif +@{diskimage_ext} += [cC][uU][eE] # cue +@{diskimage_ext} += [cC][dD][iI] # cdi +@{diskimage_ext} += [bB]5[tT] # b5t +@{diskimage_ext} += [bB]6[tT] # b6t +@{diskimage_ext} += [dD][aA][aA] # daa +@{diskimage_ext} += [dD][mM][gG] # dmg +@{diskimage_ext} += [dD][mM][sS] # dms +@{diskimage_ext} += [dD][sS][kK] # dsk +@{diskimage_ext} += [dD]64 # d64 +@{diskimage_ext} += [iI][sS][oO] # iso +@{diskimage_ext} += [iI][mM][gG] # img +@{diskimage_ext} += [iI][mM][aA] # ima +@{diskimage_ext} += [nN][rR][gG] # nrg +@{diskimage_ext} += [mM][dD][fF] # mdf +@{diskimage_ext} += [mM][dD][sS] # mds +@{diskimage_ext} += [mM][dD][xX] # mdx +@{diskimage_ext} += [pP][aA][rR][tT][iI][mM][gG] # partimg 
+@{diskimage_ext} += [sS][dD][iI] # sdi +@{diskimage_ext} += [wW][iI][mM] # wim +@{diskimage_ext} += [sS][wW][mM] # swm +@{diskimage_ext} += [eE][sS][dD] # esd + +# Archives +@{archive_ext} = @{diskimage_ext} @{package_ext} +@{archive_ext} += ??_ # ??_ +@{archive_ext} += ?[qQ]? # ?q? +@{archive_ext} += ?[zZ]? # ?z? +@{archive_ext} += [aA] # a +@{archive_ext} += [aA][aA][rR] # aar +@{archive_ext} += [aA][cC][eE] # ace +@{archive_ext} += [aA][fF][aA] # afa +@{archive_ext} += [aA][lL][zZ] # alz +@{archive_ext} += [aA][rR] # ar +@{archive_ext} += [aA][rR][cC] # arc +@{archive_ext} += [aA][rR][jJ] # arj +@{archive_ext} += [bB][aA][hH] # bah +@{archive_ext} += [bB][aA][rR] # bar +@{archive_ext} += [bB][rR] # br +@{archive_ext} += [bB][zZ]2 # bz2 +@{archive_ext} += [bB]1 # b1 +@{archive_ext} += [bB]6[zZ] # b6z +@{archive_ext} += [cC][aA][bB] # cab +@{archive_ext} += [cC][aA][rR] # car +@{archive_ext} += [cC][dD][xX] # cdx +@{archive_ext} += [cC][fF][sS] # cfs +@{archive_ext} += [cC][pP][iI][oO] # cpio +@{archive_ext} += [dD][aA][rR] # dar +@{archive_ext} += [dD][gG][cC] # dgc +@{archive_ext} += [eE][aA][rR] # ear +@{archive_ext} += [gG][cC][aA] # gca +@{archive_ext} += [gG][eE][nN][oO][zZ][iI][pP] # genozip +@{archive_ext} += [gG][zZ] # gz +@{archive_ext} += [hH][aA] # ha +@{archive_ext} += [hH][kK][iI] # hki +@{archive_ext} += [iI][cC][eE] # ice +@{archive_ext} += [iI][oO] # io +@{archive_ext} += [kK][gG][bB] # kgb +@{archive_ext} += [lL][bB][rR] # lbr +@{archive_ext} += [lL][hH][aA] # lha +@{archive_ext} += [lL][pP][aA][qQ]@{int} # lpaq@{int} +@{archive_ext} += [lL][zZ] # lz +@{archive_ext} += [lL][zZ][hH] # lzh +@{archive_ext} += [lL][zZ][mM][aA] # lzma +@{archive_ext} += [lL][zZ][oO] # lzo +@{archive_ext} += [lL][zZ][xX] # lzx +@{archive_ext} += [mM][aA][rR] # mar +@{archive_ext} += [pP][aA][kK] # pak +@{archive_ext} += [pP][aA][qQ]@{int} # paq@{int} +@{archive_ext} += [pP][aA][rR] # par +@{archive_ext} += [pP][aA][rR]2 # par2 +@{archive_ext} += [pP][aA][xX] # pax 
+@{archive_ext} += [pP][eE][aA] # pea +@{archive_ext} += [pP][hH][aA][rR] # phar +@{archive_ext} += [pP][iI][mM] # pim +@{archive_ext} += [pP][iI][tT] # pit +@{archive_ext} += [pP][kK][aA] # pka +@{archive_ext} += [pP][mM][aA] # pma +@{archive_ext} += [pP][sS][tT] # pst +@{archive_ext} += [qQ][dD][aA] # qda +@{archive_ext} += [rR][aA][rR] # rar +@{archive_ext} += [rR][kK] # rk +@{archive_ext} += [rR][uU][nN] # run +@{archive_ext} += [rR][zZ] # rz +@{archive_ext} += [rR]@{int} # r@{int} +@{archive_ext} += [sS][bB][xX] # sbx +@{archive_ext} += [sS][dD][aA] # sda +@{archive_ext} += [sS][eE][aA] # sea +@{archive_ext} += [sS][eE][nN] # sen +@{archive_ext} += [sS][fF][aA][rR][kK] # sfark +@{archive_ext} += [sS][fF][xX] # sfx +@{archive_ext} += [sS][hH][aA][rR] # shar +@{archive_ext} += [sS][hH][kK] # shk +@{archive_ext} += [sS][iI][tT] # sit +@{archive_ext} += [sS][iI][tT][xX] # sitx +@{archive_ext} += [sS][qQ][sS] # sqs +@{archive_ext} += [sS][zZ] # sz +@{archive_ext} += [sS]7[zZ] # s7z +@{archive_ext} += [tT][aA][rR] # tar +@{archive_ext} += [tT][aA][rR].[bB][zZ]2 # tar.bz2 +@{archive_ext} += [tT][aA][rR].[gG][zZ] # tar.gz +@{archive_ext} += [tT][aA][rR].[lL][zZ] # tar.lz +@{archive_ext} += [tT][aA][rR].[lL][zZ][mM][aA] # tar.lzma +@{archive_ext} += [tT][aA][rR].[xX][zZ] # tar.xz +@{archive_ext} += [tT][aA][rR].[zZ] # tar.z +@{archive_ext} += [tT][aA][rR].[zZ][sS][tT] # tar.zst +@{archive_ext} += [tT][gG][zZ] # tgz +@{archive_ext} += [tT][lL][zZ] # tlz +@{archive_ext} += [tT][xX][zZ] # txz +@{archive_ext} += [uU][cC] # uc +@{archive_ext} += [uU][cC][aA] # uca +@{archive_ext} += [uU][cC][nN] # ucn +@{archive_ext} += [uU][cC]0 # uc0 +@{archive_ext} += [uU][cC]2 # uc2 +@{archive_ext} += [uU][eE]2 # ue2 +@{archive_ext} += [uU][hH][aA] # uha +@{archive_ext} += [uU][rR]2 # ur2 +@{archive_ext} += [wW][aA][rR] # war +@{archive_ext} += [xX][aA][rR] # xar +@{archive_ext} += [xX][pP]3 # xp3 +@{archive_ext} += [xX][zZ] # xz +@{archive_ext} += [yY][zZ]1 # yz1 +@{archive_ext} += 
[zZ][iI][pP] # zip +@{archive_ext} += [zZ][iI][pP][xX] # zipx +@{archive_ext} += [zZ][oO][oO] # zoo +@{archive_ext} += [zZ][pP][aA][qQ] # zpaq +@{archive_ext} += [zZ][sS][tT] # zst +@{archive_ext} += [zZ][zZ] # zz +@{archive_ext} += 7[zZ] # 7z + +# Audio +@{audio_ext} = [aA][aA][cC] # aac +@{audio_ext} += [aA][aA][lL] # aal +@{audio_ext} += [aA][aA]3 # aa3 +@{audio_ext} += [aA][cC][nN] # acn +@{audio_ext} += [aA][cC]3 # ac3 +@{audio_ext} += [aA][dD][tT][sS] # adts +@{audio_ext} += [aA][iI][fF] # aif +@{audio_ext} += [aA][iI][fF][cC] # aifc +@{audio_ext} += [aA][iI][fF][fF] # aiff +@{audio_ext} += [aA][lL][aA][cC] # alac +@{audio_ext} += [aA][mM][rR] # amr +@{audio_ext} += [aA][sS][sS] # ass +@{audio_ext} += [aA][tT][xX] # atx +@{audio_ext} += [aA][uU] # au +@{audio_ext} += [aA][wW][bB] # awb +@{audio_ext} += [aA][xX][aA] # axa +@{audio_ext} += [dD][lL][sS] # dls +@{audio_ext} += [dD][tT][sS] # dts +@{audio_ext} += [dD][tT][sS][hH][dD] # dtshd +@{audio_ext} += [eE][cC][eE][lL][pP]4800 # ecelp4800 +@{audio_ext} += [eE][cC][eE][lL][pP]7470 # ecelp7470 +@{audio_ext} += [eE][cC][eE][lL][pP]9600 # ecelp9600 +@{audio_ext} += [eE][nN][wW] # enw +@{audio_ext} += [eE][oO][lL] # eol +@{audio_ext} += [eE][vV][bB] # evb +@{audio_ext} += [eE][vV][cC] # evc +@{audio_ext} += [eE][vV][wW] # wvw +@{audio_ext} += [fF][lL][aA][cC] # flac +@{audio_ext} += [kK][aA][rR] # kar +@{audio_ext} += [kK][oO][zZ] # koz +@{audio_ext} += [lL][bB][cC] # lbc +@{audio_ext} += [lL][oO][aA][sS] # loas +@{audio_ext} += [lL][vV][pP] # lvp +@{audio_ext} += [lL]16 # l16 +@{audio_ext} += [mM][eE][dD] # med +@{audio_ext} += [mM][hH][aA][sS] # mhas +@{audio_ext} += [mM][iI][dD] # mid +@{audio_ext} += [mM][iI][dD][iI] # midi +@{audio_ext} += [mM][kK][aA] # mka +@{audio_ext} += [mM][lL][pP] # mlp +@{audio_ext} += [mM][oO][dD] # mod +@{audio_ext} += [mM][pP][gG][aA] # mpga +@{audio_ext} += [mM][pP]1 # mp1 +@{audio_ext} += [mM][pP]2 # mp2 +@{audio_ext} += [mM][pP]3 # mp3 +@{audio_ext} += [mM][tT][mM] # mtm 
+@{audio_ext} += [mM][uU][lL][tT][iI][tT][rR][aA][cC][kK] # multitrack +@{audio_ext} += [mM][xX][mM][fF] # mxmf +@{audio_ext} += [mM]15 # m15 +@{audio_ext} += [mM]3[uU] # m3u +@{audio_ext} += [mM]4[aA] # m4a +@{audio_ext} += [oO][gG] # og +@{audio_ext} += [oO][gG][aA] # oga +@{audio_ext} += [oO][mM][gG] # omg +@{audio_ext} += [oO][pP][uU][sS] # opus +@{audio_ext} += [pP][lL][jJ] # plj +@{audio_ext} += [pP][sS][iI][dD] # psid +@{audio_ext} += [pP][yY][aA] # pya +@{audio_ext} += [qQ][cC][pP] # qcp +@{audio_ext} += [rR][aA] # ra +@{audio_ext} += [rR][aA][mM] # ram +@{audio_ext} += [rR][iI][pP] # rip +@{audio_ext} += [rR][mM] # rm +@{audio_ext} += [sS][iI][dD] # sid +@{audio_ext} += [sS][mM][pP] # smp +@{audio_ext} += [sS][mM][pP]3 # smp3 +@{audio_ext} += [sS][mM][vV] # smv +@{audio_ext} += [sS][nN][dD] # snd +@{audio_ext} += [sS][oO][fF][aA] # sofa +@{audio_ext} += [sS][pP][xX] # spx +@{audio_ext} += [sS][tT][mM] # stm +@{audio_ext} += [sS]1[mM] # s1m +@{audio_ext} += [sS]3[mM] # s3m +@{audio_ext} += [uU][lL][tT] # ult +@{audio_ext} += [uU][nN][iI] # uni +@{audio_ext} += [uU][vV][aA] # uva +@{audio_ext} += [uU][vV][vV][aA] # uvva +@{audio_ext} += [vV][bB][kK] # vbk +@{audio_ext} += [wW][aA][vV] # wav +@{audio_ext} += [wW][aA][xX] # wax +@{audio_ext} += [wW][mM][aA] # wma +@{audio_ext} += [xX][hH][eE] # xhe +@{audio_ext} += 669 # 669 + +# Lyrics +@{lyrics_ext} = [lL][rR][cC] # lrc +@{lyrics_ext} += [lL][yY][rR][iI][cC] # lyric + +# Videos +@{video_ext} = [aA][sS][xX] # asx +@{video_ext} += [aA][vV][iI] # avi +@{video_ext} += [aA][xX][vV] # axv +@{video_ext} += [bB][iI][kK] # bik +@{video_ext} += [bB][kK]2 # bk2 +@{video_ext} += [dD][vV][bB] # dvb +@{video_ext} += [fF][lL][vV] # flv +@{video_ext} += [fF][vV][tT] # fvt +@{video_ext} += [fF][xX][mM] # fxm +@{video_ext} += [mM][jJ][pP]2 # mjp2 +@{video_ext} += [mM][jJ]2 # mj2 +@{video_ext} += [mM][kK][vV] # mkv +@{video_ext} += [mM][kK]3[dD] # mk3d +@{video_ext} += [mM][oO][vV] # mov +@{video_ext} += [mM][pP][eE] # mpe 
+@{video_ext} += [mM][pP][eE][gG] # mpeg +@{video_ext} += [mM][pP][gG] # mpg +@{video_ext} += [mM][pP][gG]4 # mpg4 +@{video_ext} += [mM][pP]4 # mp4 +@{video_ext} += [mM][xX][uU] # mxu +@{video_ext} += [mM]1[vV] # m1v +@{video_ext} += [mM]2[vV] # m2v +@{video_ext} += [mM]4[sS] # m4s +@{video_ext} += [mM]4[uU] # m4u +@{video_ext} += [mM]4[vV] # m4v +@{video_ext} += [nN][iI][mM] # nim +@{video_ext} += [oO][gG][vV] # ogv +@{video_ext} += [pP][yY][vV] # pyv +@{video_ext} += [qQ][tT] # qt +@{video_ext} += [sS][mM][kK] # smk +@{video_ext} += [sS][mM][oO] # smo +@{video_ext} += [sS][mM][pP][gG] # smpg +@{video_ext} += [sS][sS][mM][oO][vV] # ssmov +@{video_ext} += [sS][sS][wW][fF] # sswf +@{video_ext} += [sS]1[qQ] # s1q +@{video_ext} += [sS]11 # s11 +@{video_ext} += [sS]14 # s14 +@{video_ext} += [uU][vV][hH] # uvh +@{video_ext} += [uU][vV][mM] # uvm +@{video_ext} += [uU][vV][pP] # uvp +@{video_ext} += [uU][vV][sS] # uvs +@{video_ext} += [uU][vV][uU] # uvu +@{video_ext} += [uU][vV][vV][hH] # uvvh +@{video_ext} += [uU][vV][vV][mM] # uvvm +@{video_ext} += [uU][vV][vV][pP] # uvvp +@{video_ext} += [uU][vV][vV][sS] # uvvs +@{video_ext} += [uU][vV][vV][uU] # uvvu +@{video_ext} += [uU][vV][vV][vV] # uvv +@{video_ext} += [vV][iI][vV] # viv +@{video_ext} += [wW][eE][bB][mM] # webm +@{video_ext} += [wW][mM] # wm +@{video_ext} += [wW][mM][vV] # wmv +@{video_ext} += [wW][mM][xX] # wmx +@{video_ext} += [wW][vV][xX] # wvx +@{video_ext} += [yY][tT] # yt +@{video_ext} += 3[gG][pP] # 3gp +@{video_ext} += 3[gG][pP][pP] # 3gpp +@{video_ext} += 3[gG][pP][pP]2 # 3gpp2 +@{video_ext} += 3[gG]2 # 3g2 + +# Subtitles +@{suntitles_ext} = [aA][qQ][tT] # aqt +@{suntitles_ext} += [aA][sS][sS] # ass +@{suntitles_ext} += [gG][sS][uU][bB] # gsub +@{suntitles_ext} += [uU][sS][fF] # usf +@{suntitles_ext} += [pP][aA][cC] # pac +@{suntitles_ext} += [pP][jJ][sS] # pjs +@{suntitles_ext} += [pP][sS][bB] # psb +@{suntitles_ext} += [rR][tT] # rt +@{suntitles_ext} += [sS][bB][vV] # sbv +@{suntitles_ext} += 
[sS][mM][iI] # smi +@{suntitles_ext} += [sS][rR][tT] # srt +@{suntitles_ext} += [sS][sS][aA] # ssa +@{suntitles_ext} += [sS][sS][fF] # ssf +@{suntitles_ext} += [sS][tT][lL] # stl +@{suntitles_ext} += [sS][uU][bB] # sub +@{suntitles_ext} += [tT][t][mM][lL] # ttml +@{suntitles_ext} += [tT][t][xX][tT] # ttxt +@{suntitles_ext} += [vV][tT][t] # vtt + +# Images +@{image_ext} = [aA][pP][nN][gG] # apng +@{image_ext} += [aA][vV][cC][iI] # avci +@{image_ext} += [aA][vV][cC][sS] # avcs +@{image_ext} += [aA][vV][iI][fF] # avif +@{image_ext} += [aA][zZ][vV] # azv +@{image_ext} += [bB][mM][pP] # bmp +@{image_ext} += [bB][tT][fF] # btf +@{image_ext} += [bB][tT][iI][fF] # btif +@{image_ext} += [bB]16 # b16 +@{image_ext} += [cC][gG][mM] # cgm +@{image_ext} += [dD][iI][bB] # dib +@{image_ext} += [dD][jJ][vV] # djv +@{image_ext} += [dD][jJ][vV][uU] # djvu +@{image_ext} += [dD][pP][xX] # dpx +@{image_ext} += [dD][rR][lL][eE] # drle +@{image_ext} += [dD][wW][gG] # dwg +@{image_ext} += [dD][xX][fF] # dxf +@{image_ext} += [eE][mM][fF] # emf +@{image_ext} += [eE][xX][rR] # exr +@{image_ext} += [fF][bB][sS] # fbs +@{image_ext} += [fF][iI][tT] # fit +@{image_ext} += [fF][iI][tT][sS] # fits +@{image_ext} += [fF][pP][xX] # fpx +@{image_ext} += [fF][sS][tT] # fst +@{image_ext} += [fF][tT][sS] # fts +@{image_ext} += [gG][iI][fF] # gif +@{image_ext} += [hH][dD][rR] # hdr +@{image_ext} += [hH][eE][iI][cC] # heic +@{image_ext} += [hH][eE][iI][cC][sS][hH][eE][iI][fF] # heics +@{image_ext} += [hH][eE][iI][fF][sS] # heif +@{image_ext} += [hH][eE][jJ]2 # heifs +@{image_ext} += [hH][iI][fF] # hif +@{image_ext} += [hH][sS][jJ]2 # hsj2 +@{image_ext} += [iE][eE][fF] # ief +@{image_ext} += [iI][cC][oO] # ico +@{image_ext} += [jJ][fF][iI][fF] # jfif +@{image_ext} += [jJ][hH][cC] # jhc +@{image_ext} += [jJ][lL][sS] # jls +@{image_ext} += [jJ][pP][eE][gG] # jpeg +@{image_ext} += [jJ][pP][fF] # jpf +@{image_ext} += [jJ][pP][gG] # jpg +@{image_ext} += [jJ][pP][gG][mM] # jpgm +@{image_ext} += [jJ][pP][gG]2 # 
jpg2 +@{image_ext} += [jJ][pP][hH] # jph +@{image_ext} += [jJ][pP][mM] # jpm +@{image_ext} += [jJ][pP][xX] # jpx +@{image_ext} += [jJ][pP]2 # jp2 +@{image_ext} += [jJ][xX][lL] # jxl +@{image_ext} += [jJ][xX][rR] # jxr +@{image_ext} += [jJ][xX][rR][aA] # jxra +@{image_ext} += [jJ][xX][rR][sS] # jxrs +@{image_ext} += [jJ][xX][sS][cC] # jxsc +@{image_ext} += [jJ][xX][sS][iI] # jxsi +@{image_ext} += [jJ][xX][sS][sS] # jxss +@{image_ext} += [kK][tT][xX] # ktx +@{image_ext} += [kK][tT][xX]2 # ktx2 +@{image_ext} += [mM][dD][iI] # mdi +@{image_ext} += [mM][mM][rR] # mmr +@{image_ext} += [pP][bB][mM] # pbm +@{image_ext} += [pP][cC][xX] # pcx +@{image_ext} += [pP][gG][bB] # pgb +@{image_ext} += [pP][gG][mM] # pgm +@{image_ext} += [pP][nN][gG] # png +@{image_ext} += [pP][nN][mM] # pnm +@{image_ext} += [pP][pP][mM] # ppm +@{image_ext} += [pP][sS][dD] # psd +@{image_ext} += [pP][sS][dD][cC] # psdc +@{image_ext} += [pP][tT][iI] # pti +@{image_ext} += [rR][aA][sS] # ras +@{image_ext} += [rR][gG][bB] # rgb +@{image_ext} += [rR][gG][bB][eE] # rgbe +@{image_ext} += [rR][lL][cC] # rlc +@{image_ext} += [sS][gG][iI] # sgi +@{image_ext} += [sS][gG]1[gG] # s1g +@{image_ext} += [sS][jJ][pP] # sjp +@{image_ext} += [sS][jJ][pP][gG] # sjpg +@{image_ext} += [sS][pP][nN] # spn +@{image_ext} += [sS][pP][nN][gG] # spng +@{image_ext} += [sS][vV][gG] # svg +@{image_ext} += [sS][vV][gG][zZ] # svgz +@{image_ext} += [sS]1[jJ] # s1j +@{image_ext} += [sS]1[nN] # s1n +@{image_ext} += [tT][aA][pP] # tap +@{image_ext} += [tT][gG][aA] # tga +@{image_ext} += [tT][iI][fF] # tif +@{image_ext} += [tT][iI][fF][fF] # tiff +@{image_ext} += [tT]38 # t38 +@{image_ext} += [uU][vV][gG] # uvg +@{image_ext} += [uU][vV][iI] # uvi +@{image_ext} += [uU][vV][vV][gG] # uvvg +@{image_ext} += [uU][vV][vV][iI] # uvvi +@{image_ext} += [vV][bB][mM] # vtf +@{image_ext} += [wW][eE][bB][pP] # webp +@{image_ext} += [wW][mM][fF] # wmf +@{image_ext} += [xX][bB][mM] # xbm +@{image_ext} += [xX][cC][fF] # xcf +@{image_ext} += 
[xX][iI][fF] # xif +@{image_ext} += [xX][pP][mM] # xpm +@{image_ext} += [xX][wW][dD] # xwd +@{image_ext} += [xX][yY][zZ][eE] # xyze + +# Models +@{model_ext} = [bB][aA][rR][yY] # bary +@{model_ext} += [bB][sS][pP] # bsp +@{model_ext} += [cC][lL][dD] # cld +@{model_ext} += [dD][aA][eE] # dae +@{model_ext} += [dD][oO][rR] # dor +@{model_ext} += [dD][wW][fF] # dwf +@{model_ext} += [gG][lL][bB] # glb +@{model_ext} += [gG][lL][dD] # gld +@{model_ext} += [gG][lL][tT][fF] # gltf +@{model_ext} += [gG][sS][mM] # gsm +@{model_ext} += [gG][tT][wW] # gtw +@{model_ext} += [iI][gG][eE][sS] # iges +@{model_ext} += [iI][gG][sS] # igs +@{model_ext} += [iI][sS][mM] # ism +@{model_ext} += [jJ][tT] # jt +@{model_ext} += [lL][mM][pP] # lmp +@{model_ext} += [mM][eE][sS][hH] # mesh +@{model_ext} += [mM][oO][mM][lL] # moml +@{model_ext} += [mM][sS][hH] # msh +@{model_ext} += [mM][sS][mM] # msm +@{model_ext} += [mM][tT][lL] # mtl +@{model_ext} += [mM][tT][sS] # mts +@{model_ext} += [oO][bB][jJ] # obj +@{model_ext} += [oO][gG][eE][xX] # ogex +@{model_ext} += [pP][yY][oO] # pyo +@{model_ext} += [pP][yY][oO][xX] # pyox +@{model_ext} += [rR][sS][mM] # rsm +@{model_ext} += [sS][iI][lL][oO] # silo +@{model_ext} += [sS][tT][lL] # stl +@{model_ext} += [sS][tT][pP][xX] # stpx +@{model_ext} += [sS][tT][pP][xX][zZ] # stpxz +@{model_ext} += [uU][sS][dD][aA] # usda +@{model_ext} += [uU][sS][dD][zZ] # usdz +@{model_ext} += [uU]3[dD] # u3d +@{model_ext} += [vV][dD][sS] # vds +@{model_ext} += [vV][rR][mM][lL] # vrml +@{model_ext} += [vV][tT][uU] # vtu +@{model_ext} += [wW][iI][nN] # win +@{model_ext} += [wW][rR][lL] # wrl +@{model_ext} += [xX]_[bB] # x_b +@{model_ext} += [xX]_[tT] # x_t +@{model_ext} += [xX][mM][tT]_[bB][iI][nN] # xmt_bin +@{model_ext} += [xX][mM][tT]_[tT][xX][tT] # xmt_txt +@{model_ext} += [xX]3[dD][bB] # x3db +@{model_ext} += [xX]3[dD][vV] # x3dv +@{model_ext} += [xX]3[dD][vV][zZ] # x3dvz + +# Fonts +@{font_ext} = [tT][tT][cC] # ttc +@{font_ext} += [tT][tT][fF] # ttf +@{font_ext} += 
[oO][tT][fF] # otf +@{font_ext} += [wW][oO][fF] # woff +@{font_ext} += [wW][oO][fF]2 # woff2 + +# Documents +@{document_ext} = [aA][dD][xX] # adx +@{document_ext} += [cC][dD][fF] # cdf +@{document_ext} += [dD][oO][cC] # doc +@{document_ext} += [dD][oO][cC][mM] # docm +@{document_ext} += [dD][oO][cC][xX] # docx +@{document_ext} += [dD][oO][tT] # dot +@{document_ext} += [dD][oO][tT][xX] # dotx +@{document_ext} += [fF][nN][iI] # fni +@{document_ext} += [fF][oO][dD][gG] # fodg +@{document_ext} += [fF][oO][dD][pP] # fodp +@{document_ext} += [fF][oO][dD][sS] # fods +@{document_ext} += [fF][oO][dD][tT] # fodt +@{document_ext} += [iI][nN][fF][oO] # info +@{document_ext} += [lL][aA][tT][eE][xX] # latex +@{document_ext} += [mM][dD][iI] # mdi +@{document_ext} += [oO][dD][bB] # odb +@{document_ext} += [oO][dD][cC] # odc +@{document_ext} += [oO][dD][fF] # odf +@{document_ext} += [oO][dD][gG] # odg +@{document_ext} += [oO][dD][iI] # odi +@{document_ext} += [oO][dD][mM] # odm +@{document_ext} += [oO][dD][pP] # odp +@{document_ext} += [oO][dD][sS] # ods +@{document_ext} += [oO][dD][tT] # odt +@{document_ext} += [oO][tT][cC] # otc +@{document_ext} += [oO][tT][fF] # otf +@{document_ext} += [oO][tT][gG] # otg +@{document_ext} += [oO][tT][hH] # oth +@{document_ext} += [oO][tT][iI] # oti +@{document_ext} += [oO][tT][pP] # otp +@{document_ext} += [oO][tT][sS] # ots +@{document_ext} += [oO][tT][tT] # ott +@{document_ext} += [oO][xX][tT] # oxt +@{document_ext} += [pP][aA][gG][eE][sS] # pages +@{document_ext} += [pP][dD][fF] # pdf +@{document_ext} += [pP][pP][tT][sS] # ppts +@{document_ext} += [pP][pP][tT][xX] # pptx +@{document_ext} += [sS][tT][cC] # stc +@{document_ext} += [sS][tT][dD] # std +@{document_ext} += [sS][tT][iI] # sti +@{document_ext} += [sS][tT][wW] # stw +@{document_ext} += [sS][xX][cC] # sxc +@{document_ext} += [sS][xX][dD] # sxd +@{document_ext} += [sS][xX][gG][sS][xX][iI] # sxgsxi +@{document_ext} += [sS][xX][mM] # sxm +@{document_ext} += [sS][xX][wW] # sxw 
+@{document_ext} += [tT][eE][xX] # tex +@{document_ext} += [tT][eE][xX][iI] # texi +@{document_ext} += [tT][eE][xX][iI][nN][fF][oO] # texinfo +@{document_ext} += [xX][lL][sS] # xls +@{document_ext} += [xX][lL][sS][bB] # xlsb +@{document_ext} += [xX][lL][sS][mM] # xlsm +@{document_ext} += [xX][lL][sS][xX] # xlsx +@{document_ext} += [xX][oO][dD][pP] # xodp +@{document_ext} += [xX][oO][dD][sS] # xods +@{document_ext} += [xX][oO][dD][tT] # xodt +@{document_ext} += [xX][oO][tT][pP] # xotp +@{document_ext} += [xX][oO][tT][sS] # xots +@{document_ext} += [xX][oO][tT][tT] # xott +@{document_ext} += [xX][pP][sS] # xps + +# Texts +@{text_ext} = [aA][pP][pP][cC][aA][cC][hH][eE] # appcache +@{text_ext} += [aA] # a +@{text_ext} += [aA][bB][cC] # abc +@{text_ext} += [aA][sS][cC] # asc +@{text_ext} += [aA][sS][cC][iI][iI] # ascii +@{text_ext} += [cC] # c +@{text_ext} += [cC][cC] # cc +@{text_ext} += [cC][cC][cC] # ccc +@{text_ext} += [cC][nN][dD] # cnd +@{text_ext} += [cC][oO][nN][fF] # conf +@{text_ext} += [cC][oO][pP][yY][rR][iI][gG][hH][tT] # copyright +@{text_ext} += [cC][qQ][lL] # cql +@{text_ext} += [cC][sS][sS] # css +@{text_ext} += [cC][sS][vV] # csv +@{text_ext} += [cC][sS][vV][sS] # csvs +@{text_ext} += [cC][xX][xX] # cxx +@{text_ext} += [dD][mM][sS] # dms +@{text_ext} += [dD][oO][tT] # dot +@{text_ext} += [dD][sS][cC] # dsc +@{text_ext} += [eE][lL] # el +@{text_ext} += [eE][nN][tT] # ent +@{text_ext} += [eE][tT][xX] # etx +@{text_ext} += [fF][lL][tT] # flt +@{text_ext} += [fF][lL][xX] # flx +@{text_ext} += [fF][lL][yY] # fly +@{text_ext} += [fF]90 # f90 +@{text_ext} += [gG][eE][dD] # ged +@{text_ext} += [gG][fF][fF]3 # gff3 +@{text_ext} += [gG][vV] # gv +@{text_ext} += [hH] # h +@{text_ext} += [hH][aA][nN][sS] # hans +@{text_ext} += [hH][gG][lL] # hgl +@{text_ext} += [hH][hH] # hh +@{text_ext} += [hH][tT][mM] # htm +@{text_ext} += [hH][tT][mM][lL] # html +@{text_ext} += [hH][xX][xX] # hxx +@{text_ext} += [iI][cC][sS] # ics +@{text_ext} += [iI][fF][bB] # ifb +@{text_ext} 
+= [jJ][aA][dD] # jad +@{text_ext} += [jJ][sS] # js +@{text_ext} += [jJ][tT][dD] # jtd +@{text_ext} += [lL][oO][gG] # log +@{text_ext} += [mM][aA][nN][iI][fF][eE][sS][tT] # manifest +@{text_ext} += [mM][aA][rR][kK][dD][oO][wW][nN] # markdown +@{text_ext} += [mM][cC]2 # mc2 +@{text_ext} += [mM][dD] # md +@{text_ext} += [mM][iI][zZ] # miz +@{text_ext} += [mM][jJ][sS] # mjs +@{text_ext} += [mM][pP][fF] # mpf +@{text_ext} += [nN]3 # n3 +@{text_ext} += [pP][mM] # pm +@{text_ext} += [pP][oO][dD] # pod +@{text_ext} += [pP][rR][oO][vV][nN] # provn +@{text_ext} += [rR][nN][gG] # rng +@{text_ext} += [rR][oO][fF][fF] # roff +@{text_ext} += [rR][sS][tT] # rst +@{text_ext} += [rR][tT][xX] # rtx +@{text_ext} += [sS][aA][nN][dD][bB][oO][xX][eE][dD] # sandboxed +@{text_ext} += [sS][gG][mM] # sgm +@{text_ext} += [sS][gG][mM][lL] # sgml +@{text_ext} += [sS][hH][aA][cC][lL][cC] # shaclc +@{text_ext} += [sS][hH][cC] # shc +@{text_ext} += [sS][hH][eE][xX] # shex +@{text_ext} += [sS][iI] # si +@{text_ext} += [sS][lL] # sl +@{text_ext} += [sS][oO][aA] # soa +@{text_ext} += [sS][oO][sS] # sos +@{text_ext} += [sS][pP][dD][xX] # spdx +@{text_ext} += [sS][pP][oO] # spo +@{text_ext} += [sS][pP][oO][tT] # spot +@{text_ext} += [sS][uU][bB] # sub +@{text_ext} += [tT] # t +@{text_ext} += [tT][aA][gG] # tag +@{text_ext} += [tT][eE][xX][tT] # text +@{text_ext} += [tT][rR] # tr +@{text_ext} += [tT][sS] # ts +@{text_ext} += [tT][sS][vV] # tsv +@{text_ext} += [tT][tT][lL] # ttl +@{text_ext} += [tT][xX][tT] # txt +@{text_ext} += [uU][rR][iI] # uri +@{text_ext} += [uU][rR][iI][cC] # uric +@{text_ext} += [uU][rR][iI][sS] # uris +@{text_ext} += [vV][cC][aA][rR][dD] # vcard +@{text_ext} += [vV][cC][fF] # vcf +@{text_ext} += [vV][fF][kK] # vfk +@{text_ext} += [vV][tT][tT] # vtt +@{text_ext} += [wW][gG][sS][lL] # wgsl +@{text_ext} += [wW][mM][lL] # wml +@{text_ext} += [wW][mM][lL][sS] # wmls +@{text_ext} += [xX][mM][lL] # xml +@{text_ext} += [xX][sS][dD] # xsd +@{text_ext} += [zZ][oO][nN][eE] # zone 
+@{text_ext} += 3[dD][mM] # 3dm
+@{text_ext} += 3[dD][mM][lL] # 3dml
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index 69ca70ef7..83aec3ce3 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -13,6 +13,9 @@
 # Coreutils programs that should not have dedicated profile
 @{coreutils_path} = @{bin}/@{coreutils}
+# Python interpreters
+@{python_path} = @{bin}/@{python_name}
+
 # Browsers
 @{brave_path} = @{brave_lib_dirs}/@{brave_name}
 @{chrome_path} = @{opera_lib_dirs}/@{chrome_name}
@@ -31,9 +34,15 @@
 @{emails_path} = @{thunderbird_path} @{bin}/@{emails_names}
 # Open
-@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open
-@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
-@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
+@{open_path} = @{bin}/@{open_names}
+@{open_path} += @{lib}/gio-launch-desktop
+@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
+
+# Editor
+@{editor_path} = @{bin}/@{editor_names}
+
+# Pager
+@{pager_path} = @{bin}/@{pager_names}
 # File explorers
 @{file_explorers_path} = @{bin}/@{file_explorers_names}
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index dd9386b09..a24cefc01 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Define some variables for some commonly used profile. They may be used in
+# Define some variables for some commonly used profile. They may be used in
 # other profiles peer label.
 # All variables that refer to a profile name should be prefixed with `p_`
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
index f72e56921..406336e49 100644
--- a/apparmor.d/tunables/multiarch.d/programs
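Review bot: Several patterns in the new extensions file do not match the extension named in their own comment, so rules built on them will silently miss real files: `[wW][oO][fF]`/`[wW][oO][fF]2` (woff/woff2 lose an `f`), `[iE][eE][fF]` (ief), `[tT][t][mM][lL]`, `[tT][t][xX][tT]` and `[vV][tT][t]` (a lowercase-only `[t]`), `{,[zZ][sS][tT]}` after pkg.tar (no dot before zst), and the heic/heif run, where `[hH][eE][iI][cC][sS][hH][eE][iI][fF]` looks like two entries fused and the three comments after it are shifted by one; `[sS][xX][gG][sS][xX][iI] # sxgsxi`, `[sS][gG]1[gG] # s1g`, `[vV][bB][mM] # vtf`, `[uU][vV][vV][vV] # uvv` and `[eE][vV][wW] # wvw` need the same pattern-versus-comment check. The variable is spelled `@{suntitles_ext}` on every line; a profile written against `@{subtitles_ext}` will fail to compile, so renaming it now, before anything depends on it, is cheap. The catch-all entries `??_`, `?[qQ]?` and `?[zZ]?` match any three-character extension of that shape, so every rule ending in `.@{archive_ext}` quietly widens to names such as `.bq7` or `.xz_`; listing the concrete extensions intended (the Microsoft `.ex_`/`.dl_` style, presumably) keeps the archive rules as tight as the rest of the file. The fence gives the corrected lines; everything else in the file is unchanged.
```apparmor
@{package_ext} += [pP][kK][gG].[tT][aA][rR]{,.[zZ][sS][tT]} # pkg.tar{,.zst}
# … unchanged: disk images, archives, audio, lyrics, videos …
@{subtitles_ext} = [aA][qQ][tT] # aqt  (same rename on every following subtitle line)
# … unchanged: ass … sub …
@{subtitles_ext} += [tT][tT][mM][lL] # ttml
@{subtitles_ext} += [tT][tT][xX][tT] # ttxt
@{subtitles_ext} += [vV][tT][tT] # vtt
# … unchanged: images apng … heic …
@{image_ext} += [hH][eE][iI][cC][sS] # heics
@{image_ext} += [hH][eE][iI][fF] # heif
@{image_ext} += [hH][eE][iI][fF][sS] # heifs
@{image_ext} += [hH][eE][jJ]2 # hej2
# … unchanged: hif, hsj2 …
@{image_ext} += [iI][eE][fF] # ief
# … unchanged: remaining images, models, ttc, ttf, otf …
@{font_ext} += [wW][oO][fF][fF] # woff
@{font_ext} += [wW][oO][fF][fF]2 # woff2
# … unchanged: documents, texts …
```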
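Review bot: `@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop` replaces the `[0-9]*` glob with `@{version}`, and no hunk of this commit that I can see defines that variable; if it is not provided by another tunable, apparmor_parser rejects every profile that expands `@{open_path}`. The unchanged context line `@{chrome_path} = @{opera_lib_dirs}/@{chrome_name}` two lines above the Open block also looks like a copy-paste slip (a Chrome binary under Opera's lib directory) and is worth fixing while this file is being touched, presumably with a `chrome_lib_dirs` counterpart of `@{brave_lib_dirs}` if one exists. A short comment on the new `@{python_path}`, e.g. `# Expands to python, python3 and python3.N via @{python_name}`, would spare readers a trip to the programs tunable.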
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -15,15 +15,28 @@
 # All interactive shells users may want to use
 @{shells} = sh zsh bash dash fish rbash ksh tcsh csh
-# Coreutils programs that should not have dedicated profile
+# Coreutils programs that should not have dedicated profile. Also includes findutils and diffutils.
 @{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
-@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand
+@{coreutils} += cksum cmp comm cp csplit cut date dd df dir dircolors dirname diff diff3 du echo env expand
 @{coreutils} += expr factor false find fmt fold {,e,f}grep head hostid id install join link
-@{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
+@{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
 @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
-@{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
+@{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
 @{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true
-@{coreutils} += truncate tsort tty uname unexpand uniq unlink vdir wc who whoami xargs yes
+@{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes
+
+# Python interpreters
+@{python_version} = 3 3.[0-9] 3.1[0-9]
+@{python_name} = python python@{python_version}
+
+# Open
+@{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop
+
+# Editor
+@{editor_names} = sensible-editor vim{,.*} nvim nano
+
+# Pager
+@{pager_names} = sensible-pager pager less more
 # Browsers
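Review bot: Adding `locate` and `updatedb` to `@{coreutils}` puts them into `@{coreutils_path}`, and if profiles execute that variable with inherit rights as they do for `@{sh_path} rix` elsewhere in this diff, `updatedb` — which walks the whole filesystem and rewrites the locate database — runs under whichever caller's profile happened to launch it rather than under rules written for it. That is a different risk class from `cat` or `wc`; a dedicated profile, or at least a comment on the `+# Coreutils …` line saying why these two belong in the no-profile set, would make the choice explicit. The updated header comment also exceeds the width of every other line in the block and could be split, e.g. `# Coreutils programs that should not have dedicated profile.` / `# Also includes findutils and diffutils.`.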
@@ -48,9 +61,9 @@ @{torbrowser_name} = torbrowser "tor browser" @{torbrowser_lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ -# Emails +# Emails -@{thunderbird_name} = thunderbird{,.sh,-bin} +@{thunderbird_name} = thunderbird{,-bin} @{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name} @{emails_names} = evolution geary @@ -59,7 +72,7 @@ @{file_explorers_names} = dolphin nautilus thunar # Text editors -@{text_editors_names} = code gedit mousepad gnome-text-editor +@{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers @{document_viewers_names} = evince okular *{F,f}oliate YACReader diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f2e7c2563..0a95d1837 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -2,28 +2,53 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# To allow extended personalisation without breaking everything. -# All apparmor profiles should always use the variables defined here. +# Base variables +# -------------- -# Single hexadecimal character -@{h}=[0-9a-fA-F] +# Any digit +@{d}=[0-9] + +# Any letter +@{l}=[a-zA-Z] # Single alphanumeric character @{c}=[0-9a-zA-Z] -# Integer up to 10 digits (0-9999999999) -@{int}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],} +# Word character: matches any letter, digit or underscore. +@{w}=[a-zA-Z0-9_] -# hexadecimal, alphanumeric up to 64 characters +# Single hexadecimal character +@{h}=[0-9a-fA-F] + +# Integer up to 10 digits (0-9999999999) +@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} + +# hexadecimal, alphanumeric and word up to 64 characters @{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} @{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} 
+@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} + +# Unsigned integer over 8 bits (0...255) +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0...65,535 5 digits) +@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} + +# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) +@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). 
+@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} # Any x digits characters -@{int2}=[0-9][0-9] +@{int2}=@{d}@{d} @{int4}=@{int2}@{int2} @{int6}=@{int4}@{int2} @{int8}=@{int4}@{int4} +@{int9}=@{int8}@{d} @{int10}=@{int8}@{int2} +@{int12}=@{int8}@{int4} +@{int15}=@{int8}@{int4}@{int2}@{d} @{int16}=@{int8}@{int8} @{int32}=@{int16}@{int16} @{int64}=@{int32}@{int32} @@ -35,6 +60,8 @@ @{hex8}=@{hex4}@{hex4} @{hex9}=@{hex8}@{h} @{hex10}=@{hex8}@{hex2} +@{hex12}=@{hex8}@{hex4} +@{hex15}=@{hex8}@{hex4}@{hex2}@{h} @{hex16}=@{hex8}@{hex8} @{hex32}=@{hex16}@{hex16} @{hex38}=@{hex32}@{hex6} 
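Review bot: `@{u16}` has a stray `[` in its third alternative, `[1-9][@{d}@{d}`, which after expansion probably becomes the character class `[[0-9]` (a literal `[` or a digit) followed by one more digit instead of two plain digits — or is rejected outright, depending on the parser version; the line should read `@{u16}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}`. The bounds are also looser than the comments state: `[1-6]` followed by four digits accepts up to 69999, `[1-4]` plus nine digits up to 4999999999, and the `u64` pattern up to 19999999999999999999, which is fine for path matching but the comments should say "up to roughly" rather than quote the exact maximum. Minor: `@{u8}` still spells `[0-9]` literally where every neighbouring definition now uses `@{d}`.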
@@ -47,25 +74,28 @@ @{rand8}=@{rand4}@{rand4} @{rand9}=@{rand8}@{c} @{rand10}=@{rand8}@{rand2} +@{rand12}=@{rand8}@{rand4} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} @{rand16}=@{rand8}@{rand8} @{rand32}=@{rand16}@{rand16} @{rand64}=@{rand64}@{rand64} -# Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +# Any x word characters +@{word2}=@{w}@{w} +@{word4}=@{word2}@{word2} +@{word6}=@{word4}@{word2} +@{word8}=@{word4}@{word4} +@{word9}=@{word8}@{w} +@{word10}=@{word8}@{word2} +@{word12}=@{word8}@{word4} +@{word15}=@{word8}@{word4}@{word2}@{w} +@{word16}=@{word8}@{word8} +@{word32}=@{word16}@{word16} +@{word64}=@{word32}@{word32} -# Username & group valid characters -@{u}=[a-zA-Z0-9_] -@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},} -@{group}=@{user} -# Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} -@{pci}=@{pci_bus}/**/ - -# hci devices -@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c} +# System Paths +# ------------ # @{MOUNTDIRS} is a space-separated list of where user mount directories # are stored, for programs that must enumerate all mount directories on a 
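Review bot: This hunk deletes `@{hci_id}` (the `dev_XX_XX_…` Bluetooth device pattern) together with the uuid/user/pci definitions, but unlike those it is not re-added in the new "System Internal" section of this file; unless it was moved to another file in the same commit, any profile still referencing `@{hci_id}` will fail to load with an undefined-variable error. Separately, the context line this hunk inserts `@{word64}` beneath, `@{rand64}=@{rand64}@{rand64}`, is self-referential (pre-existing; it should be `@{rand64}=@{rand32}@{rand32}`) — since the rand/word families are being aligned here, this is the moment to fix it.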
@@ -82,11 +112,45 @@ # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ -# Udev data dynamic assignment ranges -@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 -@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 + +# System Variables +# ---------------- + +# Common architecture names +@{arch}=x86_64 amd64 i386 i686 + +# Dbus unique name +@{busname}=:1.@{u16} :not.active.yet + +# Universally unique identifier +@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} + +# Username & group valid characters +@{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} +@{group}=@{user} + +# Semantic version +@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},} # OpenSUSE does not have the same multiarch structure @{multiarch}+=*-suse-linux* #aa:only opensuse + +# System Internal +# --------------- + +# Shortcut for PCI device +@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} +@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} +@{pci}=@{pci_bus}/**/ + +# Udev data dynamic assignment ranges +@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 +@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 + +# Attachment path for attach_disconnected.path flag. +# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +@{att}=/ +alias // -> /, + # vim:syntax=apparmor diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 184e6d118..f7c484fd7 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go 
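Review bot: `@{busname}=:1.@{u16}` caps the D-Bus unique-name serial at five digits, but as far as I know the bus hands out `:1.N` from a counter that only grows for the lifetime of the bus, so on a long-running session or system bus with many short-lived connections N can pass 65535 and every `peer=(name=@{busname})` rule then fails closed; `@{busname}=:1.@{u32} :not.active.yet` is the safer bound. While `@{user}` is being rebuilt on `@{w}`, note it still cannot match hyphenated system accounts such as `systemd-network` that `useradd` permits — pre-existing, but worth a comment if the omission is deliberate. The `@{att}=/` plus `alias // -> /,` pair is evidently a build hook for the attach_disconnected.path preamble; one line explaining why the alias is required when `@{att}` stays `/` would save the next reader a search.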
@@ -17,7 +17,7 @@ import ( const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. @@ -64,7 +64,7 @@ func aaLog(logger string, path string, profile string) error { return nil } - aaLogs := logs.NewApparmorLogs(file, profile) + aaLogs := logs.New(file, profile) if rules { profiles := aaLogs.ParseToProfiles() for _, p := range profiles { diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 8fa7cce66..5f7dd6396 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -13,7 +13,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] @@ -76,10 +75,10 @@ func getIndentationLevel(input string) int { return level } -func parse(kind kind, profile string) ([]aa.Rules, []string, error) { +func parse(kind kind, profile string) (aa.ParaRules, []string, error) { var raw string paragraphs := []string{} - rulesByParagraph := []aa.Rules{} + rulesByParagraph := aa.ParaRules{} switch kind { case isTunable, isProfile: @@ -110,9 +109,6 @@ func formatFile(kind kind, profile string) (string, error) { return "", err } for idx, rules := range rulesByParagraph { - if err := rules.Validate(); err != nil { - return "", err - } aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1) 
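Review bot: Dropping the `rules.Validate()` call in `formatFile` means `aa --format` now merges, sorts and rewrites a profile whose rules were never validated, so a malformed rule is silently normalised back into the file instead of being reported; unless validation has moved into `Merge()`/`Format()` in the `aa` package (not visible here), I would keep `if err := rules.Validate(); err != nil { return "", err }` ahead of the in-place rewrite. `formatFile` starts and ends outside this hunk. A pre-existing wrinkle in the same loop: `strings.Replace(…, -1)` substitutes every occurrence of the paragraph text, so two identical paragraphs are both rewritten when the first is processed — harmless for well-formed profiles, but worth a comment.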
@@ -139,7 +135,7 @@ func aaFormat(files paths.PathList) error { if !file.Exist() { return nil } - profile, err := util.ReadFile(file) + profile, err := file.ReadFileAsString() if err != nil { return err } @@ -199,14 +195,18 @@ func main() { case format: files, err = pathsFromArgs() if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } err = aaFormat(files) + case tree: err = aaTree() + + default: + flag.Usage() } if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index c39d4cbbd..91f77e2e0 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go 
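Review bot: The new `default: flag.Usage()` branch in `main` leaves `err` nil, so an invocation matching none of the modes prints the usage and exits 0; a CLI that scripts may drive should signal failure there, e.g. `default: flag.Usage(); os.Exit(1)` (if `os` is imported — the import list is outside this hunk) or by assigning an error to `err`. The change to `logging.Fatal("%s", err.Error())` is a genuine fix: an error text containing `%` (a path, say) was previously interpreted as a format string. `main` begins outside the hunk.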
@@ -5,92 +5,68 @@ package main import ( - "flag" - "fmt" - "os" + "slices" - "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) -const usage = `prebuild [-h] [--full] [--complain | --enforce] - - Prebuild apparmor.d profiles for a given distribution and apply - internal built-in directives. - -Options: - -h, --help Show this help message and exit. - -f, --full Set AppArmor for full system policy. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - --abi4 Convert the profiles to Apparmor abi/4.0. - -` - -var ( - help bool - full bool - complain bool - enforce bool - abi4 bool -) - +// Cli arguments have priority over the settings entered here func init() { - flag.BoolVar(&help, "h", false, "Show this help message and exit.") - flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") - flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") - flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") - flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") - flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") - flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") - flag.BoolVar(&abi4, "abi4", false, "Convert the profiles to Apparmor abi/4.0.") -} + // Define the default ABI + prebuild.ABI = 4 -func aaPrebuild() error { - logging.Step("Building apparmor.d profiles for %s.", cfg.Distribution) + // Define the tasks applied by default + prepare.Register( + "synchronise", // Initialize a new clean apparmor.d build directory + 
"ignore", // Ignore profiles and files from dist/ignore + "merge", // Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory + "configure", // Set distribution specificities + "setflags", // Set flags as definied in dist/flags + "overwrite", // Overwrite dummy upstream profiles + "systemd-default", // Set systemd unit drop in files for dbus profiles + ) - if full { - prepare.Register("fsp") - builder.Register("fsp") - } else { - prepare.Register("systemd-early") + // Build tasks applied by default + builder.Register( + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + ) + + // Compatibility with AppArmor 3 + switch prebuild.Distribution { + case "arch": + prebuild.ABI = 3 + + case "ubuntu": + if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) { + prebuild.ABI = 3 + } + + case "debian": + prebuild.ABI = 3 + + case "whonix": + prebuild.ABI = 3 + + // Hide rewrittem Whonix profiles + prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure + /etc/apparmor.d/home.tor-browser.firefox + /etc/apparmor.d/tunables/homsanitycheck + /etc/apparmor.d/usr.bin.url_e.d/anondist + /etc/apparmor.d/tunables/home.d/live-mode + /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist + /etc/apparmor.d/usr.bin.hexchat + /etc/apparmor.d/usr.bin.sdwdate + /etc/apparmor.d/usr.bin.systemcheck + /etc/apparmor.d/usr.bin.timeto_unixtime + /etc/apparmor.d/whonix-firewall + ` } - - if complain { - builder.Register("complain") - } else if enforce { - builder.Register("enforce") - } - - if abi4 { - builder.Register("abi3") - } - - if err := prebuild.Prepare(); err != nil { - return err - } - return prebuild.Build() } func main() { - flag.Usage = func() { - fmt.Printf("%s%s\n%s\n%s", usage, - cfg.Help("Prepare", prepare.Tasks), - cfg.Help("Build", builder.Builders), - cfg.Usage("Directives", directive.Directives), - ) - } - flag.Parse() - if help { - flag.Usage() - os.Exit(0) - } - if err 
:= aaPrebuild(); err != nil { - logging.Fatal(err.Error()) - } + cli.Prebuild() } diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go index 8e80c3ab3..d3c28f025 100644 --- a/cmd/prebuild/main_test.go +++ b/cmd/prebuild/main_test.go @@ -9,9 +9,7 @@ import ( "os/exec" "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func chdirGitRoot() { @@ -26,64 +24,33 @@ func chdirGitRoot() { } } -func Test_AAPrebuild(t *testing.T) { +func Test_main(t *testing.T) { tests := []struct { - name string - wantErr bool - full bool - complain bool - dist string + name string + dist string }{ { - name: "Build for Archlinux", - wantErr: false, - full: false, - complain: true, - dist: "arch", + name: "Build for Archlinux", + dist: "arch", }, { - name: "Build for Ubuntu", - wantErr: false, - full: true, - complain: false, - dist: "ubuntu", + name: "Build for Ubuntu", + dist: "ubuntu", }, { - name: "Build for Debian", - wantErr: false, - full: true, - complain: false, - dist: "debian", + name: "Build for Debian", + dist: "debian", }, { - name: "Build for OpenSUSE Tumbleweed", - wantErr: false, - full: true, - complain: true, - dist: "opensuse", + name: "Build for OpenSUSE Tumbleweed", + dist: "opensuse", }, - // { - // name: "Build for Fedora", - // wantErr: true, - // full: false, - // complain: false, - // dist: "fedora", - // }, } chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - if tt.full { - prepare.Register("fsp") - builder.Register("fsp") - } - if tt.complain { - builder.Register("complain") - } - if err := aaPrebuild(); (err != nil) != tt.wantErr { - t.Errorf("aaPrebuild() error = %v, wantErr %v", err, tt.wantErr) - } + prebuild.Distribution = tt.dist + main() }) } } 
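Review bot: The Ubuntu branch in `init` keeps ABI 3 for every release that is not `noble`, so the next Ubuntu release (and every later one) will silently be built as ABI 3 although it ships the AppArmor 4 userspace; the list should name the releases that still need ABI 3 instead, e.g. `if slices.Contains([]string{"focal", "jammy"}, prebuild.Release["VERSION_CODENAME"]) { prebuild.ABI = 3 }`. Two smaller things in the Whonix branch: the comment reads `rewrittem`, and `tunables/homsanitycheck` looks like it may be missing an `e` — worth checking against the paths Whonix actually ships, because a mistyped entry means that upstream profile is not hidden. The raw string assigned to `prebuild.Hide` also carries each continuation line's leading indentation, which is only safe if the consumer splits on `strings.Fields` or trims every entry.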
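Review bot: `Test_main` sets `prebuild.Distribution` after package initialisation, but the ABI choice and the Whonix `Hide` list are computed in `init()` from the distribution detected on the host, so every subtest runs with the host's ABI and hide settings rather than the ones implied by `tt.dist`; moving the per-distribution branches into a function the test calls after setting the distribution would make the matrix meaningful again. Replacing the `(err != nil) != tt.wantErr` check with a bare `main()` call also means a build failure surfaces through whatever `cli.Prebuild` does on error — presumably `logging.Fatal`, i.e. `os.Exit` — which terminates the whole test binary instead of failing the subtest; an error-returning entry point would restore a proper `t.Errorf`.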
diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index b00b12eca..339d88036 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -51,4 +51,6 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||: %dir /usr/share/zsh/site-functions /usr/share/zsh/site-functions/_aa-log.zsh +%doc %{_mandir}/man8/aa-log.8.gz + %changelog diff --git a/dists/build.sh b/dists/build.sh index a566291bd..523bf8ca4 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -8,7 +8,7 @@ set -eu -o pipefail readonly COMMAND="$1" -readonly OUTPUT="${PKGDEST:-$PWD}" +readonly OUTPUT="$PWD/.pkg" readonly PKGNAME=apparmor.d VERSION="0.$(git rev-list --count HEAD)" readonly VERSION diff --git a/dists/docker.sh b/dists/docker.sh index 500918c5f..4dd958759 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -12,6 +12,8 @@ readonly PREFIX="builder-" readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp +readonly OUTDIR=".pkg" +readonly OUTPUT="$PWD/$OUTDIR" readonly COMMAND="$1" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" @@ -62,7 +64,7 @@ build_in_docker_makepkg() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg - mv "$VOLUME/$PKGNAME"-*.pkg.* . + mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME"-*.pkg.* "$OUTPUT" } build_in_docker_dpkg() { @@ -85,7 +87,7 @@ build_in_docker_dpkg() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh dpkg - mv "$VOLUME/$PKGNAME/${PKGNAME}_${VERSION}-1"_*.* . + mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}_${VERSION}-1"_*.* "$OUTPUT" } build_in_docker_rpm() { 
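Review bot: `readonly OUTPUT="$PWD/.pkg"` in build.sh drops the `PKGDEST` override, so any caller that still exports `PKGDEST` is now silently ignored and the artefacts land relative to whatever the current directory happens to be; `readonly OUTPUT="${PKGDEST:-$PWD/.pkg}"` keeps the new default without losing the override. The docker.sh hunks move artefacts with `mv … "$OUTPUT"`, which requires the directory to exist — the `mkdir -p` added further down in docker.sh covers that path, but build.sh should create its own output directory before packaging if it does not already (not visible in this hunk).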
@@ -104,14 +106,14 @@ build_in_docker_rpm() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm - mv "$VOLUME/$PKGNAME/$PKGNAME-$VERSION-"*.rpm . + mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-$VERSION-"*.rpm "$OUTPUT" } main() { case "$COMMAND" in archlinux) # build_in_docker_makepkg "$COMMAND" - PKGDEST=. makepkg -Cf + PKGDEST="$OUTPUT" makepkg -Cf ;; debian | ubuntu | whonix) @@ -128,4 +130,5 @@ main() { esac } +mkdir -p "$OUTPUT" main "$@" diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index b94fae2c2..8910bb280 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags @@ -1,15 +1,4 @@ -archlinux-keyring-wkd-sync complain +aurpublish complain makepkg complain mkinitcpio attach_disconnected,complain pacman attach_disconnected,complain -pacman-conf attach_disconnected,complain -pacman-hook-dconf complain -pacman-hook-depmod complain -pacman-hook-dkms attach_disconnected,complain -pacman-hook-fontconfig complain -pacman-hook-gio complain -pacman-hook-gtk complain -pacman-hook-mkinitcpio attach_disconnected,complain -pacman-hook-perl complain -pacman-hook-systemd attach_disconnected,complain -pacman-key complain diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index b659675b6..5e29c0153 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags @@ -1,3 +1,4 @@ +apt-helper complain dhclient complain dhclient-script complain dpkg complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 57862b8ce..ac4547850 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -9,8 +9,7 @@ systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-load complain -acpid attach_disconnected,complain +aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain 
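Review bot: Removing the `pacman-key`, `pacman-conf`, `pacman-hook-*` and `archlinux-keyring-wkd-sync` lines from arch.flags moves those profiles from complain to enforce (assuming dists/flags is the only place the flag is set and the profiles still exist), and `pacman-hook-dkms`, `pacman-hook-mkinitcpio` and `pacman-hook-systemd` also lose `attach_disconnected`; these all run as root inside every pacman transaction, so one missing rule now aborts a system upgrade instead of logging. I would only flip them after a full `pacman -Syu` on a test machine with `aa-log` clean, and keep e.g. `pacman-hook-mkinitcpio attach_disconnected` for the hooks that had it unless the profiles now declare the flag themselves. The same remark applies to `aa-load` and `acpid`, dropped from main.flags in this chunk.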
@@ -28,14 +27,9 @@ akonadi_newmailnotifier_agent complain akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain -alacarte complain anacron complain -appimagelauncherd complain -apport attach_disconnected,complain -apt-helper complain at complain atd complain -atril-previewer complain auditctl attach_disconnected,complain auditd attach_disconnected,complain augenrules attach_disconnected,complain @@ -47,13 +41,11 @@ avahi-set-host-name complain baloo complain baloorunner complain busctl complain +calibre complain cc-remote-login-helper complain cctk complain child-modprobe-nvidia attach_disconnected,complain child-open attach_disconnected,complain -child-open-any attach_disconnected,complain -child-open-browsers attach_disconnected,complain -chronyd attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain @@ -64,7 +56,6 @@ cockpit-ssh complain cockpit-tls attach_disconnected,complain cockpit-ws complain cockpit-wsinstance-factory complain -ctop complain cups-backend-beh complain cups-backend-bluetooth complain cups-backend-brf complain @@ -87,12 +78,15 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +dino attach_disconnected,complain +discord complain +discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain +dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain -dpkg-genbuildinfo complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain @@ -104,6 +98,7 @@ evolution-user-prompter complain fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain +filezilla complain firewall-applet attach_disconnected,complain firewall-config complain firewalld attach_disconnected,complain 
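Review bot: `chronyd attach_disconnected,complain`, `child-open-any` and `child-open-browsers` are removed here, which (if the flags file is the only source of flags) puts them in enforce mode without `attach_disconnected`; if chronyd's unit uses mount-namespace hardening, disconnected paths are exactly what that flag was covering, and a denial there silently degrades time sync rather than logging it. Please confirm the flag now lives in the profile itself, or re-add `chronyd attach_disconnected`. Moving `apport` and `apt-helper` to the Ubuntu/Debian flag files reads as intended.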
@@ -115,14 +110,14 @@ flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -foliate attach_disconnected,complain -fractal attach_disconnected,complain +fstrim complain fuse-overlayfs complain fusermount complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain +gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain @@ -135,11 +130,9 @@ gnome-initial-setup complain gnome-music attach_disconnected,complain gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-session complain gnome-software complain gnome-system-monitor attach_disconnected,complain gnome-terminal-server complain -gnome-text-editor complain gnome-tweaks complain grub-bios-setup complain grub-editenv complain @@ -182,7 +175,6 @@ hyprpm complain ibus-engine-table complain ibus-memconf attach_disconnected,complain im-launch complain -init-exim4 complain install-info complain iwctl complain iwd complain @@ -208,7 +200,6 @@ kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain -kmod attach_disconnected,complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain 
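Review bot: `kmod attach_disconnected,complain` is dropped in the last hunk, so the profile covering modprobe/insmod/depmod goes to enforce with no flags; kmod is invoked by the kernel's usermode helper and by udev during early boot, and a denied module load fails closed, which can leave a machine without its storage, crypto or filesystem module before the root filesystem is up. I would verify with `aa-log kmod` across a full reboot before enforcing, and re-add `attach_disconnected` unless the profile now carries it, since paths seen from a kernel-spawned helper can be disconnected from the namespace root. `gnome-session` and `gnome-text-editor` go to enforce the same way; the session manager is another fail-closed spot that deserves a login/logout test.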
@@ -244,27 +235,19 @@ ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain -netplan complain netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain nm-openvpn-service-openvpn-helper complain nm-priv-helper complain -nmap complain nmcli complain nvidia-detector complain nvidia-persistenced complain -nvidia-smi complain -okular complain ollama attach_disconnected,complain os-prober attach_disconnected,complain -package-data-downloader complain -packagekitd attach_disconnected,complain -pacman-hook-dkms complain pam_kwallet_init complain pam-tmpdir-helper complain -passim complain passimd attach_disconnected,complain pidof complain pkttyagent complain @@ -278,7 +261,6 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted qdbus complain -realmd complain remmina complain run-parts complain runuser complain @@ -287,6 +269,8 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain +signal-desktop attach_disconnected,complain +signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain snap complain @@ -301,6 +285,7 @@ snapd complain snapd-apparmor complain snapd-core-fixup complain snapshot complain +speech-dispatcher complain ssservice complain startplasma complain startx attach_disconnected,complain 
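Review bot: `packagekitd attach_disconnected,complain`, `netplan`, `realmd` and `nmap` lose their complain flag in these hunks; packagekitd is the root daemon that gnome-software/discover use to install and upgrade packages, so an incomplete enforced profile turns into a broken update path on desktops, and dropping `attach_disconnected` matters for it as well because package maintainer scripts run in its context. Unless these profiles have been reworked to declare their flags, I would keep at least `packagekitd attach_disconnected` and enforce only after driving a real install/upgrade through PackageKit with `aa-log` empty. `package-data-downloader` and `pacman-hook-dkms` look like intentional moves to the distribution-specific flag files.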
@@ -315,23 +300,18 @@ steam-runtime attach_disconnected,complain steamerrorreporter attach_disconnected,complain strawberry attach_disconnected,mediate_deleted,complain sulogin complain -switcherooctl complain swtpm complain swtpm_ioctl complain swtpm_localca complain swtpm_setup complain systemd-analyze complain systemd-ask-password complain -systemd-battery-check complain systemd-binfmt attach_disconnected,complain -systemd-bsod complain systemd-cgls complain systemd-cgtop complain -systemd-coredump attach_disconnected,mediate_deleted,complain systemd-cryptsetup complain systemd-dissect attach_disconnected,complain systemd-escape complain -systemd-firstboot complain systemd-generator-bless-boot attach_disconnected,complain systemd-generator-cloud-init attach_disconnected,complain systemd-generator-cryptsetup attach_disconnected,complain @@ -355,7 +335,6 @@ systemd-homework complain systemd-inhibit attach_disconnected,complain systemd-mount complain systemd-network-generator complain -systemd-pcrphase complain systemd-portabled complain systemd-remount-fs complain systemd-resolve complain @@ -366,15 +345,18 @@ systemd-udevd attach_disconnected,complain systemd-user-sessions complain systemd-userwork attach_disconnected,complain systemsettings complain +telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain udev-dmi-memory-id complain udisksctl complain udisksd attach_disconnected,complain +ufw complain update-grub complain update-secureboot-policy complain userdbctl complain utempter attach_disconnected,complain +veracrypt complain virt-manager attach_disconnected,complain virtinterfaced attach_disconnected,complain virtiofsd complain,attach_disconnected diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index c491729dc..a6d6bcc85 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags 
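Review bot: `systemd-coredump attach_disconnected,mediate_deleted,complain`, `systemd-pcrphase`, `systemd-firstboot`, `systemd-bsod` and `systemd-battery-check` are dropped, so they go to enforce with no flags, and two of them fail closed in ways that are easy to miss. systemd-coredump is spawned by the kernel through `core_pattern` for any crashing process and needs `attach_disconnected`/`mediate_deleted` to read the crashing process's (often already unlinked) files, so a denial simply loses the crash dump; systemd-pcrphase extends TPM PCRs at boot phases, and if it is denied, any disk-unlock or attestation policy bound to those PCRs fails on the next boot. I would keep `systemd-coredump attach_disconnected,mediate_deleted` at least unless the profile now declares the flags, and test a forced crash plus a reboot on a TPM-backed machine before shipping.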
@@ -1,15 +1,18 @@ +apport attach_disconnected,complain apport-checkreports complain apport-gtk complain apt-esm-hook complain apt-esm-json-hook complain +apt-helper complain check-new-release-gtk complain do-release-upgrade complain +dpkg-genbuildinfo complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain notify-reboot-required complain +package-data-downloader complain package-system-locked attach_disconnected,complain -pro complain release-upgrade-motd complain software-properties-gtk complain ubuntu-advantage complain diff --git a/dists/flags/whonix.flags b/dists/flags/whonix.flags index bbb744355..dc984d690 100644 --- a/dists/flags/whonix.flags +++ b/dists/flags/whonix.flags @@ -1,4 +1,6 @@ anondate complain +apt-helper complain +dpkg-genbuildinfo complain msgcollector complain msgcollector-br-add complain msgcollector-generic-gui-message complain @@ -28,8 +30,10 @@ torbrowser-plugin-container complain torbrowser-start complain torbrowser-updater complain torbrowser-updater-permission-fix complain +torbrowser-updater-permission-fix complain torbrowser-vaapitest complain torbrowser-wrapper complain +torbrowser-wrapper complain whonix-firewall-edit complain whonix-firewall-restarter complain whonix-firewalld complain diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index 9843d249a..bfd8998ae 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore @@ -1,6 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # Ubuntu specific definition apparmor.d/groups/ubuntu diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index fe61aaf2f..917b117f1 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -5,11 +5,6 @@ # when built with 'make full' apparmor.d/groups/_full -# Apps that should be sandboxed -apparmor.d/groups/apps -code -code-wrapper - # Provided by other packages man 
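Review bot: The whonix.flags hunk adds `torbrowser-updater-permission-fix complain` and `torbrowser-wrapper complain` directly beneath identical existing lines, producing duplicate entries; drop the two added lines, since the first occurrence already sets the flag and a duplicate either errors or silently wins depending on how the flags file is parsed. Related: `dpkg-genbuildinfo complain` is re-added to ubuntu.flags and whonix.flags after its removal from main.flags but not to debian.flags, so on Debian that profile goes to enforce while its derivatives stay in complain — likely an oversight unless the Debian build drops the profile. The main.ignore hunk un-ignores `apparmor.d/groups/apps` (`code`, `code-wrapper`), so those profiles now ship; make sure they have a flags entry if they are meant to start in complain.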
diff --git a/dists/ignore/opensuse.ignore b/dists/ignore/opensuse.ignore index 0d393c6c1..7f79b77ef 100644 --- a/dists/ignore/opensuse.ignore +++ b/dists/ignore/opensuse.ignore @@ -1,6 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # Debian specific definition apparmor.d/groups/apt diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 714fa3273..eb0df718f 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -1,7 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/etc/xdg/autostart/apparmor-notify.desktop -root/usr/share/libalpm +share/libalpm # OpenSUSE specific definition apparmor.d/groups/suse diff --git a/dists/ignore/whonix.ignore b/dists/ignore/whonix.ignore index 5370a0f95..959f8ce6e 100644 --- a/dists/ignore/whonix.ignore +++ b/dists/ignore/whonix.ignore @@ -1,6 +1,6 @@ # Archlinux specific definition apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # OpenSUSE specific definition apparmor.d/groups/suse diff --git a/dists/overwrite b/dists/overwrite index bea6d574b..767c07312 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -5,6 +5,7 @@ brave chrome +chromium element-desktop epiphany firefox @@ -15,8 +16,10 @@ msedge nautilus opera plasmashell +signal-desktop slirp4netns systemd-coredump thunderbird +transmission unix-chkpwd virtiofsd diff --git a/dists/ubuntu/abstractions/trash b/dists/ubuntu/abstractions/trash index aab16b92c..d9ad01221 100644 --- a/dists/ubuntu/abstractions/trash +++ b/dists/ubuntu/abstractions/trash @@ -1,4 +1,4 @@ -abi , +abi , # requires diff --git a/docs/abbreviations.md b/docs/abbreviations.md new file mode 100644 index 000000000..32f567afe --- /dev/null +++ b/docs/abbreviations.md @@ -0,0 +1,5 @@ + +*[MAC]: Mandatory Access Control +*[W^X]: Write XOR Execute +*[FSP]: Full System Policy +*[AppArmor tunables]: AppArmor global variables 
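Review bot: The `abi` value in dists/ubuntu/abstractions/trash has been stripped by the rendering (`-abi ,` / `+abi ,`), so I cannot see what it changed to, but whatever it is must parse on every Ubuntu release this file is built for: the prebuild changes in this same commit keep ABI 3 for all non-noble releases, and a hardcoded `abi <abi/4.0>,` in an Ubuntu-specific abstraction would be rejected by the older parser there. If ABI 4 is meant for noble only, the abstraction should follow `prebuild.ABI` rather than a literal. The additions to dists/overwrite (`chromium`, `signal-desktop`, `transmission`) replace the distribution-shipped profiles with this project's; that is the file's purpose, but each replacement should be checked to be at least as tight as the profile it displaces.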
diff --git a/docs/assets/stylesheets/extra.css b/docs/assets/stylesheets/extra.css index 3b0fc1db6..8691707db 100644 --- a/docs/assets/stylesheets/extra.css +++ b/docs/assets/stylesheets/extra.css @@ -4,9 +4,58 @@ --md-footer-fg-color--lighter: #b6b6b6; --md-footer-bg-color: transparent; --md-footer-bg-color--dark: transparent; + --pg-purple: #603aa0; + --pg-red: #c0322f; + --pg-orange: #ac2f09; + --pg-teal: #04756a; + --pg-brown: #8d6e62; + --pg-blue: #0e66ae; + --pg-green: #2e7e31; + --pg-blue-gray: #546d78; } [data-md-color-scheme=slate] { --md-footer-bg-color: transparent; --md-footer-bg-color--dark: var(--md-default-bg-color--darkest); -} \ No newline at end of file + --pg-purple: #af94de; + --pg-red: #ff6c6a; + --pg-orange: #e97b5a; + --pg-teal: #8dc6c1; + --pg-brown: #4b1d0b; + --pg-blue: #74b9f1; + --pg-green: #72cd75; + --pg-blue-gray: #9ab2bc; +} + +/* Badge colors */ +.pg-purple { + color: var(--pg-purple); +} + +.pg-red { + color: var(--pg-red); +} + +.pg-orange { + color: var(--pg-orange); +} + +.pg-teal { + color: var(--pg-teal); +} + +.pg-brown { + color: var(--pg-brown); +} + +.pg-blue { + color: var(--pg-blue); +} + +.pg-green { + color: var(--pg-green); +} + +.pg-blue-gray { + color: var(--pg-blue-gray); +} diff --git a/docs/configuration.md b/docs/configuration.md index e784dcb82..e3fbba5ea 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -2,107 +2,206 @@ title: Configuration --- -## AppArmor - -As there are a lot of rules, it is recommended to enable caching AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`. - -```sh -echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf -echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf -``` - -!!! info - - See [Speed up AppArmor Start] on the Arch Wiki for more information: - [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles - - -## Personal directories +This project is designed in such a way that it is easy to personalize it to fit any system. +It is mostly done by setting personalized XDG like directories in AppArmor tunables. More advanced configuration can be done by adding your own rules in local profile addition. !!! danger - You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. + You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. -This project is designed in such a way that it is easy to personalize the directories your programs have access by defining a few variables. + This part is vital to ensure that the profiles are correctly configured for your system. It will lead to breakage if not done correctly. -The profiles heavily use the (largely extended) XDG directory variables defined in the **[Variables Reference](variables.md)** page. -??? note "XDG variables overview" +## Personalize Apparmor - See **[Variables Reference](variables.md)** page for more. 
+### Tunables - | Description | Name | Value | - |-------------|:----:|---------| - | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | - | Download | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | - | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | - | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | - | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | - | Music | `@{XDG_MUSIC_DIR}` | `Music` | - | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | - | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | - | Books | `@{XDG_BOOKS_DIR}` | `Books` | - | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | - | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | - | Sync | `@{XDG_SYNC_DIR}` | `Sync` | - | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | - | Vm | `@{XDG_VM_DIR}` | `.vm` - | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | +The profiles heavily use the **largely extended** [XDG directory variables](#xdg-variables). All the variables are list you can append with your own values. -You can personalize these values. +1. First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: + ```sh + sudo mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d + ``` +2. Then create a `local` addition file in it where you define your own personal directories. *Example:* + ```sh + @{XDG_VIDEOS_DIR}+="Films" + @{XDG_MUSIC_DIR}+="Musique" + @{XDG_PICTURES_DIR}+="Images" + @{XDG_BOOKS_DIR}+="BD" "Comics" + @{XDG_PROJECTS_DIR}+="Git" "Papers" + ``` +3. Then restart the AppArmor service to reload the profiles in the kernel: + ```sh + sudo systemctl restart apparmor.service + ``` -First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: -``` -sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d -``` -Then create a `local` addition file in it where you define your own personal -directories. 
Example: -```sh -@{XDG_VIDEOS_DIR}+="Films" -@{XDG_MUSIC_DIR}+="Musique" -@{XDG_PICTURES_DIR}+="Images" -@{XDG_BOOKS_DIR}+="BD" "Comics" -@{XDG_PROJECTS_DIR}+="Git" "Papers" -``` +### Profile Additions -Then restart the AppArmor service to reload the profiles in the kernel: -```sh -sudo systemctl restart apparmor.service -``` +You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of the profile you want to personalize. -**Examples** +**Example** + +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: + +1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: + ```sh + /** r, + ``` + You call also restrict this to specific directories: + ```sh + /etc/** r, + /srv/** r, + /var/** r, + ``` +2. Then restart the AppArmor service to reload the profiles in the kernel: + ```sh + sudo systemctl restart apparmor.service + ``` + +### XDG variables + +Please ensure that all personal directories you are using are well-defined XDG directory defined below. If not, personalize the [variables](#tunables) to your own settings. + +??? quote "**User directories**" + +
+ + | Description | Name | Default Value(s) | + |-------------|------|---------------| + | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | + | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | + | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | + | Music | `@{XDG_MUSIC_DIR}` | `Music` | + | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | + | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | + | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | + | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | + | Books | `@{XDG_BOOKS_DIR}` | `Books` | + | Games | `@{XDG_GAMES_DIR}` | `.games` | + | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | + | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | + | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | + | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | + | Work | `@{XDG_WORK_DIR}` | `Work` | + | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | + | Sync | `@{XDG_SYNC_DIR}` | `Sync` | + | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | + | Vm | `@{XDG_VM_DIR}` | `.vm` | + | Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | + | Disk images | `@{XDG_IMG_DIR}` | `images` | + | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | + +
+ +??? quote "**Dotfiles**" + +
+ + | Description | Name | Default Value(s) | + |-------------|------|------------------| + | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | + | Config | `@{XDG_CONFIG_DIR}` | `.config` | + | Data | `@{XDG_DATA_DIR}` | `.local/share` | + | State | `@{XDG_STATE_DIR}` | `.local/state` | + | Bin | `@{XDG_BIN_DIR}` | `.local/bin` | + | Lib | `@{XDG_LIB_DIR}` | `.local/lib` | + | GPG | `@{XDG_GPG_DIR}` | `.gnupg` | + | SSH | `@{XDG_SSH_DIR}` | `.ssh` | + | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | + | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | + +
+ +??? quote "**Full configuration path**" + +
+ + | Description | Name | Default Value(s) | + |-------------|:----:|---------------| + | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | + | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | + | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | + | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | + | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | + | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | + | Build | `@{user_build_dirs}` | `/tmp/build/` | + | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | + +
+ +??? quote "**Full user path**" + +
+ + | Description | Name | Default Value(s) | + |-------------|:----:|---------------| + | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | + | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | + | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | + | Pictures | `@{user_pictures_dirs}` | `@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` | + | Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | + | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | + | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | + | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | + | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | + | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | + | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | + | Public | `@{user_publicshare_dirs}` | `@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` | + | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | + | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | + | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | + | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | + | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | + | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | + +
+ +System variables can also be personalized, they are defined in the **[Variables Reference](variables.md)** page. + + +## Program Personalization + +### Examples + +All profiles use the variables defined above. Therefore, you can personalize them by setting your own values in `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`. - For git support, you may want to add your `GO_PATH` in the `XDG_PROJECTS_DIR`: ```sh @{XDG_PROJECTS_DIR}+="go" ``` + - If you use Keepass, personalize `XDG_PASSWORD_STORE_DIR` with your password directory. Eg: ```sh @{XDG_PASSWORD_STORE_DIR}+="@{HOME}/.keepass/" ``` + - Add pacman integration with your AUR helper. Eg for `yay`: ```sh @{user_pkg_dirs}+=@{user_cache_dirs}/yay/ ``` -## Local profile extensions +### Mount points -You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of your profile. For example, to extend the `foo` profile, create a file `/etc/apparmor.d/local/foo` and add your rules in it. +Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk on a different location, you can add it to the `@{MOUNTS}` variable. **Example** -- `child-open`, a profile that allows other program to open resources (URL, picture, books...) with some predefined GUI application. To allow it to open URLs with Firefox, create the file `/etc/apparmor.d/local/child-open` with: - ```sh - @{bin}/firefox rPx, - ``` +If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: +```sh +@{MOUNT}+=/ssd/ +``` -!!! note + -!!! info +### File browsers - `rPx` allows transition to the Firefox profile. Use `rPUx` to allow transition to an unconfined state if you do not have the profile for a given program. +All supported file browsers (`nautilus`, `dolphin`, `thunar`) are configured to only access user files. 
If you want to allow access to system files, you can create a local profile addition file for the file browser you are using. +### Games -Then, reload the AppArmor rules with `sudo systemctl restart AppArmor`. +In order to not allow access to user data, game profiles use the `@{XDG_GAMESSTUDIO_DIR}` variable. It may need to be expanded with other game studio directory. The default is `@{XDG_GAMESSTUDIO_DIR}="unity3d"`. + +The `@{XDG_GAMES_DIR}` variable is used to define the game directory such as steam storage directory. If your steam storage is on another drive, you should personalize `@{user_games_dirs}` instead. diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 82c7f4b04..9390945f8 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md 
@@ -43,9 +43,67 @@ A full set of rules for all chromium based browsers. It works as a *function* an If your application requires chromium to run use [`common/chromium`](#commonchromium) or [`common/electron`](#commonelectron) instead. +### **`app/firefox`** + +Similar to `app/chromium` but for Firefox based browsers (and thunderbird). It requires the same *arguments* as `app/chromium`: + + +## Context helper + +These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case. + +### **`app/editor`** + +A minimal set of rules for profiles including terminal editor. It is intended to be used in profiles or sub-profiles that need to edit file using the user editor of choice. The following editors are supported: + +- neo vim +- vim +- nano + +```sh + @{editor_path} rCx -> editor, + + profile editor { + include + include + + include if exists _editor> + } +``` + +### **`app/kmod`** + +A minimal set of rules for profiles that need to load kernel modules. It is intended to be used in profiles or sub-profiles that need to load kernel modules for a very specific action: + +```sh + @{bin}/modprobe rCx -> kmod, + + profile kmod { + include + include + + include if exists _kmod> + } +``` + +### **`app/open`** + +Set of rules for `child-open-*` profiles. It should usually not be used directly in a profile. ### **`app/pgrep`** + Minimal set of rules for pgrep/pkill. It is intended to be used in profiles or sub-profiles that need to use `pgrep` or `pkill` for a very specific action: + + ```sh + @{bin}/pgrep rCx -> pgrep, + + profile pgrep { + include + include + + include if exists _pgrep> + } + ``` ### **`app/sudo`** 
@@ -61,9 +119,26 @@ A minimal set of rules for profiles including internal `sudo`. Interactive sudo } ``` + +### **`app/pkexec`** + +A minimal set of rules for profiles including internal `pkexec`. Like `app/sudo`, it should be used in profiles or sub-profiles that need to elevate their privileges using `pkexec` for a very specific action: + +```sh + @{bin}/pkexec rCx -> pkexec, + + profile pkexec { + include + include + + include if exists _pkexec> + } +``` + ### **`app/systemctl`** -An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: +An alternative solution for [child-systemctl](internal.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: + ```sh @{bin}/systemctl rCx -> systemctl, @@ -75,6 +150,20 @@ An alternative solution for [child-systemctl](structure.md#children-profiles), w } ``` +### **`app/udevadm`** + +A minimal set of rules for profiles including internal `udevadm` as read-only. It is intended to be used in profiles or sub-profiles that need to use `udevadm` for a very specific action: + +```sh + @{bin}/udevadm rCx -> udevadm, + + profile udevadm { + include + include + + include if exists _udevadm> + } +``` ## Common Dependencies 
@@ -122,6 +211,15 @@ A minimal set of rules for all electron based UI applications. It works as a *fu @{cache_dirs} = @{user_cache_dirs}/@{name} ``` +### **`common/game`** + +Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction. + +This abstraction uses the following tunables: + +- `@{XDG_GAMESSTUDIO_DIR}` for game studio and game engines specific directories (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`) +- `@{user_games_dirs}` for user specific game directories (e.g.: steam storage dir) + ### **`common/systemd`** Common set of rules for internal systemd suite. @@ -198,6 +296,9 @@ Common rules for interactive shell using bash. Common rules for interactive shell using zsh. +### **`fish`** + +Common rules for interactive shell using fish. ## System @@ -213,6 +314,10 @@ Use this abstraction instead of upstream `abstractions/nameservice` as upstream Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. +### **`app-launcher-root`** + +### **`app-launcher-user`** + ## Devices diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 98b46501c..e4133e5d1 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md 
@@ -26,6 +26,11 @@ Access to common dbus interfaces is done using the abstractions under **[`abstra For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive. +There is a trade of between security and maintenance to make: + +- `aa:dbus talk` will generate less issue as it gives full talk access +- `abstractions/bus/*` will provide more restriction, and possibly more issue. In the future, these rules will be automatically generated from the interface documentation. + ## Dbus Directive We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is on purpose very similar to the AppArmor dbus rule. diff --git a/docs/development/directives.md b/docs/development/directives.md index 9cff8840e..53c7e7dcd 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md @@ -40,6 +40,7 @@ The `only` and `exclude` directives can be used to filter individual rule or rul - A supported target distribution: `arch`, `debian`, `ubuntu`, `opensuse`, `whonix`. - A supported distribution family: `apt`, `pacman`, `zypper`. + - A supported ABI: `abi3`, `abi4`. **Example** @@ -63,7 +64,7 @@ The `only` and `exclude` directives can be used to filter individual rule or rul ## Exec -The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directives parse and resolve the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile. +The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directive parses and resolves the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile. **Format** 
@@ -103,7 +104,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho ## Stack -[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always include the stacked profile rules. This directive automatically include the stacked profile rules into the parent profile. +[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always including access from the *child* profile. In most profile using stacking, the *child* profile is often naturally included in the *parent*. However, sometime the child profile is fully different. This directive automatically include the stacked profile rules into the parent profile. **Format** @@ -115,6 +116,9 @@ The `exec` directive is useful to allow executing transitions to a profile witho : List a profile **files** to stack at the end of the current profile. +**`[X]`** + +: If `X` is set, the directive will conserve the `x` file rules regardless of the transition. It is not enabled by default as it may conflict with the parent profile. Indeed, automatically adding `Px` and `ix` transition in a profile is a very effective way to have conflict between transitions as you can automatically add rule already present in the profile but with another transition (you would then get the AppArmor error: `profile has merged rule with conflicting x modifiers`). **Example** @@ -143,7 +147,6 @@ The `exec` directive is useful to allow executing transitions to a profile witho @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/notify rw, - owner @{run}/systemd/journal/socket w, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.pressure r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, 
diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index b359576aa..f207e58a2 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -11,7 +11,7 @@ The logic behind it is that if a rule is present in a profile, it should only be For example, if a program needs to run executable binaries then the rules allowing it can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It is therefore easy to ensure some profile features such as: * A profile has access to a given resource -* A profile enforces a strict [write xor execute] (W^X) policy. +* A profile enforces a strict [write xor execute](https://en.wikipedia.org/wiki/W%5EX) (W^X) policy. It also improves compatibilities and makes personalization easier thanks to the use of more variables. @@ -78,7 +78,7 @@ The file block should be sorted as follows: The dbus block should be sorted as follows: - The system bus should be sorted *before* the session bus -- The bind rules should be sorted *after* the send & receive rules +- The bind rules should be sorted *after* send & receive rules For DBus, try to determine peer's label when possible. E.g.: ``` 
@@ -115,14 +115,20 @@ If there is no predictable label it can be omitted. /var/lib/dbus/machine-id r, ``` +#### :material-numeric-5-circle: Limit the use of `deny` -## Additional recommended documentation +: The use of `deny` should be limited to the minimum: -* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) -* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) -* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html -* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) -* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) -* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) + - In MAC policies, we only allow access ([Rule :material-numeric-1-circle:](index.md#rule-mandatory-access-control "Mandatory Access Control")) + - `deny` rules are enforced even in complain mode, + - If it works on your machine does not mean it will work on others ([Rule :material-numeric-4-circle:](index.md#rule-distribution-and-devices-agnostic "Distribution and devices agnostic")). + +#### :material-numeric-6-circle: Comments + +: Ensure you only have useful comments. E.g.: + ``` + # Config files for foo + owner @{user_config_dirs}/foo/{,**} r, + ``` + Does not help, and if generalized it would add a lot of complexity to any profiles. -[write xor execute]: https://en.wikipedia.org/wiki/W%5EX diff --git a/docs/development/index.md b/docs/development/index.md index c12226a7a..f44d86aee 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -4,31 +4,38 @@ title: Development If you're looking to contribute to `apparmor.d` you can get started by going to the project [GitHub repository](https://github.com/roddhjav/apparmor.d/)! All contributions are welcome no matter how small. In this page you will find all the useful information needed to contribute to the apparmor.d project. -??? info "How to contribute pull requests" +??? info "How to contribute pull requests?" 1. If you don't have git on your machine, [install it](https://help.github.com/articles/set-up-git/). - 2. Fork this repo by clicking on the fork button on the top of the [project GitHub][project] page. - 3. Clone the forked repository and go to the directory: + 1. Fork this repo by clicking on the fork button on the top of the [project GitHub](https://github.com/roddhjav/apparmor.d) page. + 1. [Generate a new SSH key]( https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) and add it to your GitHub account. + 1. Clone the forked repository and go to the directory: ```sh - git clone https://github.com/your-github-username/apparmor.d.git + git clone git@github.com:your-github-username/apparmor.d.git cd apparmor.d ``` - 4. Create a branch: + 1. Create a branch: ``` git checkout -b my_contribution ``` - 5. Make the changes and commit: + 1. Make the changes and commit: ``` git add git commit -m "A message to sum up my contribution" ``` - 6. Push changes to GitHub: + 1. Push changes to GitHub: ``` git push origin my_contribution ``` - 7. Submit your changes for review: If you go to your repository on GitHub, + 1. Submit your changes for review: If you go to your repository on GitHub, you'll see a Compare & pull request button, fill and submit the pull request. +
+ +- :material-arrow-right:   **[See the workflow to write profiles](workflow.md)** + +
+ ## Project rules 
@@ -55,48 +62,11 @@ If you're looking to contribute to `apparmor.d` you can get started by going to your devices or for your use case. -## Add a profile +## Recommended documentation -!!! danger "Warning" - - Following the [profile guidelines](guidelines.md) is **mandatory** for all new profiles. - - -1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`][profiles-a-f]. - If your profile is part of a large group of profiles, it can also go in - [`apparmor.d/groups`][groups]. - -2. Write the profile content, the rules depend on the confined program, - Here is the bare minimum for the program `foo`: -``` sh -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 You -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/foo -profile foo @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor -``` - - -3. You can automatically set the `complain` flag on your profile by editing the file [`dists/flags/main.flags`][flags] and add a new line with: `foo complain` - -4. Build & install for your distribution. 
- - -[project]: https://github.com/roddhjav/apparmor.d - -[flags]: https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags -[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f -[groups]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups +* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) +* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) +* [SUSE Documentation](https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html) +* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) +* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) +* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) diff --git a/docs/development/install.md b/docs/development/install.md deleted file mode 100644 index 74271c13c..000000000 --- a/docs/development/install.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Installation ---- - -## Development Install - -!!! warning - - Do **not** install this project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream. You have been warned! - - See `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`. - - -**:material-docker: Docker** - -For any system with docker installed you can simply build the package with: -```sh -make package dist= -``` -Then you can install the package with `dpkg`, `pacman` or `rpm`. - -**:material-arch: Arch Linux** -```sh -make pkg -``` - -**:material-ubuntu: Ubuntu & :material-debian: Debian** -```sh -make dpkg -``` - -**:simple-suse: openSUSE** -```sh -make rpm -``` - - -## Profile flags - -Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. - -For instance, to move `adb` in complain mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: -```sh -adb complain -``` - -Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: -```sh -gnome-shell attach_disconnected,mediate_deleted,complain -``` - - -## Ignore profiles - -It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). 
diff --git a/docs/development/integration.md b/docs/development/integration.md index f829fb69f..1e5878aa0 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -74,7 +74,7 @@ All the images come pre-configured with the latest version of `apparmor.d` insta **Usage** -On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two preconfigured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. +On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. ## Tests @@ -118,7 +118,7 @@ Start the tests and collect the results **Tests manifest** -A basic set of test is generated on initialisation. More tests can be manually written in yaml file. They must have the following structure: +A basic set of test is generated on initialization. More tests can be manually written in yaml file. They must have the following structure: ```yaml - name: acpi diff --git a/docs/development/internal.md b/docs/development/internal.md new file mode 100644 index 000000000..459f1ad71 --- /dev/null +++ b/docs/development/internal.md 
@@ -0,0 +1,218 @@
+---
+title: Internal
+---
+
+## Profile Context
+
+These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case.
+
+See [abstractions/app](abstractions.md#context-helper) for more information.
+
+
+## Open Resources
+
+The standard way to allow opening resources such as URL, pictures, video, in this project is to use one of the `child-open` profile available in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group.
+
+**Example:**
+```sh
+@{open_path} rPx -> child-open,
+```
+
+
+### Manual
+
+Directly using any of the following:
+
+- `@{bin}/* PUx,`
+- `include `
+- `include `
+
+Allow every installed program to be started from the current program with or without profile. This is a very permissive rule and should be avoided if possible. They are however legitimately needed for program launcher.
+
+### **`child-open`**
+
+Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
+
+??? quote "[children/child-open](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open)"
+
+ ``` aa
+ # Sandbox managers
+ @{bin}/bwrap rPUx,
+ @{bin}/firejail rPUx,
+ @{bin}/flatpak rPx,
+ @{bin}/snap rPx,
+
+ # Labelled programs
+ @{archive_viewers_path} rPUx,
+ @{browsers_path} rPx,
+ @{document_viewers_path} rPUx,
+ @{emails_path} rPUx,
+ @{file_explorers_path} rPx,
+ @{help_path} rPx,
+ @{image_viewers_path} rPUx,
+ @{offices_path} rPUx,
+ @{text_editors_path} rPUx,
+
+ # Others
+ @{bin}/blueman-tray rPx,
+ @{bin}/discord{,-ptb} rPx,
+ @{bin}/draw.io rPUx,
+ @{bin}/dropbox rPx,
+ @{bin}/element-desktop rPx,
+ @{bin}/extension-manager rPx,
+ @{bin}/filezilla rPx,
+ @{bin}/flameshot rPx,
+ @{bin}/gimp* rPUx,
+ @{bin}/gnome-calculator rPUx,
+ @{bin}/gnome-disk-image-mounter rPx,
+ @{bin}/gnome-disks rPx,
+ @{bin}/gnome-software rPx,
+ @{bin}/gwenview rPUx,
+ @{bin}/kgx rPx,
+ @{bin}/qbittorrent rPx,
+ @{bin}/qpdfview rPx,
+ @{bin}/smplayer rPx,
+ @{bin}/steam-runtime rPUx,
+ @{bin}/telegram-desktop rPx,
+ @{bin}/transmission-gtk rPx,
+ @{bin}/viewnior rPUx,
+ @{bin}/vlc rPUx,
+ @{bin}/xbrlapi rPx,
+
+ # Backup
+ @{lib}/deja-dup/deja-dup-monitor rPx,
+ ```
+
+### **`child-open-browsers`**
+
+ This version of child-open only allow to open browsers.
+
+??? quote "[children/child-open-browsers](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-browsers)"
+
+ ``` aa
+ @{browsers_path} rPx,
+ ```
+
+### **`child-open-help`**
+
+This version of child-open only allow to open browsers and help programs.
+
+??? quote "[children/child-open-help](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-help)"
+
+ ``` aa
+ @{browsers_path} rPx,
+ @{help_path} rPx,
+ ```
+
+### **`child-open-strict`**
+
+This version of child-open only allow to open browsers & folders:
+
+??? quote "[children/child-open-strict](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-strict)"
+
+ ``` aa
+ @{browsers_path} Px,
+ @{file_explorers_path} Px,
+ ```
+
+
+!!! warning
+
+ Although needed to not break a program, wrongly used these profiles can lead to confinment escape.
+
+
+## Children profiles
+
+Usually, a child profile is in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group. They have the following note:
+
+!!! quote
+
+ Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles.
+
+
+
+### **`child-modprove-nvidia`**
+
+Used internally by the `nvidia` abstraction.
+
+### **`child-pager`**
+
+Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. Supported pagers are: `sensible-pager`, `pager`, `less`, and `more`.
+It can be as follows in a profile:
+```
+ @{pager_path} rPx -> child-pager,
+```
+
+### **`child-systemctl`**
+
+Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you.
+
+It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) everything that is not generic and that may require some access (so restart, enable...), while `child-systemctl` can handle the more basic tasks.
+
+
+## Labelled programs
+
+All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and
+[`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path.
+
+## Re-attached path
+
+The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended).
+It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs.
+
+AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provide an important security improvement from AppArmor 3.0.
+
+**`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be:
+
+- `@{att}=/att/` for profile with `attach_disconnect` flag.
+- `@{att}=/` for other profiles
+
+
+## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)")
+
+!!! warning "TODO"
+
+
+## No New Privileges
+
+[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed).
+
+The possible solutions are:
+
+* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)).
+* Inherit the current confinement (`ix`)
+* [Stacking](#stacking)
+
+## Stacking
+
+[Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) of two or more profile is the strict intersection them. It is a way to ensure that a profile never becomes more permissive than the intersection of all profiles in the stack. It provides several abilities to the policy author:
+
+- It can be used to ensure that confinement never becomes more permissive.
+- To reduce the permissions of a generic profile on a specific task.
+- To provide both system level and container and user level policy (when combined with policy namespaces).
+
+!!! note ""
+
+ [apparmor.d/groups/browsers/chromium](https://github.com/roddhjav/apparmor.d/blob/b51576139b3ed3125aaa3ea4d737a77baac0f00e/apparmor.d/groups/browsers/chromium#L25)
+ ``` aa linenums="23"
+ profile chromium @{exec_path} {
+ ...
+ @{lib_dirs}/chrome_crashpad_handler rPx -> chromium//&chromium-crashpad-handler,
+ ...
+ }
+ ```
+
+## Udev rules
+
+See the **[kernel docs](https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt)** to check the major block and char numbers used in `/run/udev/data/`.
+
+Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed:
+
+!!! note ""
+
+ [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188)
+ ``` aa linenums="179"
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ ```
diff --git a/docs/development/recommendations.md b/docs/development/recommendations.md
new file mode 100644
index 000000000..bbe41bc4e
--- /dev/null
+++ b/docs/development/recommendations.md
@@ -0,0 +1,78 @@
+---
+title: Recommendations
+---
+
+## Renaming of profiles
+
+For security reason, once loaded into the kernel, a profile cannot get fully removed. Therefore, by renaming a profile, you create a second profile with the same attachment. AppArmor will not be able to determine witch one to use leading to breakage.
+
+A reboot is required to fully remove the profile from the kernel.
+
+
+## Programs to not confine
+
+Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why.
+
+These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theatre.
+
+It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule:
+```sh
+ /etc/{,**} rw,
+```
+
+However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems:
+
+1. How do we know the exhaustive list of *sensitive files* in `/etc`?
+2. How do we ensure access to these sensitive files is not required?
+3. This breaks the principle of mandatory access control.
+ See the [first rule of this project](index.md#project-rules) which is to only allow
+ what is required. Here we allow everything and blacklist some paths.
+
+It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile:
+
+* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files:
+
+!!! note ""
+
+ [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123)
+ ``` aa linenums="123"
+ profile diff {
+ include
+ include
+
+ @{bin}/ r,
+ @{bin}/pager mr,
+ @{bin}/less mr,
+ @{bin}/more mr,
+ @{bin}/diff mr,
+
+ owner @{HOME}/.lesshs* rw,
+
+ # Diff changed config files
+ /etc/** r,
+
+ # For shell pwd
+ /root/ r,
+
+ }
+ ```
+
+* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager:
+
+!!! note ""
+
+ [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20
+ )
+ ``` aa linenums="20"
+ @{bin}/diff rix,
+ ```
+
+**What if I still want to protect these programs?**
+
+You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox.
+
+!!! example "To sum up"
+
+ 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat`
+ 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh`
+ 3. Use [Toolbox](https://containertoolbx.org/)
diff --git a/docs/development/structure.md b/docs/development/structure.md
deleted file mode 100644
index 0035b6c90..000000000
--- a/docs/development/structure.md
+++ /dev/null
@@ -1,156 +0,0 @@ ---- -title: Structure ---- - -Description of common structure found across various AppArmor profiles - - -## Programs to not confine - -Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why. - -These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theater. - -It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule: -```sh - /etc/{,**} rw, -``` - -However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems: - -1. How do we know the exhaustive list of *sensitive files* in `/etc`? -2. How do we ensure access to these sensitive files is not required? -3. This breaks the principle of mandatory access control. - See the [first rule of this project](index.md#project-rules) which is to only allow - what is required. Here we allow everything and blacklist some paths. - -It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: - -* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files: - -!!! 
note "" - - [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123) - ``` aa linenums="123" - profile diff { - include - include - - @{bin}/ r, - @{bin}/pager mr, - @{bin}/less mr, - @{bin}/more mr, - @{bin}/diff mr, - - owner @{HOME}/.lesshs* rw, - - # Diff changed config files - /etc/** r, - - # For shell pwd - /root/ r, - - } - ``` - -* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager: - -!!! note "" - - [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20 - ) - ``` aa linenums="20" - @{bin}/diff rix, - ``` - -**What if I still want to protect these programs?** - -You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox. - -!!! example "To sum up" - - 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` - 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh` - 3. Use [Toolbox]. - -[Toolbox]: https://containertoolbx.org/ - - - -## Abstractions - -This project and the apparmor-profiles official project provide a large selection of abstractions to be included in profiles. They should be used. - -For instance, to allow download directory access, instead of writing: -```sh -owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, -``` - -You should write: -```sh -include -``` - - -## Children profiles - -Usually, a child profile is in the [`children`][children] group. They have the following note: - -!!! 
quote - - Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles. - -[children]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children - -Here is an overview of the current children profile: - -1. **`child-open`**: To open resources. Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. - -2. **`child-pager`**: Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. - -3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. - - -## Browsers - -Chromium based browsers share a similar structure. Therefore, they share the same abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content. - -This abstraction requires the following variables defined in the profile header: -```sh -@{name} = chromium -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/chromium -@{config_dirs} = @{user_config_dirs}/chromium -@{cache_dirs} = @{user_cache_dirs}/chromium -``` - -If your application requires chromium to run (like electron) use [`abstractions/chromium-common`][chromium-common] instead. - -[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium -[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common - -## Udev rules - -See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`. 
- -Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed: - -!!! note "" - - [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188) - ``` aa linenums="179" - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - ``` - -[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - - -## No New Privileges - -[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). - -The possible solutions are: - -* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)). -* Inherit the current confinement (`ix`) -* [Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) diff --git a/docs/development/workflow.md b/docs/development/workflow.md new file mode 100644 index 000000000..a1631e3d8 --- /dev/null +++ b/docs/development/workflow.md @@ -0,0 +1,195 @@ +--- +title: Workflow +--- + +**Workflow to write profiles** + +
+ +- :material-file-document:   **[Write a blanck profile](#add-a-blank-profile)** + +
+
+ +- :material-download:   **[Install the profile](#individual-profile)** + +
+
+ +- :material-test-tube:   **[Profile the program](#program-profiling)** + +
+
+ +- :octicons-law-16:   **[Respect the profile guidelines](guidelines.md)** + +
+ + +## Add a blank profile + +1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f). + If your profile is part of a large group of profiles, it can also go in + [`apparmor.d/groups`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups). + +2. Write the profile content, the rules depend on the confined program, + Here is the bare minimum for the program `foo`: +``` sh +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 You +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/foo +profile foo @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor +``` + +## Development Install + +It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). + +Instead, install an individual profile or the development package, the following way. + +### Development package + +=== ":material-arch: Archlinux" + + ```sh + make pkg + ``` + +=== ":material-ubuntu: Ubuntu" + + ```sh + make dpkg + ``` + +=== ":material-debian: Debian" + + ```sh + make dpkg + ``` + +=== ":simple-suse: openSUSE" + + ```sh + make rpm + ``` + +=== ":material-docker: Docker" + + For any system with docker installed you can simply build the package with: + + ```sh + make package dist= + ``` + + Then you can install the package with `dpkg`, `pacman` or `rpm`. + +### Individual profile + +**Format** + +```sh +make dev name= +``` + +**Exampe** + +: Testing the profile `pass` + + ``` + make dev name=pass + ``` + + This: + + - Prebuild the `pass` profile in complain mode to `.build`, + - Install the profile to `/etc/apparmor.d/` + - Load the profile by restarting the AppArmor service. 
+
+
+More advanced development, like editing the abstractions or working over multiple profiles at the same time requires installing the full development package.
+
+For this individual profile installation to work, the full package needs to be installed, regardless of the installation method ([dev](#development-package) or [stable](../install.md)).
+
+## Program Profiling
+
+### Workflow
+
+To discover the access needed by a program, you can use the following tools:
+
+1. Star the program in *complain* mode, let it initialize itself, then close it.
+
+1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will:
+ - Convert the logs to AppArmor rules.
+ - Detect if flags such as `attach_disconnected` are needed.
+ - Convert all common paths to **[variables](../variables.md)**.
+
+1. From `aa-log` output, you can:
+ - Copy the rules to the profile.
+ - Replace some rules with **[abstractions](abstractions.md)** as 80% of the rules should already be covered by an abstraction.
+
+1. Then, [update the profile](#individual-profile) and start the program again. Use the program as you would normally do, but also try to run all the features of the program, e.g.: open the help, settings, etc.
+
+1. Run **[`aa-log`](../usage.md#apparmor-log)**. Stop the program as long as you get over 100 new rules. Add the rules to the profile.
+
+After 2 or 3 iterations, you should have a working profile.
+
+### Recommendations
+
+
+ +- :material-function:   **[Use the abstractions](abstractions.md)** +- :simple-files:   **[Learn how to open resources](internal.md#open-resources)** +- :fontawesome-solid-bus-simple:   **[Learn how Dbus rules are handled](dbus.md)** +- :material-sign-direction:   **[Learn about directives `#aa:`](directives.md)** +- :octicons-law-16:   **[Follow the profile guidelines](guidelines.md)** +- :octicons-light-bulb-16:   **[See other recommendations](recommendations.md)** + +
+
+!!! danger "Warning"
+
+ Following the [profile guidelines](guidelines.md) is **mandatory** for all profiles. PRs that do not follow the guidelines will not get merged.
+
+### Tools
+
+* **[aa-notify](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions)** is a tool that will allow you to get notified on every apparmor log.
+
+* **[aa-logprof](https://man.archlinux.org/man/aa-logprof.8)** is another tool that will help you to generate a profile from logs. However, the logs generated by `aa-logprof` need to be rewritten to comply with the profile [guidelines](guidelines.md).
+
+* **[aa-complain](https://man.archlinux.org/man/aa-complain.8), aa-enforce** are tools to quickly change the mode of a profile.
+
+
+## Development Settings
+
+### Profile flags
+
+Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated.
+
+For instance, to move `adb` in *complain* mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line:
+```sh
+adb complain
+```
+
+Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`:
+```sh
+gnome-shell attach_disconnected,mediate_deleted,complain
+```
+
+
+### Ignore profiles
+
+It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root).
diff --git a/docs/enforce.md b/docs/enforce.md index 52241859e..692cbd1e3 100644 --- a/docs/enforce.md +++ b/docs/enforce.md 
@@ -4,37 +4,59 @@ title: Enforce Mode The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. -!!! warning +!!! danger - - Please test in complain mode first and ensure your system boots! - - When reporting an issue, please ensure the affected profiles are in complain mode. + - You **must** test in complain mode first and ensure your system works as expected. + - You **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log) and [report](report.md) issues first. + - When reporting an issue, you **must** ensure the affected profiles are in complain mode. -#### :material-arch: Arch Linux +=== ":material-arch: Archlinux" -In `PKGBUILD`, replace `make` by `make enforce`: -```diff -- make DISTRIBUTION=arch -+ make enforce DISTRIBUTION=arch -``` + In the `PKGBUILD`, replace `make` by `make enforce`: -#### :material-ubuntu: Ubuntu & :material-debian: Debian + ```diff + - make DISTRIBUTION=arch + + make enforce DISTRIBUTION=arch + ``` -In `debian/rules`, add the following lines: + Then, build the package with: `make pkg` -```make -override_dh_auto_build: - make enforce -``` +=== ":material-ubuntu: Ubuntu" -#### :simple-suse: openSUSE + In `debian/rules`, add the following lines: -In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce` -```diff -- %make_build -+ %make_build enforce -``` + ```make + override_dh_auto_build: + make enforce + ``` -#### Partial install + Then, build the package with: `make dpkg` -Use the `make enforce` command to build instead of `make` +=== ":material-debian: Debian" + + In `debian/rules`, add the following lines: + + ```make + 
override_dh_auto_build: + make enforce + ``` + + Then, build the package with: `make dpkg` + +=== ":simple-suse: openSUSE" + + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce` + + ```diff + - %make_build + + %make_build enforce + ``` + + Then, build the package with: `make rpm` + +=== ":material-home: Partial Install" + + Use the `make enforce` command to build instead of `make` + +[aur]: https://aur.archlinux.org/packages/apparmor.d-git diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 2b9f57454..80da55c2a 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -31,7 +31,7 @@ Particularly: - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. -## Install +## Installation This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. 
@@ -43,35 +43,53 @@ cache-loc /etc/apparmor/earlypolicy/ Optimize=compress-fast ``` -**:material-arch: Arch Linux** +=== ":material-arch: Archlinux" -In `PKGBUILD`, replace `make` by `make full`: -```diff -- make -+ make full -``` + In `PKGBUILD`, replace `make` by `make full`: -**:material-ubuntu: Ubuntu & :material-debian: Debian** + ```diff + - make + + make full + ``` -In `debian/rules`, add the following lines: + Then, build the package with: `make pkg` -```make -override_dh_auto_build: - make full -``` +=== ":material-ubuntu: Ubuntu" -**:simple-suse: openSUSE** + In `debian/rules`, add the following lines: -In `dists/apparmor.d.spec`, replace `%make_build` by `make full` -```diff -- %make_build -+ %make_build full -``` + ```make + override_dh_auto_build: + make full + ``` -**Partial install** + Then, build the package with: `make dpkg` -Use the `make full` command to build instead of `make` +=== ":material-debian: Debian" + + In `debian/rules`, add the following lines: + ```make + override_dh_auto_build: + make full + ``` + + Then, build the package with: `make dpkg` + +=== ":simple-suse: openSUSE" + + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build full` + + ```diff + - %make_build + + %make_build full + ``` + + Then, build the package with: `make rpm` + +=== ":material-home: Partial Install" + + Use the `make full` command to build instead of `make` ## Structure 
@@ -113,7 +131,7 @@ To work as intended, userland services started by `systemd --user` **should** ha !!! info - To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: + To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/internal.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: ``` @{lib}/foo rPx -> systemd//&foo, ``` diff --git a/docs/index.md b/docs/index.md index 3a9381ccd..8f5696074 100644 --- a/docs/index.md +++ b/docs/index.md @@ -2,24 +2,17 @@ title: AppArmor.d --- - + **Full set of AppArmor profiles** !!! danger "Help Wanted" - This project is still in its early development. Help is very welcome; - see [Development](development/index.md) + This project is still in its early development. Help is very welcome; see [Development](development/index.md) **AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. -**Purpose** +### Purpose - Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` - Confine all Desktop environments 
@@ -29,26 +22,27 @@ Business Benefits of an LSM See the [Concepts](concepts.md)' page for more detail on the architecture. -**Goals** +### Goals - Target both desktops and servers - Support for all distributions that support AppArmor: * [:material-arch: Arch Linux](install.md#archlinux) - * [:material-ubuntu: Ubuntu 22.04](install.md#ubuntu-debian) - * [:material-debian: Debian 12](install.md#ubuntu-debian) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12](install.md#debian) * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) - Support for all major desktop environments: - - [x] :material-gnome: Gnome - - [ ] :simple-kde: KDE *(work in progress)* -- Fully tested (Work in progress) + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- Fully tested *(work in progress)* -**Presentations** +### Presentations Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* -**Chat** +### Chat A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/install.md b/docs/install.md index c08072343..91b0b4ae6 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -2,15 +2,23 @@ title: Installation --- -!!! warning - - To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. - - After installation, you **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions). +## Setup !!! danger - Do **not** expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature. + Do **not** expect this project to work correctly on your desktop if your Desktop Environment (DE) and Display Manager (DM) are not supported. Your DE/DM might not load, and that would be a **feature**. + +Due to the development stage of this project, the default package configuration installs all profiles in **complain** mode. The recommended installation workflow is as-follow: + +1. **[Configure AppArmor](#configure-apparmor)** AppArmor for *apparmor.d*. +1. **[Install](#installation)** *apparmor.d* in the (default) complain mode. +1. **[Configure your personal directories](configuration.md)**. +1. Reboot your system. +1. You **must** check for any AppArmor logs with [`aa-log`](usage.md#apparmor-log). +1. **[Report](https://apparmor.pujol.io/report/)** any raised logs. +1. Use the profiles in *complain* mode for a while (a week), regularly check for new AppArmor logs. +1. Only if there are no logs raised for your daily usage, install it in [enforce mode](enforce.md). + ## Requirements 
@@ -22,105 +30,167 @@ An `AppArmor` supported Linux distribution is required. The default profiles and The following desktop environments are supported: - - [x] :material-gnome: Gnome - - [x] :simple-kde: KDE - - [ ] :simple-xfce: XFCE *(work in progress)* +- [x] :material-gnome: Gnome (GDM) +- [x] :simple-kde: KDE (SDDM) +- [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* **Build dependency** -* Go >= 1.18 +* Go >= 1.21 -## :material-arch: Arch Linux -`apparmor.d-git` is available in the [Arch User Repository][aur]: -``` -yay -S apparmor.d-git # or your preferred AUR install method -``` +## Configure AppArmor + +As there are a lot of rules (~80k lines), it is recommended to enable fast caching compression of AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`: -Or without an AUR helper: ```sh -git clone https://aur.archlinux.org/apparmor.d-git.git -cd apparmor.d-git -makepkg -si +echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf +echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf ``` -## :material-ubuntu: Ubuntu & :material-debian: Debian +## Installation -Build the package from sources: -```sh -sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git -git clone https://github.com/roddhjav/apparmor.d.git -cd apparmor.d -dpkg-buildpackage -b -d --no-sign -sudo dpkg -i ../apparmor.d_*.deb -``` +=== ":material-arch: Archlinux" -!!! tip + `apparmor.d-git` is available in the [Arch User Repository][aur]: - If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + yay -S apparmor.d-git # or your preferred AUR install method ``` -!!! 
note + Or without an AUR helper: - Debian user may need golang from the backports repository to build: ```sh - echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list - sudo apt update - sudo apt install -t bookworm-backports golang-go + git clone https://aur.archlinux.org/apparmor.d-git.git + cd apparmor.d-git + makepkg -si ``` -!!! warning +=== ":material-ubuntu: Ubuntu" - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + Build the package from sources: - If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based. - -## :simple-suse: openSUSE - -openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS -```sh -zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo -zypper refresh -zypper install apparmor.d -``` - - -## Partial install - -For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. - -```sh -make -sudo make profile-names... -``` - -!!! warning - - Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - - For instance, `sudo make pass` gives: ```sh - Warning: profile dependencies fallback to unconfined. 
- @{bin}/wl-{copy,paste} rPx, - @{bin}/xclip rPx, - @{bin}/python3.@{int} rPx -> pass-import, # pass-import - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + git clone https://github.com/roddhjav/apparmor.d.git + cd apparmor.d + dpkg-buildpackage -b -d --no-sign + sudo dpkg -i ../apparmor.d_*.deb ``` - So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. + + !!! tip + + If you have `devscripts` installed, you can use the one liner: + + ```sh + make dpkg + ``` + + !!! warning + + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + + If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. + +=== ":material-debian: Debian" + + Build the package from sources: + + ```sh + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + git clone https://github.com/roddhjav/apparmor.d.git + cd apparmor.d + dpkg-buildpackage -b -d --no-sign + sudo dpkg -i ../apparmor.d_*.deb + ``` + + !!! tip + + If you have `devscripts` installed, you can use the one liner: + + ```sh + make dpkg + ``` + + !!! note + + You may need golang from the backports repository to build: + + ```sh + echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list + sudo apt update + sudo apt install -t bookworm-backports golang-go + ``` + + !!! warning + + **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. + + If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. 
+ +=== ":simple-suse: openSUSE" + + openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS: + + ```sh + zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo + zypper refresh + zypper install apparmor.d + ``` + +=== ":material-home: Partial" + + For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. + + ```sh + make + sudo make profile-names... + ``` + + !!! warning + + Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) + + For instance, `sudo make pass` gives: + ```sh + Warning: profile dependencies fallback to unconfined. + @{bin}/wl-{copy,paste} rPx, + @{bin}/xclip rPx, + @{bin}/python3.@{int} rPx -> pass-import, # pass-import + @{pager_path} rPx -> child-pager, + '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' + ``` + So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. 
-## Uninstall +[Next: Configure your personal directories](configuration.md){ .md-button .md-button--primary } -- :material-arch: Arch Linux `sudo pacman -R apparmor.d` -- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d` -- :simple-suse: openSUSE `sudo zypper remove apparmor.d` + +## Uninstallation + +=== ":material-arch: Archlinux" + + ```sh + sudo pacman -R apparmor.d + ``` + +=== ":material-ubuntu: Ubuntu" + + ```sh + sudo apt purge apparmor.d + ``` + +=== ":material-debian: Debian" + + ```sh + sudo apt purge apparmor.d + ``` + +=== ":simple-suse: openSUSE" + + ```sh + sudo zypper remove apparmor.d + ``` [aur]: https://aur.archlinux.org/packages/apparmor.d-git -[repo]: https://repo.pujol.io/ -[keys]: https://repo.pujol.io/gpgkey diff --git a/docs/issues.md b/docs/issues.md index d9f28cfe6..1db3b195a 100644 --- a/docs/issues.md +++ b/docs/issues.md 
@@ -2,18 +2,19 @@ title: Known issues --- -Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +!!! info -!!! info + Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. - Usually, a profile in complain mode cannot break the program it confines. - However, there are some **major exceptions**: +## Complain mode - * `deny` rules are enforced even in complain mode, - * `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, - * If AppArmor does not find the profile to transition `rPx`. +A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: -### Pacman "could not get current working directory" +1. `deny` rules are enforced even in *complain* mode, +2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, +3. If AppArmor does not find the profile to transition `rPx`. + +## Pacman "could not get current working directory" ```sh $ sudo pacman -Syu @@ -30,15 +31,3 @@ According to the Arch Linux guideline, on Arch Linux, packages cannot install fi This provides a basic protection against some packages (on the AUR) that may have rogue install script. [pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman - - -### Gnome can be very slow to start. - -[Gnome](https://github.com/roddhjav/apparmor.d/issues/80) can be slow to start. This is a known bug, help is very welcome. - -The complexity is that: - -- It works fine without AppArmor -- It works fine on most system (including test VM) -- It seems to be dbus related -- On archlinux, the dbus mediation is not enabled. So, there is nothing special to allow. diff --git a/docs/report.md b/docs/report.md index e13ac9e9f..e82d4e9e7 100644 --- a/docs/report.md +++ b/docs/report.md 
@@ -11,25 +11,39 @@ When creating [an issue on Github][newissue], please post a link to the [paste] aa-log -R ``` -If this command produce nothing, try: +??? question "No logs with `aa-log`?" + + If the log file is empty, check that Auditd is running: + + ```sh + sudo systemctl status auditd.service + ``` + + If Auditd is disabled aa-log will not have new results, you can enable Auditd with: + + ```sh + sudo systemctl enable auditd.service --now + ``` + +If this command produces nothing, use `-s` to provide all logs since boot time (provided that `journalctl` collected them): ```sh aa-log -s -R ``` -If the log file is empty, check that Auditd is running: +??? question "No logs with `aa-log -s`?" + + On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled: + + ```sh + sudo systemctl enable systemd-journald-audit.socket + ``` + +You can get older logs with: + ```sh -sudo systemctl status auditd.service +aa-log -R -f ``` - -If Auditd is disabled aa-log will not have new results, you can enable Auditd by doing the following command: -```sh -sudo systemctl enable auditd.service --now -``` - -You can get more logs with: - -1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them) -2. `aa-log -R -f ` where `` is `1`, `2`, `3` and `4` (the rotated audit log file) +Where `` is `1`, `2`, `3` and `4` (the rotated audit log file). [newissue]: https://github.com/roddhjav/apparmor.d/issues/new [paste]: https://pastebin.com/ diff --git a/docs/usage.md b/docs/usage.md index 70eaaa292..e73439efc 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -24,9 +24,10 @@ apparmor module is loaded. ... 30 processes are in complain mode. ... +0 processes are in prompt mode. +0 processes are in kill mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. -0 processes are in kill mode. ``` You can also list the current processes alongside with their security profile with: @@ -76,9 +77,9 @@ ps (complain) user ps auxZ ## AppArmor Log -Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way. +Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colourful way. -Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. +Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions). ### Basic use diff --git a/docs/variables.md b/docs/variables.md index a70358263..ef2533c0f 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -6,8 +6,10 @@ title: Variables References ### User directories +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | @@ -26,14 +28,19 @@ title: Variables References | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | -| Vm | `@{XDG_VM_DIR}` | `.vm` -| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` +| Vm | `@{XDG_VM_DIR}` | `.vm` | +| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | | Disk images | `@{XDG_IMG_DIR}` | `images` | +| Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | + +
### Dotfiles +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | | Config | `@{XDG_CONFIG_DIR}` | `.config` | | Data | `@{XDG_DATA_DIR}` | `.local/share` | @@ -44,26 +51,32 @@ title: Variables References | SSH | `@{XDG_SSH_DIR}` | `.ssh` | | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | -| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | + +
### Full configuration path +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | -| Build | `@{user_build_dirs}` | `/tmp/` | +| Build | `@{user_build_dirs}` | `/tmp/build/` | | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | -| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | + +
### Full user path +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | @@ -80,43 +93,81 @@ title: Variables References | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | -| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` -| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` -| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | +| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | + +
## System variables -!!! warning +!!! danger Do not modify these variables unless you know what you are doing -**Helper variables** +#### Base variables + +
| Description | Name | Default Value(s) | -|-------------|:----:|---------------| -| Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` | -| Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | | -| Hexadecimal | `@{h}*@{h}` | | -| Universally unique identifier | `@{uuid}` | | -| Current Process id | `@{pid}` | `[0-9]*` | -| Processes ids | `@{pids}` | `[0-9]*` | -| User id | `@{uid}` | `[0-9]*` | -| Thread id | `@{tid}` | `[0-9]*` | -| Single hexadecimal character | `@{h}` | `[0-9a-fA-F]` | +|-------------|------|------------------| +| Any digit | `@{d}` | `[0-9]` | +| Any letter | `@{l}` | `[a-zA-Z]` | | Single alphanumeric character | `@{c}` | `[0-9a-zA-Z]` | -| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | -| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | -| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | +| Word character: matches any letter, digit or underscore. | `@{w}` | `[0-9a-zA-Z_]` | +| Single hexadecimal character | `@{h}` | `[0-9a-fA-F]` | +| Integer up to 10 digits (0-9999999999) | `@{int}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}` | +| Unsigned integer over 8 bits (0-255) | `@{u8}` | `[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]` | +| Unsigned integer over 16 bits (0-65535, 5 digits) | `@{u16}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}` | +| Hexadecimal up to 64 characters | `@{hex}` | | +| Alphanumeric up to 64 characters | `@{rand}` | | +| Word up to 64 characters | `@{word}` | | -**System Paths** +
+ +#### Basic variables of a given length + +
+ +| Description | Name | +|-------------|------| +| Any x digits characters | `@{int2}` `@{int4}` `@{int6}` `@{int8}` `@{int9}` `@{int10}` `@{int12}` `@{int15}` `@{int16}` `@{int32}` `@{int64}` | +| Any x hexadecimal characters | `@{hex2}` `@{hex4}` `@{hex6}` `@{hex8}` `@{hex9}` `@{hex10}` `@{hex12}` `@{hex15}` `@{hex16}` `@{hex32}` `@{hex38}` `@{hex64}` | +| Any x alphanumeric characters | `@{rand2}` `@{rand4}` `@{rand6}` `@{rand8}` `@{rand9}` `@{rand10}` `@{rand12}` `@{rand15}` `@{rand16}` `@{rand32}` `@{rand64}` | +| Any x word characters | `@{word2}` `@{word4}` `@{word6}` `@{word8}` `@{word9}` `@{word10}` `@{word12}` `@{word15}` `@{word16}` `@{word32}` `@{word64}` | + +
+ +#### System Variables + +
| Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| +| Common architecture names | `@{arch}` | `x86_64 amd64 i386 i686` | +| Dbus unique name | `@{busname}` | `:1.@{u16} :not.active.yet` | +| Universally unique identifier | `@{uuid}` | `@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}` | +| Username valid characters | `@{user}` | `[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}` | +| Group valid characters | `@{group}` | `@{user}` | +| Semantic version | `@{version}` | `@{int}{.@{int},}{.@{int},}{-@{rand},}` | +| Current Process Id | `@{pid}` | `{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}` | +| Processes Ids | `@{pids}` | `@{pid}` | +| Thread Id | `@{tid}` | `@{pid}` | +| User Id (equivalent to `@{int}`) | `@{uid}` | `{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}` | + +
+ +#### System Paths + +
+ +| Description | Name | Default Value(s) | +|-------------|------|------------------| | Root Home | `@{HOMEDIRS}` | `/home/` | | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | -| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/ /mnt/` | -| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/` | +| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | +| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | | Bin | `@{bin}` | `/{usr/,}{s,}bin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | @@ -126,13 +177,29 @@ title: Variables References | System wide share | `@{system_share_dirs}` | `/{usr,usr/local,var/lib/@{flatpak_exports_root}}/share` | | Flatpak export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` | -**Program paths** +
+ +#### System Internal | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| +| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | +| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | +| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | +| HCI devices | `@{hci_id}` | `dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}` | +| Udev data dynamic assignment ranges (234 to 254 then 384 to 511) | `@{dynamic}` | `23[4-9] 24[0-9] 25[0-4] 38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1]` | + +#### Program paths + +
+ +| Description | Name | Default Value(s) | +|-------------|------|------------------| | All the shells | `@{shells}` | `sh zsh bash dash fish rbash ksh tcsh csh` | | Shells path | `@{shells_path}` | `@{bin}/@{shells}` | | Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) | | Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` | -| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop` +| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop @{lib}/gio-launch-desktop` | All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11) + +
diff --git a/go.mod b/go.mod index bec7213d7..f98df5c19 100644 --- a/go.mod +++ b/go.mod @@ -1,13 +1,3 @@ module github.com/roddhjav/apparmor.d -go 1.21 - -require ( - github.com/stretchr/testify v1.9.0 - gopkg.in/yaml.v3 v3.0.1 -) - -require ( - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect -) +go 1.22 diff --git a/go.sum b/go.sum index 60ce688a0..e69de29bb 100644 --- a/go.sum +++ b/go.sum @@ -1,10 +0,0 @@ -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/mkdocs.yml b/mkdocs.yml index d72fd86b7..9390b3dde 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -43,8 +43,10 @@ theme: - content.action.edit - content.code.annotate - content.code.copy + - content.tabs.link - content.tooltips - navigation.indexes + - navigation.instant - navigation.sections - navigation.tabs - navigation.top 
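Review bot: `go.mod` now requires `go 1.22`, while the install docs changed in the same commit raise the build dependency only to `Go >= 1.21`; one of the two is stale. On a 1.21 toolchain the package build described in the docs will either auto-download a newer toolchain or stop with a `go.mod requires go >= 1.22` error, depending on `GOTOOLCHAIN`, so the mismatch is user-visible. Align the docs line with the module directive (`* Go >= 1.22`) or keep `go 1.21` here if nothing needs 1.22 features. Dropping both `require` blocks and emptying go.sum is only consistent if no package still imports testify or yaml.v3 — a `go mod tidy` check in CI would catch a leftover import.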
@@ -62,11 +64,16 @@ plugins:
 - offline:
 enabled: !ENV [MKDOCS_OFFLINE, true]
 - git-revision-date-localized:
- enabled: !ENV [ENABLED_GIT_REVISION_DATE, True]
+ enabled: !ENV [ENABLED_GIT_REVISION_DATE, true]
 enable_creation_date: true
 fallback_to_build_date: true
 - minify:
 minify_html: true
+ - git-committers:
+ enabled: !ENV [ENABLED_GIT_REVISION_DATE, true]
+ token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY]
+ repository: roddhjav/apparmor.d
+ branch: main
 # Customization
 extra:
@@ -110,7 +117,9 @@ markdown_extensions:
 user: squidfunk
 repo: mkdocs-material
 - pymdownx.smartsymbols
- - pymdownx.snippets
+ - pymdownx.snippets:
+ auto_append:
+ - docs/abbreviations.md
 - pymdownx.superfences:
 custom_fences:
 - name: mermaid
@@ -118,6 +127,9 @@ markdown_extensions:
 format: !!python/name:pymdownx.superfences.fence_code_format
 - pymdownx.tabbed:
 alternate_style: true
+ slugify: !!python/object/apply:pymdownx.slugs.slugify
+ kwds:
+ case: lower
 - pymdownx.tasklist:
 custom_checkbox: true
@@ -130,24 +142,24 @@ nav:
 - install.md
 - configuration.md
 - usage.md
+ - report.md
 - Advanced:
 - variables.md
 - enforce.md
 - full-system-policy.md
 - Troubleshooting:
 - issues.md
- - report.md
 - recovery.md
 - Development:
 - development/index.md
- - Architecture:
- - development/install.md
+ - Profiles:
+ - development/workflow.md
 - development/guidelines.md
- - development/structure.md
- - Profile:
 - development/abstractions.md
+ - development/internal.md
 - development/directives.md
 - development/dbus.md
+ - development/recommendations.md
 - Tests:
 - development/tests.md
 - development/integration.md
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index 75c009c86..a887d4b98 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
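Review bot: The new `git-committers` plugin is switched on through `ENABLED_GIT_REVISION_DATE`, the same variable that toggles `git-revision-date-localized`, so the two cannot be controlled independently, and when that variable is unset the plugin defaults to enabled while `token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY]` resolves to null. A local or offline build would then either call the GitHub API unauthenticated (and hit rate limits) or fail, depending on how the plugin treats a missing token. Give it its own switch that defaults to off, `enabled: !ENV [ENABLED_GIT_COMMITTERS, false]`, and keep `MKDOCS_GIT_COMMITTERS_APIKEY` as a masked/protected CI variable since it is a GitHub credential.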
@@ -32,7 +32,9 @@ func NewAppArmorProfile() *AppArmorProfileFile {
 func DefaultTunables() *AppArmorProfileFile {
 return &AppArmorProfileFile{
 Preamble: Rules{
+ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
 &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
 &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
 &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
 &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
@@ -40,11 +42,13 @@ func DefaultTunables() *AppArmorProfileFile {
 &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
 &Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
 &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
+ &Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
 &Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true},
 &Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true},
 &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true},
 &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true},
 &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true},
+ &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true},
 },
 }
 }
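Review bot: The new `arch` default is `x86_64 amd64 i386`, while the variables table added in this same commit documents `@{arch}` as `x86_64 amd64 i386 i686`, and `rand` is capped at 10 characters (per its trailing comment) where the docs describe `@{rand}` as alphanumeric up to 64; if `DefaultTunables` is meant to track the shipped tunables, these values have already drifted and anything validated against them will not match real profiles. If the divergence is intentional, say so where readers will look: a doc comment on the function such as `// DefaultTunables returns a reduced, self-contained variable set for tests and log parsing; it is not the tunables shipped in the profiles.` The `// Up to 10 characters` remark would then be better placed on that comment than trailing a single entry, since `int` carries the same limit without one.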
diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go
index d7a22b5bb..0cc74d438 100644
--- a/pkg/aa/apparmor_test.go
+++ b/pkg/aa/apparmor_test.go
@@ -10,7 +10,6 @@ import (
 "testing"
 "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/util"
 )
 var (
@@ -21,7 +20,7 @@ var (
 // mustReadProfileFile read a file and return its content as a slice of string.
 // It panics if an error occurs. It removes the last comment line.
 func mustReadProfileFile(path *paths.Path) string {
- res := strings.Split(util.MustReadFile(path), "\n")
+ res := strings.Split(path.MustReadFileAsString(), "\n")
 return strings.Join(res[:len(res)-2], "\n")
 }
@@ -108,7 +107,7 @@ func TestAppArmorProfileFile_String(t *testing.T) {
 },
 }},
 },
- want: util.MustReadFile(testData.Join("string.aa")),
+ want: testData.Join("string.aa").MustReadFileAsString(),
 },
 }
 for _, tt := range tests {
@@ -208,7 +207,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
 &Comment{Base: Base{Comment: " Copyright (C) 2021-2024 Alexandre Pujol ", IsLineRule: true}},
 &Comment{Base: Base{Comment: " SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true}},
 nil,
- &Abi{IsMagic: true, Path: "abi/3.0"},
+ &Abi{IsMagic: true, Path: "abi/4.0"},
 &Include{IsMagic: true, Path: "tunables/global"},
 &Variable{
 Name: "exec_path", Define: true,
diff --git a/pkg/aa/base.go b/pkg/aa/base.go
index 967466520..609525111 100644
--- a/pkg/aa/base.go
+++ b/pkg/aa/base.go
@@ -9,8 +9,8 @@ import (
 )
 type Base struct {
- IsLineRule bool
 Comment string
+ IsLineRule bool
 NoNewPrivs bool
 FileInherit bool
 Optional bool
diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 50b23bae9..36c7101a4 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@@ -29,7 +29,7 @@ func init() {
 }
 }
-func isOwner(log map[string]string) bool {
+func IsOwner(log map[string]string) bool {
 fsuid, hasFsUID := log["fsuid"]
 ouid, hasOuUID := log["ouid"]
 isDbus := strings.Contains(log["operation"], "dbus")
@@ -98,7 +98,7 @@ func newFileFromLog(log map[string]string) Rule {
 return &File{
 Base: newBaseFromLog(log),
 Qualifier: newQualifierFromLog(log),
- Owner: isOwner(log),
+ Owner: IsOwner(log),
 Path: log["name"],
 Access: accesses,
 Target: log["target"],
@@ -118,6 +118,27 @@ func (r *File) String() string {
 }
 func (r *File) Validate() error {
+ if r.Path == "" && r.Target == "" && len(r.Access) == 0 {
+ return nil // rule: `file` or `owner file`
+ }
+ if !isAARE(r.Path) {
+ return fmt.Errorf("'%s' is not a valid AARE", r.Path)
+ }
+ if len(r.Access) == 0 {
+ return fmt.Errorf("missing file access")
+ }
+ for _, v := range r.Access {
+ if v == "" {
+ continue
+ }
+ if !slices.Contains(requirements[r.Kind()]["access"], v) &&
+ !slices.Contains(requirements[r.Kind()]["transition"], v) {
+ return fmt.Errorf("invalid mode '%s'", v)
+ }
+ }
+ if r.Target != "" && !isAARE(r.Target) {
+ return fmt.Errorf("'%s' is not a valid AARE", r.Target)
+ }
 return nil
 }
@@ -241,7 +262,7 @@ func newLinkFromLog(log map[string]string) Rule {
 return &Link{
 Base: newBaseFromLog(log),
 Qualifier: newQualifierFromLog(log),
- Owner: isOwner(log),
+ Owner: IsOwner(log),
 Path: log["name"],
 Target: log["target"],
 }
@@ -260,6 +281,12 @@ func (r *Link) String() string {
 }
 func (r *Link) Validate() error {
+ if !isAARE(r.Path) {
+ return fmt.Errorf("'%s' is not a valid AARE", r.Path)
+ }
+ if !isAARE(r.Target) {
+ return fmt.Errorf("'%s' is not a valid AARE", r.Target)
+ }
 return nil
 }
diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go
index 914efc2ff..a9d8dbeaf 100644
--- a/pkg/aa/mount.go
+++ b/pkg/aa/mount.go
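Review bot: The last new check in `File.Validate` applies `isAARE` to `r.Target`, but the target of a file exec transition (the `px -> name` form AppArmor accepts for the `transition` modes this same function recognises) can be a bare profile name, which starts with neither `@`, `/` nor `"`. If `Target` carries such names — it is filled from `log["target"]` in the first hunk — well-formed transition rules would now fail validation; limiting the AARE check to targets of non-transition accesses, or accepting a plain identifier there, avoids that. The `requirements[r.Kind()]` lookup is repeated on both sides of the `&&`; hoisting it into `req := requirements[r.Kind()]` before the loop reads better and cannot diverge. Adding a doc comment would also help, since validation now has real teeth: `// Validate checks that a file rule has an AARE path, at least one known access or transition mode, and an AARE target when one is given.`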
@@ -16,11 +16,20 @@ const (
 func init() {
 requirements[MOUNT] = requirement{
+ "flags_bind": {
+ "B", "bind", "R", "rbind",
+ },
+ "flags_change": {
+ "remount", "unbindable", "shared", "private", "slave", "runbindable",
+ "rshared", "rprivate", "rslave", "make-unbindable", "make-shared",
+ "make-private", "make-slave", "make-runbindable", "make-rshared",
+ "make-rprivate", "make-rslave",
+ },
 "flags": {
- "acl", "async", "atime", "ro", "rw", "bind", "rbind", "dev",
- "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move",
- "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion",
- "nomand", "norelatime", "nosuid", "nouser", "private", "relatime",
+ "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime",
+ "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl",
+ "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand",
+ "norelatime", "nosuid", "nouser", "private", "rbind", "relatime",
 "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose",
diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go
index 88808a375..ef8a7acd9 100644
--- a/pkg/aa/parse.go
+++ b/pkg/aa/parse.go
@@ -187,11 +187,11 @@ func parseParagraph(input string) (Rules, error) {
 }
 res = append(res, rrr...)
- for _, r := range res {
- if r.Constraint() == PreambleRule {
- return nil, fmt.Errorf("Rule not allowed in block: %s", r)
- }
- }
+ // for _, r := range res {
+ // if r.Constraint() == PreambleRule {
+ // return nil, fmt.Errorf("Rule not allowed in block: %s", r)
+ // }
+ // }
 return res, nil
 }
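Review bot: The `PreambleRule` check in `parseParagraph` is commented out rather than removed, so a preamble-only rule appearing inside a profile block is now accepted silently and the dead lines give no reason for the change. If the check was wrong, delete it and say why in one line; if it is temporarily disabled, replace the five commented lines with `// TODO(<issue-id>): re-enable the PreambleRule check once <reason>` so the relaxation is tracked rather than forgotten. The `mount.go` hunk above is fine as data, but `flags_bind` and `flags_change` both repeat entries that stay in `flags`; a comment on `flags` stating that it is the union used for generic matching would explain the overlap. parseParagraph's beginning lies outside the hunk.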
@@ -495,9 +495,15 @@ func (r rule) String() string {
 }
 func isAARE(str string) bool {
- return strings.HasPrefix(str, "@") ||
- strings.HasPrefix(str, "/") ||
- strings.HasPrefix(str, "\"")
+ if len(str) < 1 {
+ return false
+ }
+ switch str[0] {
+ case '@', '/', '"':
+ return true
+ default:
+ return false
+ }
 }
 // Convert a slice of internal rules to a slice of ApparmorRule.
@@ -652,8 +658,8 @@ done:
 }
 // Parse apparmor profile rules by paragraphs
-func ParseRules(input string) ([]Rules, []string, error) {
- paragraphRules := []Rules{}
+func ParseRules(input string) (ParaRules, []string, error) {
+ paragraphRules := ParaRules{}
 paragraphs := []string{}
 for _, match := range regParagraph.FindAllStringSubmatch(input, -1) {
diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go
index 9cc011f38..71607fd32 100644
--- a/pkg/aa/parse_test.go
+++ b/pkg/aa/parse_test.go
@@ -8,8 +8,6 @@ import (
 "reflect"
 "strings"
 "testing"
-
- "github.com/roddhjav/apparmor.d/pkg/util"
 )
 func Test_tokenizeRule(t *testing.T) {
@@ -843,7 +841,7 @@ var (
 raw string
 apparmor *AppArmorProfileFile
 wParseErr bool
- wRules []Rules
+ wRules ParaRules
 wParseRulesErr bool
 }{
 {
@@ -851,7 +849,7 @@ var (
 raw: "",
 apparmor: &AppArmorProfileFile{},
 wParseErr: false,
- wRules: []Rules{},
+ wRules: ParaRules{},
 wParseRulesErr: false,
 },
 {
@@ -875,7 +873,7 @@ var (
 },
 },
 wParseErr: false,
- wRules: []Rules{},
+ wRules: ParaRules{},
 wParseRulesErr: false,
 },
 {
@@ -914,12 +912,12 @@ var (
 },
 },
 wParseErr: false,
- wRules: []Rules{},
+ wRules: ParaRules{},
 wParseRulesErr: false,
 },
 {
 name: "string.aa",
- raw: util.MustReadFile(testData.Join("string.aa")),
+ raw: testData.Join("string.aa").MustReadFileAsString(),
 apparmor: &AppArmorProfileFile{
 Preamble: Rules{
 &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}},
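Review bot: `isAARE` is now the gate that `File.Validate` and `Link.Validate` (file.go hunks above) rely on, yet it still has no doc comment stating the contract it enforces. `// isAARE reports whether str can be an AppArmor regular expression: it must start with a variable reference (@), an absolute path (/) or a quoted string (").` says what callers may assume; the empty-string case is handled by the new `len(str) < 1` guard and deserves a word too. The exported `ParseRules` should likewise get a Go-style comment, `// ParseRules parses AppArmor profile rules paragraph by paragraph and returns them grouped as ParaRules together with the raw paragraphs.`, in place of the current fragment. ParseRules's body continues outside the hunk.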
@@ -943,7 +941,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{ + wRules: ParaRules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, @@ -1017,7 +1015,7 @@ var ( }, { name: "full.aa", - raw: util.MustReadFile(testData.Join("full.aa")), + raw: testData.Join("full.aa").MustReadFileAsString(), apparmor: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, @@ -1050,7 +1048,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{ + wRules: ParaRules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index ec5068971..30e8b106f 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -139,16 +139,18 @@ func (p *Profile) GetAttachments() string { var ( newLogMap = map[string]func(log map[string]string) Rule{ + // class "rlimits": newRlimitFromLog, - "cap": newCapabilityFromLog, - "io_uring": newIOUringFromLog, - "signal": newSignalFromLog, - "ptrace": newPtraceFromLog, "namespace": newUsernsFromLog, - "unix": newUnixFromLog, - "dbus": newDbusFromLog, + "cap": newCapabilityFromLog, + "net": newNetworkFromLog, "posix_mqueue": newMqueueFromLog, "sysv_mqueue": newMqueueFromLog, + "signal": newSignalFromLog, + "ptrace": newPtraceFromLog, + "unix": newUnixFromLog, + "io_uring": newIOUringFromLog, + "dbus": newDbusFromLog, "mount": func(log map[string]string) Rule { if strings.Contains(log["flags"], "remount") { return newRemountFromLog(log) @@ -156,7 +158,6 @@ var ( newRule := newLogMountMap[log["operation"]] return newRule(log) }, - "net": newNetworkFromLog, "file": func(log map[string]string) Rule { if log["operation"] == "change_onexec" { return newChangeProfileFromLog(log) 
@@ -164,14 +165,19 @@ var ( return newFileFromLog(log) } }, - "exec": newFileFromLog, - "getattr": newFileFromLog, - "mkdir": newFileFromLog, - "mknod": newFileFromLog, - "open": newFileFromLog, - "rename_src": newFileFromLog, - "truncate": newFileFromLog, - "unlink": newFileFromLog, + // operation + "capable": newCapabilityFromLog, + "chmod": newFileFromLog, + "exec": newFileFromLog, + "getattr": newFileFromLog, + "link": newFileFromLog, + "mkdir": newFileFromLog, + "mknod": newFileFromLog, + "open": newFileFromLog, + "rename_dest": newFileFromLog, + "rename_src": newFileFromLog, + "truncate": newFileFromLog, + "unlink": newFileFromLog, } newLogMountMap = map[string]func(log map[string]string) Rule{ "mount": newMountFromLog, @@ -213,7 +219,7 @@ func (p *Profile) AddRule(log map[string]string) { case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) default: - fmt.Printf("unknown log type: %s", log["operation"]) + fmt.Printf("unknown log type: %s\n", log["operation"]) } } } diff --git a/pkg/aa/resolve.go b/pkg/aa/resolve.go index 26a03691e..6ce768bc0 100644 --- a/pkg/aa/resolve.go +++ b/pkg/aa/resolve.go @@ -10,7 +10,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) var ( @@ -149,7 +148,7 @@ func (f *AppArmorProfileFile) resolveInclude(include *Include) error { iFile := &AppArmorProfileFile{} for _, file := range files { - raw, err := util.ReadFile(file) + raw, err := file.ReadFileAsString() if err != nil { return err } diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index 77e05e320..ee50532a9 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -124,7 +124,7 @@ var ( wString: "include if exists ", }, { - name: "include/abs", + name: "include-abs", rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false}, other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true}, wCompare: -1, 
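Review bot: The new `"link": newFileFromLog` entry sends `link` operations through the file constructor even though a dedicated `newLinkFromLog` exists (file.go hunk above), so the event's `target=` value lands in `File.Target` rather than `Link.Target`. If this is deliberate — the `startplasma` case added to logs_test.go further down shows a `link` event with a `k` mask, which may be why — a one-line comment on the entry, `// link events carry lock masks in practice; treat them as file rules`, would stop the next reader from "fixing" it; if not, map it to `newLinkFromLog`. The `// class` / `// operation` section comments are a good addition; the mount `remount` special case a few lines above in the first hunk would benefit from the same treatment. The `newLogMap` literal starts in the previous hunk.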
@@ -190,7 +190,7 @@ var ( wString: "capability net_admin,", }, { - name: "capability/multi", + name: "capability-multi", rule: &Capability{Names: []string{"dac_override", "dac_read_search"}}, other: capability2, wCompare: -15, @@ -198,7 +198,7 @@ var ( wString: "capability dac_override dac_read_search,", }, { - name: "capability/all", + name: "capability-all", rule: &Capability{}, other: capability2, wCompare: -1, @@ -222,7 +222,7 @@ var ( log: mount1Log, rule: mount1, other: mount2, - wCompare: 38, + wCompare: 37, wMerge: false, wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", }, @@ -250,7 +250,7 @@ var ( log: pivotroot1Log, rule: pivotroot1, other: pivotroot2, - wCompare: 7, + wCompare: -5, wMerge: false, wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,", }, @@ -307,7 +307,7 @@ var ( wString: "signal receive set=kill peer=firefox//&firejail-default,", }, { - name: "ptrace/xdg-document-portal", + name: "ptrace-xdg-document-portal", fromLog: newPtraceFromLog, log: ptrace1Log, rule: ptrace1, @@ -317,7 +317,7 @@ var ( wString: "ptrace read peer=nautilus,", }, { - name: "ptrace/snap-update-ns.firefox", + name: "ptrace-snap-update-ns.firefox", fromLog: newPtraceFromLog, log: ptrace2Log, rule: ptrace2, @@ -355,7 +355,7 @@ var ( wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,", }, { - name: "dbus/bind", + name: "dbus-bind", rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, other: dbus2, wCompare: -39, 
@@ -381,31 +381,33 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file/empty", + name: "file-all", rule: &File{}, other: &File{}, wCompare: 0, wMerge: true, - wString: " ,", + wString: " ,", // FIXME: }, { - name: "file/equal", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: 0, - wMerge: true, - wString: "/usr/share/poppler/cMap/Identity-H ,", + name: "file-equal", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wValidErr: true, + wCompare: 0, + wMerge: true, + wString: "/usr/share/poppler/cMap/Identity-H ,", }, { - name: "file/owner", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: 1, - wMerge: false, - wString: "owner /usr/share/poppler/cMap/Identity-H ,", + name: "file-owner", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: 1, + wValidErr: true, + wMerge: false, + wString: "owner /usr/share/poppler/cMap/Identity-H ,", }, { - name: "file/access", + name: "file-access", rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}}, wCompare: -5, @@ -413,12 +415,13 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file/close", - rule: &File{Path: "/usr/share/poppler/cMap/"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: -10, - wMerge: false, - wString: "/usr/share/poppler/cMap/ ,", + name: "file-close", + rule: &File{Path: "/usr/share/poppler/cMap/"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: -10, + wValidErr: true, + wMerge: false, + wString: "/usr/share/poppler/cMap/ ,", }, { name: "link1", 
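Review bot: The `// FIXME:` appended to the `file-all` expectation names no problem, so the test now pins a known-wrong rendering with no hint of what the right one is. `File.Validate` in the file.go hunk treats an empty path, access and target as the bare `file` rule, so say exactly that: `wString: " ,", // FIXME: File{} should render as "file," (bare file rule), not " ,"`. The `wValidErr: true` additions on `file-equal`, `file-owner` and `file-close` follow from the new "missing file access" check and read correctly.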
diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go
index 637412278..8e8ed5d95 100644
--- a/pkg/aa/rules.go
+++ b/pkg/aa/rules.go
@@ -94,7 +94,7 @@ func (r Rules) Delete(i int) Rules {
 }
 func (r Rules) DeleteKind(kind Kind) Rules {
- res := make(Rules, 0)
+ res := make(Rules, 0, len(r))
 for _, rule := range r {
 if rule == nil {
 continue
@@ -106,8 +106,8 @@ func (r Rules) DeleteKind(kind Kind) Rules {
 return res
 }
-func (r Rules) Filter(filter Kind) Rules {
- res := make(Rules, 0)
+func (r Rules) FilterOut(filter Kind) Rules {
+ res := make(Rules, 0, len(r))
 for _, rule := range r {
 if rule == nil {
 continue
@@ -119,8 +119,21 @@ func (r Rules) Filter(filter Kind) Rules {
 return res
 }
+func (r Rules) Filter(filter Kind) Rules {
+ res := make(Rules, 0, len(r))
+ for _, rule := range r {
+ if rule == nil {
+ continue
+ }
+ if rule.Kind() == filter {
+ res = append(res, rule)
+ }
+ }
+ return res
+}
+
 func (r Rules) GetVariables() []*Variable {
- res := make([]*Variable, 0)
+ res := make([]*Variable, 0, len(r))
 for _, rule := range r {
 switch rule := rule.(type) {
 case *Variable:
@@ -131,7 +144,7 @@ func (r Rules) GetVariables() []*Variable {
 }
 func (r Rules) GetIncludes() []*Include {
- res := make([]*Include, 0)
+ res := make([]*Include, 0, len(r))
 for _, rule := range r {
 switch rule := rule.(type) {
 case *Include:
@@ -247,3 +260,20 @@ func (r Rules) Format() Rules {
 r.setPaddings(paddingsIndex, paddingsMaxLen)
 return r
 }
+
+// ParaRules is a slice of Rules grouped by paragraph
+type ParaRules []Rules
+
+func (r ParaRules) Flatten() Rules {
+ totalLen := 0
+ for i := range r {
+ totalLen += len(r[i])
+ }
+
+ res := make(Rules, 0, totalLen)
+ for i := range r {
+ res = append(res, r[i]...)
+ }
+
+ return res
+}
diff --git a/pkg/aa/template.go b/pkg/aa/template.go
index 18f07bc2e..cb00d2f36 100644
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
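Review bot: `Rules.Filter` keeps its name but now returns the opposite set: the old body (rules whose kind is *not* `filter`) moved to `FilterOut`, while the new `Filter` keeps only rules *of* that kind. Any `.Filter(` caller this commit does not touch still compiles and silently gets the inverted selection — in a profile generator that means rules retained or dropped the wrong way round, which a linter will not flag. Either show every call site updated in this change, or give the new method a fresh name (`OfKind`) and keep `Filter` as a deprecated alias of `FilterOut` for one release. All three methods and `Flatten` also lack doc comments; `// FilterOut returns the rules whose kind is not filter, skipping nil entries.` and `// Filter returns only the rules whose kind is filter, skipping nil entries.` make the inversion visible at the call site.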
@@ -35,17 +35,10 @@ var (
 // The apparmor templates
 tmpl = generateTemplates([]Kind{
 // Global templates
- "apparmor",
- PROFILE,
- HAT,
- "rules",
+ "apparmor", PROFILE, HAT, "rules",
 // Preamble templates
- ABI,
- ALIAS,
- INCLUDE,
- VARIABLE,
- COMMENT,
+ ABI, ALIAS, INCLUDE, VARIABLE, COMMENT,
 // Rules templates
 ALL, RLIMIT, USERNS, CAPABILITY, NETWORK,
@@ -138,7 +131,7 @@ var (
 // The order AARE should be sorted
 stringAlphabet = []byte(
- "!\"#$%&'*(){}[]+,-./:;<=>?@\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz",
+ "!\"#$%&'*(){}[]@+,-./:;<=>?\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz",
 )
 stringWeights = generateWeights(stringAlphabet)
@@ -232,11 +225,11 @@ func cjoin(i any) string {
 }
 }
-func kindOf(i any) string {
+func kindOf(i Rule) string {
 if i == nil {
 return ""
 }
- return i.(Rule).Kind().String()
+ return i.Kind().String()
 }
 func setindent(i string) string {
diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go
index e6c91ac93..7f5af2e08 100644
--- a/pkg/logging/logging.go
+++ b/pkg/logging/logging.go
@@ -37,7 +37,7 @@ func Print(msg string, a ...interface{}) int {
 // Println prints a formatted message. Arguments are handled in the manner of fmt.Println.
 func Println(msg string) int {
- n, _ := fmt.Fprintf(os.Stdout, msg+"\n")
+ n, _ := fmt.Fprintf(os.Stdout, "%s\n", msg)
 return n
 }
@@ -48,7 +48,7 @@ func Bulletf(msg string, a ...interface{}) string {
 // Bullet prints a formatted bullet point string
 func Bullet(msg string, a ...interface{}) int {
- return Print(Bulletf(msg, a...))
+ return Print("%s", Bulletf(msg, a...))
 }
 // Stepf returns a formatted step string
@@ -58,7 +58,7 @@ func Stepf(msg string, a ...interface{}) string {
 // Step prints a step title
 func Step(msg string, a ...interface{}) int {
- return Print(Stepf(msg, a...))
+ return Print("%s", Stepf(msg, a...))
 }
 // Successf returns a formatted success string
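Review bot: Moving `@` ahead of `+` in `stringAlphabet` re-ranks every AARE comparison in the project (the `wCompare` expectations in rule_test.go change from 38 to 37 and 7 to -5 as a consequence), but the comment above it, `// The order AARE should be sorted`, still gives no reason for any position. Record the intent on the line, e.g. `// '@' sorts right after the bracket group so that @{var}-prefixed paths come before literal ones`, if that is the motivation, so the next reorder is deliberate rather than accidental. The `Println` change from `Fprintf(os.Stdout, msg+"\n")` to `"%s\n", msg` correctly stops treating caller text as a format string, and the `Print("%s", …)` wrappers do the same for the rest of the package.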
@@ -68,7 +68,7 @@ func Successf(msg string, a ...interface{}) string {
 // Success prints a formatted success message to stdout
 func Success(msg string, a ...interface{}) int {
- return Print(Successf(msg, a...))
+ return Print("%s", Successf(msg, a...))
 }
 // Warningf returns a formatted warning string
@@ -78,12 +78,12 @@ func Warningf(msg string, a ...interface{}) string {
 // Warning prints a formatted warning message to stdout
 func Warning(msg string, a ...interface{}) int {
- return Print(Warningf(msg, a...))
+ return Print("%s", Warningf(msg, a...))
 }
 // Fatalf returns a formatted error message
 func Error(msg string, a ...interface{}) int {
- return Print(fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...)))
+ return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...)))
 }
 // Fatalf returns a formatted error message
diff --git a/pkg/logging/logging_test.go b/pkg/logging/logging_test.go
index ebfe48afd..eb912595e 100644
--- a/pkg/logging/logging_test.go
+++ b/pkg/logging/logging_test.go
@@ -10,7 +10,7 @@ func TestPrint(t *testing.T) {
 msg := "Print message"
 wantN := 13
- gotN := Print(msg)
+ gotN := Print("%s", msg)
 if gotN != wantN {
 t.Errorf("Print() = %v, want %v", gotN, wantN)
 }
@@ -28,7 +28,7 @@ func TestPrintln(t *testing.T) {
 func TestBulletf(t *testing.T) {
 msg := "Bullet message"
 want := "\033[1m ⋅ \033[0mBullet message\n"
- if got := Bulletf(msg); got != want {
+ if got := Bulletf("%s", msg); got != want {
 t.Errorf("Bulletf() = %v, want %v", got, want)
 }
 }
@@ -36,7 +36,7 @@ func TestBulletf(t *testing.T) {
 func TestBullet(t *testing.T) {
 msg := "Bullet message"
 wantN := 28
- gotN := Bullet(msg)
+ gotN := Bullet("%s", msg)
 if gotN != wantN {
 t.Errorf("Bullet() = %v, want %v", gotN, wantN)
 }
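Review bot: The comment directly above `Error` in the second hunk, `// Fatalf returns a formatted error message`, documents the wrong function (it is repeated verbatim for the real `Fatalf` a few lines later), so godoc now shows the same sentence for two different functions. `// Error prints a formatted error message to stdout and returns the number of bytes written.` is what the body does. The changed line beneath it wraps one `Sprintf` in a second `%s` print; assuming `Print` formats its arguments as the new `Print("%s", …)` calls imply, `return Print("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))` is equivalent and shorter.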
@@ -45,7 +45,7 @@ func TestBullet(t *testing.T) { func TestStepf(t *testing.T) { msg := "Step message" want := "\033[1;32mStep message\033[0m\n" - if got := Stepf(msg); got != want { + if got := Stepf("%s", msg); got != want { t.Errorf("Stepf() = %v, want %v", got, want) } } @@ -53,7 +53,7 @@ func TestStepf(t *testing.T) { func TestStep(t *testing.T) { msg := "Step message" wantN := 24 - gotN := Step(msg) + gotN := Step("%s", msg) if gotN != wantN { t.Errorf("Step() = %v, want %v", gotN, wantN) } @@ -62,7 +62,7 @@ func TestStep(t *testing.T) { func TestSuccessf(t *testing.T) { msg := "Success message" want := "\033[1;32m ✓ \033[0mSuccess message\n" - if got := Successf(msg); got != want { + if got := Successf("%s", msg); got != want { t.Errorf("Successf() = %v, want %v", got, want) } } @@ -70,7 +70,7 @@ func TestSuccessf(t *testing.T) { func TestSuccess(t *testing.T) { msg := "Success message" wantN := 32 - gotN := Success(msg) + gotN := Success("%s", msg) if gotN != wantN { t.Errorf("Success() = %v, want %v", gotN, wantN) } @@ -79,7 +79,7 @@ func TestSuccess(t *testing.T) { func TestWarningf(t *testing.T) { msg := "Warning message" want := "\033[1;33m ‼ \033[0mWarning message\n" - if got := Warningf(msg); got != want { + if got := Warningf("%s", msg); got != want { t.Errorf("Warningf() = %v, want %v", got, want) } } @@ -87,7 +87,7 @@ func TestWarningf(t *testing.T) { func TestWarning(t *testing.T) { msg := "Warning message" wantN := 32 - gotN := Warning(msg) + gotN := Warning("%s", msg) if gotN != wantN { t.Errorf("Warning() = %v, want %v", gotN, wantN) } @@ -96,7 +96,7 @@ func TestWarning(t *testing.T) { func TestError(t *testing.T) { msg := "Error message" wantN := 30 - gotN := Error(msg) + gotN := Error("%s", msg) if gotN != wantN { t.Errorf("Error() = %v, want %v", gotN, wantN) } 
@@ -105,7 +105,7 @@ func TestError(t *testing.T) { func TestFatalf(t *testing.T) { msg := "Error message" want := "\033[1;31m ✗ Error: \033[0mError message\n" - if got := Fatalf(msg); got != want { + if got := Fatalf("%s", msg); got != want { t.Errorf("Fatalf() = %v, want %v", got, want) } } diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 15fa1fbc8..d1a485344 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -30,7 +30,7 @@ func TestGetJournalctlLogs(t *testing.T) { "apparmor": "ALLOWED", "label": "gsd-xsettings", "operation": "dbus_method_call", - "name": ":*", + "name": "@{busname}", "mask": "receive", "bus": "session", "path": "/org/gtk/Settings", @@ -50,8 +50,8 @@ func TestGetJournalctlLogs(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { reader, _ := GetJournalctlLogs(tt.path, tt.useFile) - if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(reader, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index c1bcf81df..194e6dc03 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -28,11 +28,14 @@ const ( boldYellow = "\033[1;33m" ) +const ( + h = `[0-9a-fA-F]` + d = `[0-9]` +) + var ( quoted bool isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`) - _hex = `[0-9a-fA-F]` - _int = `[0-9]` regCleanLogs = util.ToRegexRepl([]string{ // Clean apparmor log file `.*apparmor="`, `apparmor="`, 
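Review bot: In the logs.go hunk, `_hex` and `_int` become package-level one-letter constants `h` and `d`, which are easy to shadow in any function of the package and, in a file full of path regexes, `d` reads as "directory" rather than "decimal digit". `hexDigit` and `decDigit` (or simply `hex`/`dec`) cost nothing and keep the long `regCleanLogs` table readable. The `quoted bool` package variable in the same `var` block is visible here only as context, but note that the `New` function further down now mutates it from a closure; see the comment there.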
@@ -40,8 +43,8 @@ var ( `\x1d`, " ", // Remove basic rules from abstractions/base - `(?m)^.*/etc/[^/]+so.*$`, ``, - `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+so.*$`, ``, + `(?m)^.*/etc/[^/]+\.so.*$`, ``, + `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+\.so.*$`, ``, `(?m)^.*/usr/(lib|lib32|lib64|libexec)/locale/.*$`, ``, `(?m)^.*/usr/share/locale[^/]?/.*$`, ``, `(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``, 
@@ -61,40 +64,47 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/usr/(lib|lib32|lib64|libexec)`, `@{lib}`, + `/att/[^/@]+`, `@{att}/`, + `/usr/lib(32|64|exec)`, `@{lib}`, + `/usr/lib`, `@{lib}`, `/usr/(bin|sbin)`, `@{bin}`, - `x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`, + `(x86_64|amd64|i386|i686)`, `@{arch}`, + `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, `/var/run/`, `@{run}/`, `/run/`, `@{run}/`, `user/[0-9]*/`, `user/@{uid}/`, `/tmp/user/@{uid}/`, `@{tmp}/`, `/proc/`, `@{PROC}/`, + `@{PROC}/1/`, `@{PROC}/one/`, // Go does not support lookahead assertions like (?!1\b)d+, so we have to use a workaround `@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`, + `@{PROC}/one/`, `@{PROC}/1/`, `@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`, `/sys/`, `@{sys}/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`, - `pci` + strings.Repeat(_hex, 4) + `:` + strings.Repeat(_hex, 2), `@{pci_bus}`, - `@{pci_bus}/[0-9a-f:*./]*`, `@{pci}/`, + `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, + `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, + `@{att}//`, `@{att}/`, // Some system glob - `:1.[0-9]*`, `:*`, // dbus peer name + `:not.active.yet`, `@{busname}`, // dbus unique bus name + `:1.[0-9]*`, `@{busname}`, // dbus unique bus name `@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell `@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses // int, hex, uuid - strings.Repeat(_hex, 8) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 12), `@{uuid}`, - strings.Repeat(_int, 64), `@{int64}`, - strings.Repeat(_hex, 64), `@{hex64}`, - strings.Repeat(_hex, 38), `@{hex38}`, - strings.Repeat(_int, 32), `@{int32}`, - strings.Repeat(_hex, 32), `@{hex32}`, - strings.Repeat(_int, 16), `@{int16}`, - strings.Repeat(_hex, 16), `@{hex16}`, - strings.Repeat(_int, 10), `@{int10}`, - strings.Repeat(_int, 
8), `@{int8}`, - strings.Repeat(_int, 6), `@{int6}`, + strings.Repeat(h, 8) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 12), `@{uuid}`, + strings.Repeat(d, 64), `@{int64}`, + strings.Repeat(h, 64), `@{hex64}`, + strings.Repeat(h, 38), `@{hex38}`, + strings.Repeat(d, 32), `@{int32}`, + strings.Repeat(h, 32), `@{hex32}`, + strings.Repeat(d, 16), `@{int16}`, + strings.Repeat(h, 16), `@{hex16}`, + strings.Repeat(d, 10), `@{int10}`, + strings.Repeat(d, 8), `@{int8}`, + strings.Repeat(d, 6), `@{int6}`, }) ) @@ -117,8 +127,8 @@ func toQuote(str string) string { return str } -// NewApparmorLogs return a new ApparmorLogs list of map from a log file -func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { +// New returns a new ApparmorLogs list of map from a log file +func New(file io.Reader, profile string) AppArmorLogs { logs := GetApparmorLogs(file, profile) // Parse log into ApparmorLog struct @@ -130,7 +140,12 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { aa := make(AppArmorLog) for _, item := range tmp { - kv := strings.Split(item, "=") + kv := strings.FieldsFunc(item, func(r rune) bool { + if r == '"' { + quoted = !quoted + } + return !quoted && r == '=' + }) if len(kv) >= 2 { key, value := kv[0], kv[1] if slices.Contains(toClean, key) { @@ -187,12 +202,11 @@ func (aaLogs AppArmorLogs) String() string { for _, log := range aaLogs { seen := map[string]bool{"apparmor": true} res.WriteString(state[log["apparmor"]]) - fsuid := log["fsuid"] - ouid := log["ouid"] + owner := aa.IsOwner(log) for _, key := range keys { if item, present := log[key]; present { - if key == "name" && fsuid == ouid && !strings.Contains(log["operation"], "dbus") { + if key == "name" && owner { res.WriteString(template[key] + " owner" + reset) } if temp, present := template[key]; present { diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index cc4b93ed9..6ddd5ac9e 100644 
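Review bot: `(x86_64|amd64|i386|i686)` → `@{arch}` has no boundaries, so it rewrites those substrings wherever they occur in a log line — in `comm=` values, profile names and unrelated file names (e.g. a `amd64-microcode` directory would become `@{arch}-microcode`, a constructed example), not just in multiarch paths; `\b(x86_64|amd64|i386|i686)\b` or a `/`-anchored form limits it. The follow-up `@{arch}-*linux-gnu[^/]?` is a regression against the removed `x86_64-pc-linux-gnu`: in a regexp `-*` means zero or more hyphens, so the Arch-style triplet `x86_64-pc-linux-gnu` becomes `@{arch}-pc-linux-gnu` and is never folded to `@{multiarch}`; `@{arch}-(pc-)?linux-gnu[^/]?` keeps the old behaviour. The `@{PROC}/1/` → `@{PROC}/one/` → `@{PROC}/1/` detour works only while the three entries stay in this exact order; a comment on the last one saying `// must follow the @{pid} substitution above` protects that. The replacement table starts in the previous line.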
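Review bot: The `FieldsFunc` closure added in `New` toggles the package-level `quoted` flag and never resets it before the call, so one item with an unbalanced `"` (a truncated or malformed audit line) leaves `quoted == true` for every later item and every later call, after which no `=` is split at all; being package state it is also unsafe if `New` is ever called concurrently. Declare it per item instead — `inQuotes := false` immediately before `kv := strings.FieldsFunc(item, func(r rune) bool {`, and use `inQuotes` inside the closure — so each key=value token starts from a clean state. Since this parser consumes kernel audit output, a defensively local flag is also the right boundary for hostile input. The enclosing loop of `New` continues outside the hunk.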
--- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -174,14 +174,14 @@ func TestAppArmorEvents(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file := strings.NewReader(tt.event) - if got := NewApparmorLogs(file, ""); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(file, ""); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } } -func TestNewApparmorLogs(t *testing.T) { +func TestNew(t *testing.T) { tests := []struct { name string path string @@ -208,7 +208,7 @@ func TestNewApparmorLogs(t *testing.T) { "apparmor": "DENIED", "profile": "dnsmasq", "operation": "open", - "name": "@{PROC}/@{pid}/environ", + "name": "@{PROC}/1/environ", "comm": "dnsmasq", "requested_mask": "r", "denied_mask": "r", 
@@ -247,12 +247,53 @@ func TestNewApparmorLogs(t *testing.T) { path: filepath.Join(testdata, "audit.log"), want: refPowerProfiles, }, + { + name: "signal-desktop", + path: filepath.Join(testdata, "audit.log"), + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "signal-desktop", + "operation": "open", + "class": "file", + "name": "@{sys}/devices/@{pci}/boot_vga", + "comm": "signal-desktop", + "requested_mask": "r", + "denied_mask": "r", + "fsuid": "1000", + "ouid": "0", + "FSUID": "user", + "OUID": "root", + }, + }, + }, + { + name: "startplasma", + path: filepath.Join(testdata, "audit.log"), + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "operation": "link", + "class": "file", + "profile": "startplasma", + "name": "@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz", + "target": "@{user_cache_dirs}/#@{int}", + "comm": "startplasma-way", + "denied_mask": "k", + "requested_mask": "k", + "fsuid": "1000", + "ouid": "1000", + "FSUID": "user", + "OUID": "user", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file, _ := os.Open(tt.path) - if got := NewApparmorLogs(file, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(file, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } diff --git a/pkg/paths/list_test.go b/pkg/paths/list_test.go deleted file mode 100644 index eaafc82ce..000000000 --- a/pkg/paths/list_test.go +++ /dev/null 
@@ -1,169 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. 
- */ - -package paths - -import ( - "fmt" - "testing" - - "github.com/stretchr/testify/require" -) - -func TestListConstructors(t *testing.T) { - list0 := NewPathList() - require.Len(t, list0, 0) - - list1 := NewPathList("test") - require.Len(t, list1, 1) - require.Equal(t, "[test]", fmt.Sprintf("%s", list1)) - - list3 := NewPathList("a", "b", "c") - require.Len(t, list3, 3) - require.Equal(t, "[a b c]", fmt.Sprintf("%s", list3)) - - require.False(t, list3.Contains(New("d"))) - require.True(t, list3.Contains(New("a"))) - require.False(t, list3.Contains(New("d/../a"))) - - require.False(t, list3.ContainsEquivalentTo(New("d"))) - require.True(t, list3.ContainsEquivalentTo(New("a"))) - require.True(t, list3.ContainsEquivalentTo(New("d/../a"))) - - list4 := list3.Clone() - require.Equal(t, "[a b c]", fmt.Sprintf("%s", list4)) - list4.AddIfMissing(New("d")) - require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4)) - list4.AddIfMissing(New("b")) - require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4)) - list4.AddAllMissing(NewPathList("a", "e", "i", "o", "u")) - require.Equal(t, "[a b c d e i o u]", fmt.Sprintf("%s", list4)) -} - -func TestListSorting(t *testing.T) { - list := NewPathList( - "pointless", - "spare", - "carve", - "unwieldy", - "empty", - "bow", - "tub", - "grease", - "error", - "energetic", - "depend", - "property") - require.Equal(t, "[pointless spare carve unwieldy empty bow tub grease error energetic depend property]", fmt.Sprintf("%s", list)) - list.Sort() - require.Equal(t, "[bow carve depend empty energetic error grease pointless property spare tub unwieldy]", fmt.Sprintf("%s", list)) -} - -func TestListFilters(t *testing.T) { - list := NewPathList( - "aaaa", - "bbbb", - "cccc", - "dddd", - "eeff", - "aaaa/bbbb", - "eeee/ffff", - "gggg/hhhh", - ) - - l1 := list.Clone() - l1.FilterPrefix("a") - require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l1)) - - l2 := list.Clone() - l2.FilterPrefix("b") - require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l2)) 
- - l3 := list.Clone() - l3.FilterOutPrefix("b") - require.Equal(t, "[aaaa cccc dddd eeff eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l3)) - - l4 := list.Clone() - l4.FilterPrefix("a", "b") - require.Equal(t, "[aaaa bbbb aaaa/bbbb]", fmt.Sprintf("%s", l4)) - - l5 := list.Clone() - l5.FilterPrefix("test") - require.Equal(t, "[]", fmt.Sprintf("%s", l5)) - - l6 := list.Clone() - l6.FilterOutPrefix("b", "c", "h") - require.Equal(t, "[aaaa dddd eeff eeee/ffff]", fmt.Sprintf("%s", l6)) - - l7 := list.Clone() - l7.FilterSuffix("a") - require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l7)) - - l8 := list.Clone() - l8.FilterSuffix("a", "h") - require.Equal(t, "[aaaa gggg/hhhh]", fmt.Sprintf("%s", l8)) - - l9 := list.Clone() - l9.FilterSuffix("test") - require.Equal(t, "[]", fmt.Sprintf("%s", l9)) - - l10 := list.Clone() - l10.FilterOutSuffix("a") - require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l10)) - - l11 := list.Clone() - l11.FilterOutSuffix("a", "h") - require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff]", fmt.Sprintf("%s", l11)) - - l12 := list.Clone() - l12.FilterOutSuffix("test") - require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l12)) - - l13 := list.Clone() - l13.FilterOutSuffix() - require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l13)) - - l14 := list.Clone() - l14.FilterSuffix() - require.Equal(t, "[]", fmt.Sprintf("%s", l14)) - - l15 := list.Clone() - l15.FilterOutPrefix() - require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l15)) - - l16 := list.Clone() - l16.FilterPrefix() - require.Equal(t, "[]", fmt.Sprintf("%s", l16)) - - l17 := list.Clone() - l17.Filter(func(p *Path) bool { - return p.Base() == "bbbb" - }) - require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l17)) -} diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index b77adfa66..feb1e21c4 100644 --- a/pkg/paths/paths.go 
+++ b/pkg/paths/paths.go
@@ -35,9 +35,12 @@ import (
 "io/fs"
 "os"
 "path/filepath"
+ "slices"
 "strings"
 "syscall"
 "time"
+
+ "github.com/roddhjav/apparmor.d/pkg/util"
 )
 // Path represents a path
@@ -360,6 +363,31 @@ func (p *Path) CopyTo(dst *Path) error {
 return nil
 }
+// CopyTo recursivelly copy all files from a source path to a destination path.
+func CopyTo(src *Path, dst *Path) error {
+ files, err := src.ReadDirRecursiveFiltered(nil,
+ FilterOutDirectories(),
+ FilterOutNames("README.md"),
+ )
+ if err != nil {
+ return err
+ }
+ for _, file := range files {
+ destination, err := file.RelFrom(src)
+ if err != nil {
+ return err
+ }
+ destination = dst.JoinPath(destination)
+ if err := destination.Parent().MkdirAll(); err != nil {
+ return err
+ }
+ if err := file.CopyTo(destination); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
 // CopyDirTo recursively copies the directory denoted by the current path to
 // the destination path. The source directory must exist and the destination
 // directory must NOT exist (no implicit destination name allowed).
@@ -460,6 +488,24 @@ func WriteToTempFile(data []byte, dir *Path, prefix string) (res *Path, err erro
 return New(f.Name()), nil
 }
+// ReadFileAsString read a file and return its content as a string.
+func (p *Path) ReadFileAsString() (string, error) {
+ content, err := p.ReadFile()
+ if err != nil {
+ return "", err
+ }
+ return string(content), nil
+}
+
+// MustReadFileAsString read a file and return its content as a string. Panic if an error occurs.
+func (p *Path) MustReadFileAsString() string {
+ content, err := p.ReadFile()
+ if err != nil {
+ panic(err)
+ }
+ return string(content)
+}
+
 // ReadFileAsLines reads the file named by filename and returns it as an
 // array of lines. This function takes care of the newline encoding
 // differences between different OS
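Review bot: The package-level `CopyTo` silently skips every `README.md` via `FilterOutNames("README.md")`, a project-specific rule baked into a general path helper whose doc comment promises to "copy all files". Either take the filters as a variadic parameter so callers decide, or state the exclusion in the comment: `// CopyTo recursively copies every regular file under src to dst, skipping README.md files; parent directories are created as needed.` (which also fixes "recursivelly"). `MustReadFileAsString` re-implements `ReadFileAsString` instead of calling it; `content, err := p.ReadFileAsString()` followed by `if err != nil { panic(err) }` keeps the two from drifting apart. Importing `pkg/util` into `pkg/paths` reverses the previous direction of that dependency (the old code called `util.MustReadFile` with a `*paths.Path`), which the compiler will reject as a cycle if anything in util still imports paths — worth a sentence in the commit message.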
@@ -473,6 +519,33 @@ func (p *Path) ReadFileAsLines() ([]string, error) {
 return strings.Split(txt, "\n"), nil
 }
 
+// MustReadFileAsLines read a file and return its content as a slice of string. Panic if an error occurs.
+func (p *Path) MustReadFileAsLines() []string {
+ lines, err := p.ReadFileAsLines()
+ if err != nil {
+ panic(err)
+ }
+ return lines
+}
+
+// MustReadFilteredFileAsLines read a file and return its content as a slice of string.
+// It filter out comments and empty lines. Panic if an error occurs.
+func (p *Path) MustReadFilteredFileAsLines() []string {
+ data, err := p.ReadFile()
+ if err != nil {
+ panic(err)
+ }
+ txt := string(data)
+ txt = strings.Replace(txt, "\r\n", "\n", -1)
+ txt = util.Filter(txt)
+ res := strings.Split(txt, "\n")
+ if slices.Contains(res, "") {
+ idx := slices.Index(res, "")
+ res = slices.Delete(res, idx, idx+1)
+ }
+ return res
+}
+
 // Truncate create an empty file named by path or if the file already
 // exist it truncates it (delete all contents)
 func (p *Path) Truncate() error {
diff --git a/pkg/paths/paths_test.go b/pkg/paths/paths_test.go
deleted file mode 100644
index 27fde6248..000000000
--- a/pkg/paths/paths_test.go
+++ /dev/null
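Review bot: `MustReadFilteredFileAsLines` removes only the first empty element of `res` (`slices.Index` followed by a single `slices.Delete`), whereas its doc comment promises that empty lines are filtered out; if `util.Filter` (not visible here) leaves any blank line other than the trailing one produced by the file's final newline, it survives. `res = slices.DeleteFunc(res, func(s string) bool { return s == "" })` matches the documented contract and also drops the redundant `slices.Contains` scan. `strings.Replace(txt, "\r\n", "\n", -1)` is the older spelling of `strings.ReplaceAll(txt, "\r\n", "\n")`, and since `ReadFileAsLines` in the context above appears to do the same normalisation, the line-ending handling could be shared rather than duplicated.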
@@ -1,432 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. 
- */ - -package paths - -import ( - "path/filepath" - "runtime" - "strings" - "testing" - - "github.com/stretchr/testify/require" -) - -func pathEqualsTo(t *testing.T, expected string, actual *Path) { - require.Equal(t, expected, filepath.ToSlash(actual.String())) -} - -func TestPathNew(t *testing.T) { - test1 := New("path") - require.Equal(t, "path", test1.String()) - - test2 := New("path", "path") - require.Equal(t, filepath.Join("path", "path"), test2.String()) - - test3 := New() - require.Nil(t, test3) - - test4 := New("") - require.Nil(t, test4) -} - -func TestPath(t *testing.T) { - testPath := New("testdata", "fileset") - pathEqualsTo(t, "testdata/fileset", testPath) - isDir, err := testPath.IsDirCheck() - require.True(t, isDir) - require.NoError(t, err) - require.True(t, testPath.IsDir()) - require.False(t, testPath.IsNotDir()) - exist, err := testPath.ExistCheck() - require.True(t, exist) - require.NoError(t, err) - require.True(t, testPath.Exist()) - require.False(t, testPath.NotExist()) - - folderPath := testPath.Join("folder") - pathEqualsTo(t, "testdata/fileset/folder", folderPath) - isDir, err = folderPath.IsDirCheck() - require.True(t, isDir) - require.NoError(t, err) - require.True(t, folderPath.IsDir()) - require.False(t, folderPath.IsNotDir()) - - exist, err = folderPath.ExistCheck() - require.True(t, exist) - require.NoError(t, err) - require.True(t, folderPath.Exist()) - require.False(t, folderPath.NotExist()) - - filePath := testPath.Join("file") - pathEqualsTo(t, "testdata/fileset/file", filePath) - isDir, err = filePath.IsDirCheck() - require.False(t, isDir) - require.NoError(t, err) - require.False(t, filePath.IsDir()) - require.True(t, filePath.IsNotDir()) - exist, err = filePath.ExistCheck() - require.True(t, exist) - require.NoError(t, err) - require.True(t, filePath.Exist()) - require.False(t, filePath.NotExist()) - - anotherFilePath := filePath.Join("notexistent") - pathEqualsTo(t, "testdata/fileset/file/notexistent", anotherFilePath) - 
isDir, err = anotherFilePath.IsDirCheck() - require.False(t, isDir) - require.Error(t, err) - require.False(t, anotherFilePath.IsDir()) - require.False(t, anotherFilePath.IsNotDir()) - exist, err = anotherFilePath.ExistCheck() - require.False(t, exist) - require.NoError(t, err) - require.False(t, anotherFilePath.Exist()) - require.True(t, anotherFilePath.NotExist()) - - list, err := folderPath.ReadDir() - require.NoError(t, err) - require.Len(t, list, 4) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[1]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3]) - - list2 := list.Clone() - list2.FilterDirs() - require.Len(t, list2, 1) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[0]) - - list2 = list.Clone() - list2.FilterOutHiddenFiles() - require.Len(t, list2, 3) - pathEqualsTo(t, "testdata/fileset/folder/file2", list2[0]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list2[1]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[2]) - - list2 = list.Clone() - list2.FilterOutPrefix("file") - require.Len(t, list2, 2) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list2[0]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[1]) -} - -func TestResetStatCacheWhenFollowingSymlink(t *testing.T) { - testdata := New("testdata", "fileset") - files, err := testdata.ReadDir() - require.NoError(t, err) - for _, file := range files { - if file.Base() == "symlinktofolder" { - err = file.FollowSymLink() - require.NoError(t, err) - isDir, err := file.IsDirCheck() - require.NoError(t, err) - require.True(t, isDir) - break - } - } -} - -func TestIsInsideDir(t *testing.T) { - notInside := func(a, b *Path) { - isInside, err := a.IsInsideDir(b) - require.NoError(t, err) - require.False(t, isInside, "%s is inside %s", a, b) - } - - inside := func(a, b *Path) { - isInside, err := a.IsInsideDir(b) - 
require.NoError(t, err) - require.True(t, isInside, "%s is inside %s", a, b) - notInside(b, a) - } - - f1 := New("/a/b/c") - f2 := New("/a/b/c/d") - f3 := New("/a/b/c/d/e") - - notInside(f1, f1) - notInside(f1, f2) - inside(f2, f1) - notInside(f1, f3) - inside(f3, f1) - - r1 := New("a/b/c") - r2 := New("a/b/c/d") - r3 := New("a/b/c/d/e") - r4 := New("f/../a/b/c/d/e") - r5 := New("a/b/c/d/e/f/..") - - notInside(r1, r1) - notInside(r1, r2) - inside(r2, r1) - notInside(r1, r3) - inside(r3, r1) - inside(r4, r1) - notInside(r1, r4) - inside(r5, r1) - notInside(r1, r5) - - f4 := New("/home/megabug/aide/arduino-1.8.6/hardware/arduino/avr") - f5 := New("/home/megabug/a15/packages") - notInside(f5, f4) - notInside(f4, f5) - - if runtime.GOOS == "windows" { - f6 := New("C:\\", "A") - f7 := New("C:\\", "A", "B", "C") - f8 := New("E:\\", "A", "B", "C") - inside(f7, f6) - notInside(f8, f6) - } -} - -func TestReadFileAsLines(t *testing.T) { - lines, err := New("testdata/fileset/anotherFile").ReadFileAsLines() - require.NoError(t, err) - require.Len(t, lines, 4) - require.Equal(t, "line 1", lines[0]) - require.Equal(t, "line 2", lines[1]) - require.Equal(t, "", lines[2]) - require.Equal(t, "line 3", lines[3]) -} - -func TestCanonicaTempDir(t *testing.T) { - require.Equal(t, TempDir().String(), TempDir().Canonical().String()) -} - -func TestCopyDir(t *testing.T) { - tmp, err := MkTempDir("", "") - require.NoError(t, err) - defer tmp.RemoveAll() - - src := New("testdata", "fileset") - err = src.CopyDirTo(tmp.Join("dest")) - require.NoError(t, err, "copying dir") - - exist, err := tmp.Join("dest", "folder", "subfolder", "file4").ExistCheck() - require.True(t, exist) - require.NoError(t, err) - - isdir, err := tmp.Join("dest", "folder", "subfolder", "file4").IsDirCheck() - require.False(t, isdir) - require.NoError(t, err) - - err = src.CopyDirTo(tmp.Join("dest")) - require.Error(t, err, "copying dir to already existing") - - err = src.Join("file").CopyDirTo(tmp.Join("dest2")) - 
require.Error(t, err, "copying file as dir") -} - -func TestParents(t *testing.T) { - parents := New("/a/very/long/path").Parents() - require.Len(t, parents, 5) - pathEqualsTo(t, "/a/very/long/path", parents[0]) - pathEqualsTo(t, "/a/very/long", parents[1]) - pathEqualsTo(t, "/a/very", parents[2]) - pathEqualsTo(t, "/a", parents[3]) - pathEqualsTo(t, "/", parents[4]) - - parents2 := New("a/very/relative/path").Parents() - require.Len(t, parents, 5) - pathEqualsTo(t, "a/very/relative/path", parents2[0]) - pathEqualsTo(t, "a/very/relative", parents2[1]) - pathEqualsTo(t, "a/very", parents2[2]) - pathEqualsTo(t, "a", parents2[3]) - pathEqualsTo(t, ".", parents2[4]) -} - -func TestFilterDirs(t *testing.T) { - testPath := New("testdata", "fileset") - - list, err := testPath.ReadDir() - require.NoError(t, err) - require.Len(t, list, 6) - - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/folder", list[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[4]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5]) - - list.FilterDirs() - require.Len(t, list, 2) - pathEqualsTo(t, "testdata/fileset/folder", list[0]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[1]) -} - -func TestFilterOutDirs(t *testing.T) { - { - testPath := New("testdata", "fileset") - - list, err := testPath.ReadDir() - require.NoError(t, err) - require.Len(t, list, 6) - - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/folder", list[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[4]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5]) - - list.FilterOutDirs() - require.Len(t, list, 4) - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - 
pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[2]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[3]) - } - - { - list, err := New("testdata", "broken_symlink", "dir_1").ReadDirRecursive() - require.NoError(t, err) - - require.Len(t, list, 7) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir", list[2]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[3]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[4]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir", list[5]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[6]) - - list.FilterOutDirs() - require.Len(t, list, 5) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[2]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[3]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[4]) - } -} - -func TestEquivalentPaths(t *testing.T) { - wd, err := Getwd() - require.NoError(t, err) - require.True(t, New("file1").EquivalentTo(New("file1", "somethingelse", ".."))) - require.True(t, New("file1", "abc").EquivalentTo(New("file1", "abc", "def", ".."))) - require.True(t, wd.Join("file1").EquivalentTo(New("file1"))) - require.True(t, wd.Join("file1").EquivalentTo(New("file1", "abc", ".."))) - - if runtime.GOOS == "windows" { - q := New("testdata", "fileset", "anotherFile") - r := New("testdata", "fileset", "ANOTHE~1") - require.True(t, q.EquivalentTo(r)) - require.True(t, r.EquivalentTo(q)) - } -} - -func TestCanonicalize(t *testing.T) { - wd, err := Getwd() - require.NoError(t, err) - - p := New("testdata", "fileset", "anotherFile").Canonical() - 
require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), p.String()) - - p = New("testdata", "fileset", "nonexistentFile").Canonical() - require.Equal(t, wd.Join("testdata", "fileset", "nonexistentFile").String(), p.String()) - - if runtime.GOOS == "windows" { - q := New("testdata", "fileset", "ANOTHE~1").Canonical() - require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), q.String()) - - r := New("c:\\").Canonical() - require.Equal(t, "C:\\", r.String()) - - tmp, err := MkTempDir("", "pref") - require.NoError(t, err) - require.Equal(t, tmp.String(), tmp.Canonical().String()) - } -} - -func TestRelativeTo(t *testing.T) { - res, err := New("/my/abs/path/123/456").RelTo(New("/my/abs/path")) - require.NoError(t, err) - pathEqualsTo(t, "../..", res) - - res, err = New("/my/abs/path").RelTo(New("/my/abs/path/123/456")) - require.NoError(t, err) - pathEqualsTo(t, "123/456", res) - - res, err = New("my/path").RelTo(New("/other/path")) - require.Error(t, err) - require.Nil(t, res) - - res, err = New("/my/abs/path/123/456").RelFrom(New("/my/abs/path")) - pathEqualsTo(t, "123/456", res) - require.NoError(t, err) - - res, err = New("/my/abs/path").RelFrom(New("/my/abs/path/123/456")) - require.NoError(t, err) - pathEqualsTo(t, "../..", res) - - res, err = New("my/path").RelFrom(New("/other/path")) - require.Error(t, err) - require.Nil(t, res) -} - -func TestWriteToTempFile(t *testing.T) { - tmpDir := New("testdata", "fileset", "tmp") - err := tmpDir.MkdirAll() - require.NoError(t, err) - defer tmpDir.RemoveAll() - - tmpData := []byte("test") - tmp, err := WriteToTempFile(tmpData, tmpDir, "prefix") - defer tmp.Remove() - require.NoError(t, err) - require.True(t, strings.HasPrefix(tmp.Base(), "prefix")) - isInside, err := tmp.IsInsideDir(tmpDir) - require.NoError(t, err) - require.True(t, isInside) - data, err := tmp.ReadFile() - require.NoError(t, err) - require.Equal(t, tmpData, data) -} - -func TestCopyToSamePath(t *testing.T) { - tmpDir := 
New(t.TempDir())
- srcFile := tmpDir.Join("test_file")
- dstFile := srcFile
-
- // create the source file in tmp dir
- err := srcFile.WriteFile([]byte("hello"))
- require.NoError(t, err)
- content, err := srcFile.ReadFile()
- require.NoError(t, err)
- require.Equal(t, []byte("hello"), content)
-
- // cannot copy the same file
- err = srcFile.CopyTo(dstFile)
- require.Error(t, err)
- require.Contains(t, err.Error(), "are the same file")
-}
diff --git a/pkg/paths/process.go b/pkg/paths/process.go
index 4c8692866..ebfe71343 100644
--- a/pkg/paths/process.go
+++ b/pkg/paths/process.go
@@ -55,7 +55,8 @@ func NewProcess(extraEnv []string, args ...string) (*Process, error) {
 cmd: exec.Command(args[0], args[1:]...),
 }
 p.cmd.Env = append(os.Environ(), extraEnv...)
- p.TellCommandNotToSpawnShell()
+ tellCommandNotToSpawnShell(p.cmd) // windows specific
+ tellCommandToStartOnNewProcessGroup(p.cmd) // linux specific
 
 // This is required because some tools detects if the program is running
 // from terminal by looking at the stdin/out bindings.
@@ -146,7 +147,7 @@ func (p *Process) Signal(sig os.Signal) error {
 // actually exited. This only kills the Process itself, not any other processes it may
 // have started.
 func (p *Process) Kill() error {
- return p.cmd.Process.Kill()
+ return kill(p.cmd)
 }
 
 // SetDir sets the working directory of the command. If Dir is the empty string, Run
diff --git a/pkg/paths/process_others.go b/pkg/paths/process_linux.go
similarity index 69%
rename from pkg/paths/process_others.go
rename to pkg/paths/process_linux.go
index 39bd3e161..5735a85c3 100644
--- a/pkg/paths/process_others.go
+++ b/pkg/paths/process_linux.go
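Review bot: The doc comment kept as context directly above `Kill` still says "This only kills the Process itself, not any other processes it may have started", which stops being true once `Kill` delegates to `kill(p.cmd)` and the Linux implementation signals the whole process group; replace it with `// Kill causes the Process to exit immediately. On Linux the process group is signalled, so children started by the process are killed as well.` The `// windows specific` / `// linux specific` trailing comments in the `NewProcess` hunk above are similarly misleading, since `tellCommandNotToSpawnShell` is also defined (as a no-op) in process_linux.go: they describe where the behaviour matters, not where the function exists, and a short phrase such as `// no-op except on Windows` says that directly. `NewProcess` continues outside the hunk.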
@@ -31,8 +31,34 @@
 
 package paths
 
-import "os/exec"
+import (
+ "os/exec"
+ "syscall"
+)
 
 func tellCommandNotToSpawnShell(_ *exec.Cmd) {
 // no op
 }
+
+func tellCommandToStartOnNewProcessGroup(oscmd *exec.Cmd) {
+ // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8
+
+ // Start the process in a new process group.
+ // This is needed to kill the process and its children
+ // if we need to kill the process.
+ if oscmd.SysProcAttr == nil {
+ oscmd.SysProcAttr = &syscall.SysProcAttr{}
+ }
+ oscmd.SysProcAttr.Setpgid = true
+}
+
+func kill(oscmd *exec.Cmd) error {
+ // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8
+
+ // Kill the process group
+ pgid, err := syscall.Getpgid(oscmd.Process.Pid)
+ if err != nil {
+ return err
+ }
+ return syscall.Kill(-pgid, syscall.SIGKILL)
+}
diff --git a/pkg/paths/process_test.go b/pkg/paths/process_test.go
deleted file mode 100644
index 5346dda02..000000000
--- a/pkg/paths/process_test.go
+++ /dev/null
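Review bot: `kill` sends SIGKILL to `-pgid` without checking that the group really belongs to the child; if `SysProcAttr.Setpgid` was not applied (for example a caller replaced `SysProcAttr` after `NewProcess`, or the command was not started through it), `Getpgid` returns the parent's own group and the call kills this process and its siblings. Guard it with `if pgid != oscmd.Process.Pid { return oscmd.Process.Kill() }` before the `syscall.Kill`, and note in the comment that `oscmd.Process` is nil until the command is started, so `Kill` on an unstarted Process still panics exactly as the old `p.cmd.Process.Kill()` did. Renaming `process_others.go` to `process_linux.go` also turns the file into a Linux-only build via the filename suffix; unless another file not visible here provides `tellCommandNotToSpawnShell`, `tellCommandToStartOnNewProcessGroup` and `kill` for darwin and the BSDs, the package no longer compiles there. The bare `// https://groups.google.com/...` lines would read better as one sentence explaining the Setpgid / negative-pid convention, keeping the link at the end.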
@@ -1,56 +0,0 @@ -// -// This file is part of PathsHelper library. -// -// Copyright 2023 Arduino AG (http://www.arduino.cc/) -// -// PathsHelper library is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; either version 2 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License -// along with this program; if not, write to the Free Software -// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -// -// As a special exception, you may use this file as part of a free software -// library without restriction. Specifically, if other files instantiate -// templates or use macros or inline functions from this file, or you compile -// this file and link it with other files to produce an executable, this -// file does not by itself cause the resulting executable to be covered by -// the GNU General Public License. This exception does not however -// invalidate any other reasons why the executable file might be covered by -// the GNU General Public License. 
-// - -package paths - -import ( - "context" - "testing" - "time" - - "github.com/stretchr/testify/require" -) - -func TestProcessWithinContext(t *testing.T) { - // Build `delay` helper inside testdata/delay - builder, err := NewProcess(nil, "go", "build") - require.NoError(t, err) - builder.SetDir("testdata/delay") - require.NoError(t, builder.Run()) - - // Run delay and test if the process is terminated correctly due to context - process, err := NewProcess(nil, "testdata/delay/delay") - require.NoError(t, err) - start := time.Now() - ctx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond) - err = process.RunWithinContext(ctx) - require.Error(t, err) - require.Less(t, time.Since(start), 500*time.Millisecond) - cancel() -} diff --git a/pkg/paths/readdir_test.go b/pkg/paths/readdir_test.go deleted file mode 100644 index ae25ede97..000000000 --- a/pkg/paths/readdir_test.go +++ /dev/null 
@@ -1,343 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018-2022 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. 
- */ - -package paths - -import ( - "fmt" - "io/fs" - "os" - "runtime" - "testing" - "time" - - "github.com/stretchr/testify/require" -) - -func TestReadDirRecursive(t *testing.T) { - testPath := New("testdata", "fileset") - - list, err := testPath.ReadDirRecursive() - require.NoError(t, err) - require.Len(t, list, 16) - - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/folder", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[4]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[5]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[6]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", list[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", list[9]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", list[10]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", list[11]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", list[12]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", list[13]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[14]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[15]) -} - -func TestReadDirRecursiveSymLinkLoop(t *testing.T) { - // Test symlink loop - tmp, err := MkTempDir("", "") - require.NoError(t, err) - defer tmp.RemoveAll() - - folder := tmp.Join("folder") - err = os.Symlink(tmp.String(), folder.String()) - require.NoError(t, err) - - l, err := tmp.ReadDirRecursive() - require.Error(t, err) - fmt.Println(err) - require.Nil(t, l) - - l, err = tmp.ReadDirRecursiveFiltered(nil) - require.Error(t, err) - fmt.Println(err) - require.Nil(t, l) -} - -func TestReadDirFiltered(t *testing.T) { - folderPath := New("testdata/fileset/folder") - list, err := folderPath.ReadDir() - require.NoError(t, err) - 
require.Len(t, list, 4) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[1]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3]) - - list, err = folderPath.ReadDir(FilterDirectories()) - require.NoError(t, err) - require.Len(t, list, 1) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[0]) - - list, err = folderPath.ReadDir(FilterOutPrefixes("file")) - require.NoError(t, err) - require.Len(t, list, 2) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[1]) -} - -func TestReadDirRecursiveFiltered(t *testing.T) { - testdata := New("testdata", "fileset") - l, err := testdata.ReadDirRecursiveFiltered(nil) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 16) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/file3", l[5]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[9]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[10]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[11]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[12]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[13]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[14]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[15]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 6) 
- pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) // <- this is listed but not traversed - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) // <- this is listed but not traversed - pathEqualsTo(t, "testdata/fileset/test.txt", l[4]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[5]) - - l, err = testdata.ReadDirRecursiveFiltered(nil, FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 12) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file3", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[9]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories(), FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 4) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[2]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[3]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), FilterOutSuffixes("3")) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 12) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, 
"testdata/fileset/folder/.hidden", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[5]) // <- subfolder skipped by Prefix("sub") - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[9]) // <- subfolder skipped by Prefix("sub") - pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 9) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/folder", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"), FilterOutSuffixes(".gz"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 8) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/folder", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - 
pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - - l, err = testdata.ReadDirRecursiveFiltered(OrFilter(FilterPrefixes("sub"), FilterSuffixes("tofolder"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 11) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[8]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[9]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[10]) - - l, err = testdata.ReadDirRecursiveFiltered(nil, FilterNames("folder")) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 1) - pathEqualsTo(t, "testdata/fileset/folder", l[0]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterNames("symlinktofolder"), FilterOutNames(".hidden")) - require.NoError(t, err) - require.Len(t, l, 9) - l.Sort() - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) -} - -func TestReadDirRecursiveLoopDetection(t *testing.T) { - loopsPath := New("testdata", "loops") - unbuondedReaddir := func(testdir string) (PathList, error) { - var files PathList - var err error - done := make(chan bool) - 
go func() { - files, err = loopsPath.Join(testdir).ReadDirRecursive() - done <- true - }() - require.Eventually( - t, - func() bool { - select { - case <-done: - return true - default: - return false - } - }, - 5*time.Second, - 10*time.Millisecond, - "Infinite symlink loop while loading sketch", - ) - return files, err - } - - for _, dir := range []string{"loop_1", "loop_2", "loop_3", "loop_4"} { - l, err := unbuondedReaddir(dir) - require.EqualError(t, err, "directories symlink loop detected", "loop not detected in %s", dir) - require.Nil(t, l) - } - - { - l, err := unbuondedReaddir("regular_1") - require.NoError(t, err) - require.Len(t, l, 4) - l.Sort() - pathEqualsTo(t, "testdata/loops/regular_1/dir1", l[0]) - pathEqualsTo(t, "testdata/loops/regular_1/dir1/file1", l[1]) - pathEqualsTo(t, "testdata/loops/regular_1/dir2", l[2]) - pathEqualsTo(t, "testdata/loops/regular_1/dir2/file1", l[3]) - } - - { - l, err := unbuondedReaddir("regular_2") - require.NoError(t, err) - require.Len(t, l, 6) - l.Sort() - pathEqualsTo(t, "testdata/loops/regular_2/dir1", l[0]) - pathEqualsTo(t, "testdata/loops/regular_2/dir1/file1", l[1]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2", l[2]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1", l[3]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1/file1", l[4]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2/file2", l[5]) - } - - { - l, err := unbuondedReaddir("regular_3") - require.NoError(t, err) - require.Len(t, l, 7) - l.Sort() - pathEqualsTo(t, "testdata/loops/regular_3/dir1", l[0]) - pathEqualsTo(t, "testdata/loops/regular_3/dir1/file1", l[1]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2", l[2]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1", l[3]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1/file1", l[4]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2/file2", l[5]) - pathEqualsTo(t, "testdata/loops/regular_3/link", l[6]) // broken symlink is reported in files - } - - if runtime.GOOS != 
"windows" { - dir1 := loopsPath.Join("regular_4_with_permission_error", "dir1") - - l, err := unbuondedReaddir("regular_4_with_permission_error") - require.NoError(t, err) - require.NotEmpty(t, l) - - dir1Stat, err := dir1.Stat() - require.NoError(t, err) - err = dir1.Chmod(fs.FileMode(0)) // Enforce permission error - require.NoError(t, err) - t.Cleanup(func() { - // Restore normal permission after the test - dir1.Chmod(dir1Stat.Mode()) - }) - - l, err = unbuondedReaddir("regular_4_with_permission_error") - require.Error(t, err) - require.Nil(t, l) - } -} diff --git a/pkg/paths/testdata/broken_symlink/dir_1/broken_link b/pkg/paths/testdata/broken_symlink/dir_1/broken_link deleted file mode 120000 index 86a410dd1..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/broken_link +++ /dev/null @@ -1 +0,0 @@ -broken \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/file2 b/pkg/paths/testdata/broken_symlink/dir_1/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_dir b/pkg/paths/testdata/broken_symlink/dir_1/linked_dir deleted file mode 120000 index 4b019049f..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/linked_dir +++ /dev/null @@ -1 +0,0 @@ -real_dir \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_file b/pkg/paths/testdata/broken_symlink/dir_1/linked_file deleted file mode 120000 index 30d67d467..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/linked_file +++ /dev/null @@ -1 +0,0 @@ -file2 \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 b/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/delay/.gitignore b/pkg/paths/testdata/delay/.gitignore deleted file mode 100644 index fd5812a40..000000000 --- a/pkg/paths/testdata/delay/.gitignore +++ /dev/null @@ -1 +0,0 @@ -delay* 
diff --git a/pkg/paths/testdata/delay/main.go b/pkg/paths/testdata/delay/main.go deleted file mode 100644 index fa6030c40..000000000 --- a/pkg/paths/testdata/delay/main.go +++ /dev/null @@ -1,40 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2023 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. - */ - -package main - -import ( - "fmt" - "time" -) - -func main() { - time.Sleep(3 * time.Second) - fmt.Println("Elapsed!") -} diff --git a/pkg/paths/testdata/fileset/anotherFile b/pkg/paths/testdata/fileset/anotherFile deleted file mode 100644 index 27649646e..000000000 --- a/pkg/paths/testdata/fileset/anotherFile +++ /dev/null 
@@ -1,4 +0,0 @@ -line 1 -line 2 - -line 3 \ No newline at end of file diff --git a/pkg/paths/testdata/fileset/file b/pkg/paths/testdata/fileset/file deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/.hidden b/pkg/paths/testdata/fileset/folder/.hidden deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/file2 b/pkg/paths/testdata/fileset/folder/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/file3 b/pkg/paths/testdata/fileset/folder/file3 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/subfolder/file4 b/pkg/paths/testdata/fileset/folder/subfolder/file4 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/symlinktofolder b/pkg/paths/testdata/fileset/symlinktofolder deleted file mode 120000 index 01196353b..000000000 --- a/pkg/paths/testdata/fileset/symlinktofolder +++ /dev/null @@ -1 +0,0 @@ -folder \ No newline at end of file diff --git a/pkg/paths/testdata/fileset/test.txt b/pkg/paths/testdata/fileset/test.txt deleted file mode 100644 index d3ded994d..000000000 --- a/pkg/paths/testdata/fileset/test.txt +++ /dev/null 
@@ -1,20 +0,0 @@ -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. 
It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. 
It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - 
diff --git a/pkg/paths/testdata/fileset/test.txt.gz b/pkg/paths/testdata/fileset/test.txt.gz deleted file mode 100644 index e75120aef..000000000 Binary files a/pkg/paths/testdata/fileset/test.txt.gz and /dev/null differ diff --git a/pkg/paths/testdata/loops/loop_1/dir1/loop b/pkg/paths/testdata/loops/loop_1/dir1/loop deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/loop_1/dir1/loop +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_2/dir1/loop2 b/pkg/paths/testdata/loops/loop_2/dir1/loop2 deleted file mode 120000 index d014eb492..000000000 --- a/pkg/paths/testdata/loops/loop_2/dir1/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir2 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_2/dir2/loop1 b/pkg/paths/testdata/loops/loop_2/dir2/loop1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/loop_2/dir2/loop1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_3/dir1/loop2 b/pkg/paths/testdata/loops/loop_3/dir1/loop2 deleted file mode 120000 index d014eb492..000000000 --- a/pkg/paths/testdata/loops/loop_3/dir1/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir2 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 b/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 deleted file mode 120000 index 85babfdb0..000000000 --- a/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 +++ /dev/null @@ -1 +0,0 @@ -../../dir1/ \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 b/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 deleted file mode 120000 index 3fd50ca46..000000000 --- a/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir3 \ No newline at end of file 
diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 b/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 deleted file mode 120000 index 4f388a669..000000000 --- a/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 +++ /dev/null @@ -1 +0,0 @@ -../../../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_1/dir1/file1 b/pkg/paths/testdata/loops/regular_1/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_1/dir2 b/pkg/paths/testdata/loops/regular_1/dir2 deleted file mode 120000 index df490f837..000000000 --- a/pkg/paths/testdata/loops/regular_1/dir2 +++ /dev/null @@ -1 +0,0 @@ -dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_2/dir1/file1 b/pkg/paths/testdata/loops/regular_2/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_2/dir2/dir1 b/pkg/paths/testdata/loops/regular_2/dir2/dir1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/regular_2/dir2/dir1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_2/dir2/file2 b/pkg/paths/testdata/loops/regular_2/dir2/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_3/dir1/file1 b/pkg/paths/testdata/loops/regular_3/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_3/dir2/dir1 b/pkg/paths/testdata/loops/regular_3/dir2/dir1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/regular_3/dir2/dir1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_3/dir2/file2 b/pkg/paths/testdata/loops/regular_3/dir2/file2 deleted file mode 100644 index e69de29bb..000000000 
diff --git a/pkg/paths/testdata/loops/regular_3/link b/pkg/paths/testdata/loops/regular_3/link deleted file mode 120000 index 86a410dd1..000000000 --- a/pkg/paths/testdata/loops/regular_3/link +++ /dev/null @@ -1 +0,0 @@ -broken \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/link b/pkg/paths/testdata/loops/regular_4_with_permission_error/link deleted file mode 120000 index 86a410dd1..000000000 --- a/pkg/paths/testdata/loops/regular_4_with_permission_error/link +++ /dev/null @@ -1 +0,0 @@ -broken \ No newline at end of file diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 72b3943d3..818edbb76 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go 
@@ -5,25 +5,25 @@
 package builder
 
 import (
-	"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
+	"github.com/roddhjav/apparmor.d/pkg/prebuild"
 	"github.com/roddhjav/apparmor.d/pkg/util"
 )
 
 var (
-	regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
-		`abi/3.0`, `abi/4.0`,
-		`# userns,`, `userns,`,
-		`# mqueue`, `mqueue`,
+	regAbi4To3 = util.ToRegexRepl([]string{
+		`abi/4.0`, `abi/3.0`,
+		` userns,`, ` # userns,`,
+		` mqueue`, ` # mqueue`,
 	})
 )
 
 type ABI3 struct {
-	cfg.Base
+	prebuild.Base
 }
 
 func init() {
 	RegisterBuilder(&ABI3{
-		Base: cfg.Base{
+		Base: prebuild.Base{
 			Keyword: "abi3",
 			Msg: "Convert all profiles from abi 4.0 to abi 3.0",
 		},
diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go
new file mode 100644
index 000000000..6fd700291
--- /dev/null
+++ b/pkg/prebuild/builder/attach.go
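Review bot: The new pairs ` userns,` → ` # userns,` and ` mqueue` → ` # mqueue` in regAbi4To3 are unanchored substring matches, so a rule that is already commented out as `# userns,` still contains ` userns,` and becomes `# # userns,` on a second pass, and any ` mqueue` text inside a comment or a path is rewritten as well. Anchoring each pattern to the start of a rule line (a `(?m)^` prefix with the leading indentation captured and re-emitted, if util.ToRegexRepl supports group references) would keep the downgrade idempotent and limited to rules. The removed `// Currently Abi3 -> Abi4` was the only hint about direction; a one-line comment on regAbi4To3 such as `// Downgrade abi 4.0 profiles to 3.0 by commenting out the 4.0-only rules` would replace it.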
@@ -0,0 +1,65 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "regexp" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + regProfile = regexp.MustCompile(`profile ([^ ]+)`) +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Re-attach disconnect path", + }, + }) +} + +// Apply will re-attach the disconnected path +// - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag +// - Add the attached/base abstraction in the profile +// - For compatibility, non disconnected profile will have the @{att} variable set to / +func (b ReAttach) Apply(opt *Option, profile string) (string, error) { + var insert string + var origin = "profile " + opt.Name + + if strings.Contains(profile, "attach_disconnected") { + insert = "@{att} = /att/" + opt.Name + "/\n" + profile = strings.Replace(profile, + "attach_disconnected", + "attach_disconnected,attach_disconnected.path=@{att}", -1, + ) + + old := "include if exists " + new := "include \n " + old + profile = strings.Replace(profile, old, new, 1) + + for _, match := range regProfile.FindAllStringSubmatch(profile, -1) { + name := match[1] + if name == opt.Name { + continue + } + old = "include if exists " + new = "include \n " + old + profile = strings.Replace(profile, old, new, 1) + } + + } else { + insert = "@{att} = /\n" + } + + return strings.Replace(profile, origin, insert+origin, 1), nil +} diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index e0f9f26b5..dbd9b3478 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go 
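Review bot: In ReAttach.Apply, `strings.Replace(profile, "attach_disconnected", "attach_disconnected,attach_disconnected.path=@{att}", -1)` rewrites every occurrence of the substring rather than the flag inside `flags=(...)`, so running the builder twice yields `attach_disconnected,attach_disconnected.path=@{att},attach_disconnected.path=@{att}` and a comment that merely mentions the flag is edited too; matching the flag within the flags group as complain.go does with `regFlags` would make this idempotent. `regProfile` (`profile ([^ ]+)`) likewise matches the word in comments, so a line like `# profile foo` would trigger an include insertion for a sub-profile that does not exist; restricting it to line start (`(?m)^\s*profile ([^ ]+)`) avoids that. The doc comment has a typo, `frofile` → `profile`, and it would help to state the contract: `// Apply prefixes the profile with an @{att} definition and, for attach_disconnected profiles, adds the attach_disconnected.path flag and the attached/base include.` Note that cli.go only references this builder in a commented-out `builder.Register("attach")`, so nothing exercises it yet.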
@@ -9,21 +9,21 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {`) + regProfileHeader = regexp.MustCompile(` {\n`) ) type Complain struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Complain{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "complain", Msg: "Set complain flag on all profiles", }, @@ -40,7 +40,7 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { } } flags = append(flags, "complain") - strFlags := " flags=(" + strings.Join(flags, ",") + ") {" + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" // Remove all flags definition, then set manifest' flags profile = regFlags.ReplaceAllLiteralString(profile, "") diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index 64046721f..b45075e15 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go @@ -8,7 +8,7 @@ import ( "fmt" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -21,7 +21,7 @@ var ( // Main directive interface type Builder interface { - cfg.BaseInterface + prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 597832b91..5a1a39da0 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -8,7 +8,7 @@ import ( "slices" "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestBuilder_Apply(t *testing.T) { 
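Review bot: `regProfileHeader = regexp.MustCompile(` {\n`)` and the matching `strFlags` ending in `) {\n` only recognise a profile header whose `{` is immediately followed by a newline; a header with trailing whitespace, a trailing comment or CRLF endings is silently left without the complain flag, which is the kind of miss a build should report rather than hide. A tolerant form such as `` {[ \t]*\r?\n`` (or anchoring the match to the profile line itself) would close that gap. The same `"{\n"` / `") {\n"` literals appear in enforce.go, so whatever fix is chosen should be applied there too; Apply's body continues outside the hunk, so I cannot see whether the replacement is limited to the first match.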
@@ -23,17 +23,17 @@ func TestBuilder_Apply(t *testing.T) { name: "abi3", b: Builders["abi3"], profile: ` - abi , - profile test { - # userns, - # mqueue r type=posix /, - }`, - want: ` abi , profile test { userns, mqueue r type=posix /, }`, + want: ` + abi , + profile test { + # userns, + # mqueue r type=posix /, + }`, }, { name: "complain-1", @@ -234,7 +234,7 @@ func TestBuilder_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: cfg.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/builder/dev.go b/pkg/prebuild/builder/dev.go deleted file mode 100644 index f8ebdff02..000000000 --- a/pkg/prebuild/builder/dev.go +++ /dev/null @@ -1,36 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package builder - -import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" -) - -var ( - regDev = util.ToRegexRepl([]string{ - `Cx`, `cx`, - `PUx`, `pux`, - `Px`, `px`, - `Ux`, `ux`, - }) -) - -type Dev struct { - cfg.Base -} - -func init() { - RegisterBuilder(&Dev{ - Base: cfg.Base{ - Keyword: "dev", - Msg: "Apply test development changes", - }, - }) -} - -func (b Dev) Apply(opt *Option, profile string) (string, error) { - return regDev.Replace(profile), nil -} diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index bc25e03dc..a7ce90a7a 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go 
@@ -8,16 +8,16 @@ import (
 	"slices"
 	"strings"
 
-	"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
+	"github.com/roddhjav/apparmor.d/pkg/prebuild"
 )
 
 type Enforce struct {
-	cfg.Base
+	prebuild.Base
 }
 
 func init() {
 	RegisterBuilder(&Enforce{
-		Base: cfg.Base{
+		Base: prebuild.Base{
 			Keyword: "enforce",
 			Msg: "All profiles have been enforced",
 		},
@@ -36,9 +36,9 @@ func (b Enforce) Apply(opt *Option, profile string) (string, error) {
 		return profile, nil
 	}
 	flags = slices.Delete(flags, idx, idx+1)
-	strFlags := "{"
+	strFlags := "{\n"
 	if len(flags) >= 1 {
-		strFlags = " flags=(" + strings.Join(flags, ",") + ") {"
+		strFlags = " flags=(" + strings.Join(flags, ",") + ") {\n"
 	}
 
 	// Remove all flags definition, then set new flags
diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go
index 003f79525..ed2285de5 100644
--- a/pkg/prebuild/builder/fsp.go
+++ b/pkg/prebuild/builder/fsp.go
@@ -5,7 +5,7 @@
 package builder
 
 import (
-	"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
+	"github.com/roddhjav/apparmor.d/pkg/prebuild"
 	"github.com/roddhjav/apparmor.d/pkg/util"
 )
 
@@ -16,12 +16,12 @@ var (
 )
 
 type FullSystemPolicy struct {
-	cfg.Base
+	prebuild.Base
 }
 
 func init() {
 	RegisterBuilder(&FullSystemPolicy{
-		Base: cfg.Base{
+		Base: prebuild.Base{
 			Keyword: "fsp",
 			Msg: "Prevent unconfined transitions in profile rules",
 		},
diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go
new file mode 100644
index 000000000..f7e6143b1
--- /dev/null
+++ b/pkg/prebuild/builder/hotfix.go
@@ -0,0 +1,36 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package builder
+
+import (
+	"github.com/roddhjav/apparmor.d/pkg/prebuild"
+	"github.com/roddhjav/apparmor.d/pkg/util"
+)
+
+var (
+	regHotfix = util.ToRegexRepl([]string{
+		`Cx`, `cx`,
+		`PUx`, `pux`,
+		`Px`, `px`,
+		`Ux`, `ux`,
+	})
+)
+
+type Hotfix struct {
+	prebuild.Base
+}
+
+func init() {
+	RegisterBuilder(&Hotfix{
+		Base: prebuild.Base{
+			Keyword: "hotfix",
+			Msg: "Temporary fix for #74, #80 & #235",
+		},
+	})
+}
+
+func (b Hotfix) Apply(opt *Option, profile string) (string, error) {
+	return regHotfix.Replace(profile), nil
+}
diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go
index 8a7df0bc9..d62cad522 100644
--- a/pkg/prebuild/builder/userspace.go
+++ b/pkg/prebuild/builder/userspace.go
@@ -10,7 +10,7 @@ import (
 	"strings"
 
 	"github.com/roddhjav/apparmor.d/pkg/aa"
-	"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
+	"github.com/roddhjav/apparmor.d/pkg/prebuild"
 )
 
 const tokATTACHMENT = "@{exec_path}"
@@ -20,23 +20,23 @@ var (
 )
 
 type Userspace struct {
-	cfg.Base
+	prebuild.Base
 }
 
 func init() {
 	RegisterBuilder(&Userspace{
-		Base: cfg.Base{
+		Base: prebuild.Base{
 			Keyword: "userspace",
-			Msg: "Bypass userspace tools restriction",
+			Msg: "Resolve variable in profile attachments",
 		},
 	})
 }
 
 func (b Userspace) Apply(opt *Option, profile string) (string, error) {
-	if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("abstractions")); ok {
+	if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok {
 		return profile, nil
 	}
-	if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("tunables")); ok {
+	if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok {
 		return profile, nil
 	}
 
diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go
new file mode 100644
index 000000000..2821d52c2
--- /dev/null
+++ b/pkg/prebuild/cli/cli.go
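Review bot: regHotfix lowercases `Cx`, `PUx`, `Px` and `Ux` wherever the substring occurs in the profile text, not only in the execute permission of a rule, so it also alters any path, variable or comment containing those letters, and since the uppercase forms are the environment-scrubbing transitions this builder weakens that protection for every profile it is applied to. Anchoring the patterns to the permission token of an exec rule (the token directly before the trailing `,`) would limit the change to what the workaround needs. The `Msg` cites only issue numbers; a comment on regHotfix stating the intent and exit condition would help, e.g. `// Downgrade scrubbed exec transitions (Px/Cx/Ux -> px/cx/ux) as a workaround for #74, #80 and #235; remove once those are fixed.`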
@@ -0,0 +1,175 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package cli + +import ( + "flag" + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/logging" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" +) + +const ( + nilABI uint = 0 + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] + + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. + +Options: + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -f, --full Set AppArmor for full system policy. + -F, --file Only prebuild a given file. 
+` +) + +var ( + help bool + complain bool + enforce bool + full bool + abi uint + file string +) + +func init() { + flag.BoolVar(&help, "h", false, "Show this help message and exit.") + flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") + flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") + flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") + flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") + flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") + flag.UintVar(&abi, "a", nilABI, "Target apparmor ABI.") + flag.UintVar(&abi, "abi", nilABI, "Target apparmor ABI.") + flag.StringVar(&file, "F", "", "Only prebuild a given file.") + flag.StringVar(&file, "file", "", "Only prebuild a given file.") +} + +func Prebuild() { + flag.Usage = func() { + fmt.Printf("%s\n%s\n%s\n%s", usage, + prebuild.Help("Prepare", prepare.Tasks), + prebuild.Help("Build", builder.Builders), + directive.Usage(), + ) + } + flag.Parse() + if help { + flag.Usage() + return + } + + if full && paths.New("apparmor.d/groups/_full").Exist() { + prepare.Register("fsp") + builder.Register("fsp") + } else if prebuild.SystemdDir.Exist() { + prepare.Register("systemd-early") + } + + if complain { + builder.Register("complain") + } else if enforce { + builder.Register("enforce") + } + + if abi != nilABI { + prebuild.ABI = abi + } + switch prebuild.ABI { + case 3: + builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 + case 4: + // builder.Register("attach") // Re-attach disconnect path + default: + logging.Fatal("Invalid ABI version: %d", prebuild.ABI) + } + + if file != "" { + sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) + sync.Path = file + overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) 
+ overwrite.OneFile = true + } + + logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if err := Prepare(); err != nil { + logging.Fatal("%s", err.Error()) + } + if err := Build(); err != nil { + logging.Fatal("%s", err.Error()) + } +} + +func Prepare() error { + for _, task := range prepare.Prepares { + msg, err := task.Apply() + if err != nil { + return err + } + if file != "" && task.Name() == "setflags" { + continue + } + logging.Success("%s", task.Message()) + logging.Indent = " " + for _, line := range msg { + if strings.Contains(line, "not found") { + logging.Warning("%s", line) + } else { + logging.Bullet("%s", line) + } + } + logging.Indent = "" + } + return nil +} + +func Build() error { + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = builder.Run(file, profile) + if err != nil { + return err + } + profile, err = directive.Run(file, profile) + if err != nil { + return err + } + if err := file.WriteFile([]byte(profile)); err != nil { + return err + } + } + + logging.Success("Build tasks:") + logging.Indent = " " + for _, task := range builder.Builds { + logging.Bullet("%s", task.Message()) + } + logging.Indent = "" + logging.Success("Directives processed:") + logging.Indent = " " + for _, dir := range directive.Directives { + logging.Bullet("%s%s", directive.Keyword, dir.Name()) + } + logging.Indent = "" + return nil +} diff --git a/pkg/prebuild/prebuild_test.go b/pkg/prebuild/cli/cli_test.go similarity index 78% rename from pkg/prebuild/prebuild_test.go rename to pkg/prebuild/cli/cli_test.go index db709c315..dab310020 100644 --- a/pkg/prebuild/prebuild_test.go +++ b/pkg/prebuild/cli/cli_test.go 
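Review bot: In Prebuild, `sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise)` and the matching `overwrite` assertion discard the ok result, so if either task is not registered or has a different type the pointer is nil and `sync.Path = file` panics instead of reporting a usable error; use `sync, ok := prepare.Tasks["synchronise"].(*prepare.Synchronise)` followed by `if !ok { logging.Fatal("task synchronise is not registered") }` and the same for overwrite. In Build, `files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())` drops the error, so an unreadable or missing profile tree "builds" zero files and exits successfully. The `full && paths.New("apparmor.d/groups/_full").Exist()` branch silently ignores `--full` when the directory is absent, which deserves at least a `logging.Warning`. `builder.Register("attach")` is left commented out under `case 4`, so the new attach builder is never wired in; a short comment saying why would avoid it being mistaken for dead code.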
@@ -2,7 +2,7 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cli import ( "os" @@ -10,15 +10,15 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func setTestBuildDirectories(name string) { testRoot := paths.New("/tmp/tests") - cfg.Root = testRoot.Join(name) - cfg.RootApparmord = cfg.Root.Join("apparmor.d") + prebuild.Root = testRoot.Join(name) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") } func chdirGitRoot() { @@ -33,7 +33,7 @@ func chdirGitRoot() { } } -func Test_PreBuild(t *testing.T) { +func Test_Prebuild(t *testing.T) { tests := []struct { name string wantErr bool @@ -78,18 +78,27 @@ func Test_PreBuild(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - setTestBuildDirectories(tt.name) - cfg.Distribution = tt.dist - if tt.full { + setTestBuildDirectories(tt.dist) + prebuild.Distribution = tt.dist + prepare.Prepares = []prepare.Task{} + prepare.Register( + "synchronise", "ignore", "merge", + "configure", "setflags", "systemd-default", + ) + + if full { prepare.Register("fsp") builder.Register("fsp") + } else { + prepare.Register("systemd-early") } - if tt.complain { + + if complain { builder.Register("complain") - } - if tt.enforce { + } else if enforce { builder.Register("enforce") } + if err := Prepare(); (err != nil) != tt.wantErr { t.Errorf("Prepare() error = %v, wantErr %v", err, tt.wantErr) } diff --git a/pkg/prebuild/cfg/core.go b/pkg/prebuild/core.go similarity index 69% rename from pkg/prebuild/cfg/core.go rename to pkg/prebuild/core.go index 692f130ad..8c2410d10 100644 --- a/pkg/prebuild/cfg/core.go +++ b/pkg/prebuild/core.go 
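Review bot: The rewritten loop tests `if full {`, `if complain {` and `else if enforce {`, which are the package-level flag variables from cli.go, where the old code read `tt.full`, `tt.complain` and `tt.enforce`; unless the flags are set elsewhere in the test (not visible in this hunk), every case now runs the default-flag path and the per-case fields in `tests` no longer affect anything. Restoring `tt.full`, `tt.complain` and `tt.enforce` in those three conditions (or assigning the package variables from them before the Register calls) keeps the cases meaningful. `setTestBuildDirectories(tt.dist)` also replaces `tt.name`, so two cases for the same distribution share one build directory and the second inherits the first's output; the `t.Run` body continues outside the hunk.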
@@ -2,27 +2,27 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import "fmt" type BaseInterface interface { Message() string Name() string - Usage() string + Usage() []string } type Base struct { Msg string Keyword string - Help string + Help []string } func (b Base) Name() string { return b.Keyword } -func (b Base) Usage() string { +func (b Base) Usage() []string { return b.Help } @@ -37,11 +37,3 @@ func Help[T BaseInterface](name string, tasks map[string]T) string { } return res } - -func Usage[T BaseInterface](name string, tasks map[string]T) string { - res := fmt.Sprintf("%s\n", name) - for _, t := range tasks { - res += fmt.Sprintf(" %s\n", t.Usage()) - } - return res -} diff --git a/pkg/prebuild/cfg/core_test.go b/pkg/prebuild/core_test.go similarity index 75% rename from pkg/prebuild/cfg/core_test.go rename to pkg/prebuild/core_test.go index ff76f9466..5abf0a9c1 100644 --- a/pkg/prebuild/cfg/core_test.go +++ b/pkg/prebuild/core_test.go @@ -2,9 +2,10 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( + "slices" "strings" "testing" ) @@ -17,7 +18,7 @@ func TestBase_Helpers(t *testing.T) { }{ { name: "base", - b: Base{Keyword: "test", Help: "test", Msg: "test"}, + b: Base{Keyword: "test", Help: []string{"test"}, Msg: "test"}, want: "test", }, } @@ -26,7 +27,7 @@ func TestBase_Helpers(t *testing.T) { if got := tt.b.Name(); got != tt.want { t.Errorf("Base.Name() = %v, want %v", got, tt.want) } - if got := tt.b.Usage(); got != tt.want { + if got := tt.b.Usage(); !slices.Equal(got, []string{tt.want}) { t.Errorf("Base.Usage() = %v, want %v", got, tt.want) } if got := tt.b.Message(); got != tt.want { 
@@ -45,8 +46,8 @@ func TestHelp(t *testing.T) { { name: "one", tasks: map[string]Base{ - "one": {Keyword: "one", Help: "one", Msg: "one"}, - "two": {Keyword: "two", Help: "two", Msg: "two"}, + "one": {Keyword: "one", Help: []string{"one"}, Msg: "one"}, + "two": {Keyword: "two", Help: []string{"two"}, Msg: "two"}, }, want: `one`, }, @@ -56,9 +57,6 @@ func TestHelp(t *testing.T) { if got := Help(tt.name, tt.tasks); !strings.Contains(got, tt.want) { t.Errorf("Help() = %v, want %v", got, tt.want) } - if got := Usage(tt.name, tt.tasks); !strings.Contains(got, tt.want) { - t.Errorf("Usage() = %v, want %v", got, tt.want) - } }) } } diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index d14dd4861..aadf9294e 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -10,7 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -20,15 +20,25 @@ var ( // Build the profiles with the following directive applied Directives = map[string]Directive{} - regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*) (.*)`) + regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`) ) // Main directive interface type Directive interface { - cfg.BaseInterface + prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } +func Usage() string { + res := "Directive:\n" + for _, d := range Directives { + for _, h := range d.Usage() { + res += fmt.Sprintf(" %s%s %s\n", Keyword, d.Name(), h) + } + } + return res +} + // Directive options type Option struct { Name string 
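Review bot: `Usage()` in directive/core.go iterates the `Directives` map directly, so the order of the printed directive lines changes from run to run; collect the keys into a slice, `sort.Strings(keys)`, and iterate that slice (adding `sort` to the imports) so the help text is stable. Since this is user-facing help it also warrants a doc comment, e.g. `// Usage returns the help text listing every registered directive with its argument forms.`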
@@ -61,11 +71,29 @@ func NewOption(file *paths.Path, match []string) *Option { } } -// Clean the selected directive from profile. +// Clean removes selected directive line from input string. // Useful to remove directive text applied on some condition only -func (o *Option) Clean(profile string) string { - reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`) - return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1) +func (o *Option) Clean(input string) string { + return strings.Replace(input, o.Raw, o.cleanKeyword(o.Raw), 1) +} + +// cleanKeyword removes the dirextive keywork (#aa:...) from the input string +func (o *Option) cleanKeyword(input string) string { + reg := regexp.MustCompile(`\s*` + Keyword + o.Name + `( .*)?$`) + return reg.ReplaceAllString(input, "") +} + +// Check if the directive is inline or if it is a paragraph +func (o *Option) IsInline() bool { + inline := true + tmp := strings.Split(o.Raw, Keyword) + if len(tmp) >= 1 { + left := strings.TrimSpace(tmp[0]) + if len(left) == 0 { + inline = false + } + } + return inline } func RegisterDirective(d Directive) { diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index dc7ac16d3..a1135d675 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -18,7 +18,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var defaultInterfaces = []string{ 
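Review bot: The comment on `cleanKeyword` has two typos and should read `// cleanKeyword removes the directive keyword (#aa:...) from the input string`. In `IsInline`, `len(tmp) >= 1` is always true because `strings.Split` returns at least one element, so the whole body reduces to `return strings.TrimSpace(strings.Split(o.Raw, Keyword)[0]) != ""`. A doc comment stating what "inline" means would help, e.g. `// IsInline reports whether non-blank text precedes the directive keyword in o.Raw, i.e. the directive shares its line with a rule.`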
@@ -27,18 +27,20 @@ var defaultInterfaces = []string{ } type Dbus struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Dbus{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "dbus", Msg: "Dbus directive applied", - Help: `#aa:dbus own bus= name= [interface=AARE] [path=AARE] - #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE]`, - }, - }) + Help: []string{ + "own bus= name= [interface=AARE] [path=AARE]", + "talk bus= name= label= [interface=AARE] [path=AARE]", + }, + }}, + ) } func setInterfaces(rules map[string]string) []string { diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index dd0d2ed0e..5aee73740 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go @@ -7,29 +7,32 @@ package directive import ( + "fmt" "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Exec struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Exec{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "exec", Msg: "Exec directive applied", - Help: Keyword + `exec [P|U|p|u|PU|pu|] profiles...`, + Help: []string{"[P|U|p|u|PU|pu|] profiles..."}, }, }) } func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { + if len(opt.ArgList) == 0 { + return "", fmt.Errorf("No profile to exec") + } transition := "Px" transitions := []string{"P", "U", "p", "u", "PU", "pu"} t := opt.ArgList[0] @@ -40,7 +43,7 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules := aa.Rules{} for name := range opt.ArgMap { - profiletoTransition := util.MustReadFile(cfg.RootApparmord.Join(name)) + profiletoTransition := prebuild.RootApparmord.Join(name).MustReadFileAsString() dstProfile := aa.DefaultTunables() if _, err := dstProfile.Parse(profiletoTransition); err != nil { return "", err 
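Review bot: The new guard in Exec.Apply returns `fmt.Errorf("No profile to exec")`; Go error strings are conventionally lowercase and unpunctuated (staticcheck ST1005), so `fmt.Errorf("no profile to exec")`, and the same applies to `"No profile to stack"` in the stack.go hunk. In the second hunk `MustReadFileAsString()` presumably panics when the transition target named in the directive is missing under RootApparmord, whereas `Apply` otherwise reports failures through its error return; this diff already uses the error-returning `ReadFileAsString()` in flags.go and fsp.go, which would fit better here (and in stack.go). Exec.Apply's body continues outside both hunks.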
diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index c6d4e32a7..5581d7f2b 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestExec_Apply(t *testing.T) { @@ -51,7 +51,7 @@ func TestExec_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.RootApparmord = tt.rootApparmord + prebuild.RootApparmord = tt.rootApparmord got, err := Directives["exec"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Exec.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index 1c90fa760..2fe46e6f2 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go 
@@ -5,40 +5,45 @@ package directive import ( + "fmt" "regexp" "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type FilterOnly struct { - cfg.Base + prebuild.Base } type FilterExclude struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&FilterOnly{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "only", Msg: "Only directive applied", - Help: Keyword + `only filters...`, + Help: []string{"filters..."}, }, }) RegisterDirective(&FilterExclude{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "exclude", Msg: "Exclude directive applied", - Help: Keyword + `exclude filters...`, + Help: []string{"filters..."}, }, }) } func filterRuleForUs(opt *Option) bool { - return slices.Contains(opt.ArgList, cfg.Distribution) || slices.Contains(opt.ArgList, cfg.Family) + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) + if slices.Contains(opt.ArgList, abiStr) { + return true + } + return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) } func filter(only bool, opt *Option, profile string) (string, error) { @@ -49,16 +54,7 @@ func filter(only bool, opt *Option, profile string) (string, error) { return opt.Clean(profile), nil } - inline := true - tmp := strings.Split(opt.Raw, Keyword) - if len(tmp) >= 1 { - left := strings.TrimSpace(tmp[0]) - if len(left) == 0 { - inline = false - } - } - - if inline { + if opt.IsInline() { profile = strings.Replace(profile, opt.Raw, "", -1) } else { regRemoveParagraph := regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`) diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go index 465ba50a5..ebbd5ef5c 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/prebuild/directive/filter_test.go 
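Review bot: In `filter`, `regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`)` splices the raw profile line into a regex without escaping, so a directive line containing `{`, `}`, `.`, `*`, `+`, `(` or `[` (common in AppArmor rules and `@{...}` variables) either fails to compile, panicking the build, or matches the wrong text; it should be `regexp.MustCompile(`(?s)` + regexp.QuoteMeta(opt.Raw) + `\n.*?\n\n`)`. That line is context rather than part of the change, but the commit reworks this function and leaves it as is. The `filterRuleForUs` addition reads fine; a one-line comment such as `// Match "abiN" first, then the distribution or its family` would document the new branch. filter's body continues outside the hunk.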
@@ -7,7 +7,7 @@ package directive import ( "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestFilterOnly_Apply(t *testing.T) { @@ -78,8 +78,8 @@ func TestFilterOnly_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - cfg.Family = tt.family + prebuild.Distribution = tt.dist + prebuild.Family = tt.family got, err := Directives["only"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterOnly.Apply() error = %v, wantErr %v", err, tt.wantErr) @@ -133,8 +133,8 @@ func TestFilterExclude_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - cfg.Family = tt.family + prebuild.Distribution = tt.dist + prebuild.Family = tt.family got, err := Directives["exclude"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterExclude.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index e0ab9d84e..03dd826e1 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -7,9 +7,10 @@ package directive import ( "fmt" "regexp" + "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) 
@@ -19,29 +20,42 @@ var ( regCleanStakedRules = util.ToRegexRepl([]string{ `(?m)^.*include .*$`, ``, // Remove mandatory base abstraction `(?m)^.*@{exec_path}.*$`, ``, // Remove entry point - `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove transition rules `(?m)^(?:[\t ]*(?:\r?\n))+`, ``, // Remove empty lines }) ) type Stack struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Stack{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "stack", Msg: "Stack directive applied", - Help: Keyword + `stack profiles...`, + Help: []string{"[X] profiles..."}, }, }) } func (s Stack) Apply(opt *Option, profile string) (string, error) { + if len(opt.ArgList) == 0 { + return "", fmt.Errorf("No profile to stack") + } + t := opt.ArgList[0] + if t != "X" { + regCleanStakedRules = slices.Insert(regCleanStakedRules, 0, + util.ToRegexRepl([]string{ + `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove X transition rules + })..., + ) + } else { + delete(opt.ArgMap, t) + } + res := "" for name := range opt.ArgMap { - stackedProfile := util.MustReadFile(cfg.RootApparmord.Join(name)) + stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("No profile found in %s", name) diff --git a/pkg/prebuild/directive/stack_test.go b/pkg/prebuild/directive/stack_test.go index ef603aae6..8f99d6f7a 100644 --- a/pkg/prebuild/directive/stack_test.go +++ b/pkg/prebuild/directive/stack_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestStack_Apply(t *testing.T) { 
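Review bot: Stack.Apply mutates the package-level `regCleanStakedRules` with `slices.Insert` on every call whose first argument is not `X`, so the transition-stripping rule is prepended again on each invocation and, once added, stays in place for later `X` calls that are meant to keep transition rules. Build the rule set locally per call and leave the package variable untouched; the loop that applies the rules lies outside the hunk and would use the local slice (and `slices` becomes unused if nothing else needs it). The return type of `util.ToRegexRepl` is not visible here, so the `append` below assumes it returns a slice of the same element type as `regCleanStakedRules`.
```go
	t := opt.ArgList[0]
	// Per-call rule set: never mutate the package-level regCleanStakedRules.
	cleanRules := regCleanStakedRules
	if t != "X" {
		cleanRules = append(util.ToRegexRepl([]string{
			`(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove X transition rules
		}), regCleanStakedRules...)
	} else {
		delete(opt.ArgMap, t)
	}
	// … unchanged: loop over opt.ArgMap (apply cleanRules where regCleanStakedRules was used) …
```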
@@ -68,7 +68,7 @@ profile parent @{exec_path} { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.RootApparmord = tt.rootApparmord + prebuild.RootApparmord = tt.rootApparmord got, err := Directives["stack"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Stack.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/cfg/directories.go b/pkg/prebuild/directories.go similarity index 76% rename from pkg/prebuild/cfg/directories.go rename to pkg/prebuild/directories.go index 282aa1ad8..cd5958b72 100644 --- a/pkg/prebuild/cfg/directories.go +++ b/pkg/prebuild/directories.go @@ -2,15 +2,18 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import "github.com/roddhjav/apparmor.d/pkg/paths" var ( - // Root is the root directory for the build + // AppArmor ABI version + ABI uint = 0 + + // Root is the root directory for the build (default: .build) Root *paths.Path = paths.New(".build") - // RootApparmord is the final built apparmor.d directory + // RootApparmord is the final built apparmor.d directory (default: .build/apparmor.d) RootApparmord *paths.Path = Root.Join("apparmor.d") // DistDir is the directory where the distribution specific files are stored @@ -28,11 +31,6 @@ var ( // DebianDir is the directory where the debian specific files are stored DebianDir *paths.Path = paths.New("debian") - // AppArmor 4.0 contains several profiles that allow userns and are otherwise - // unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d - // counterpart - Overwrite Overwriter = false - // DebianHide is the path to the debian/apparmor.d.hide file DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")} diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/files.go similarity index 58% rename from pkg/prebuild/cfg/files.go rename to pkg/prebuild/files.go index 6f81d25bc..c14730960 100644 --- a/pkg/prebuild/cfg/files.go 
+++ b/pkg/prebuild/files.go @@ -2,15 +2,12 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( - "fmt" - "os" "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) // Default content of debian/apparmor.d.hide. Whonix has special addition. @@ -31,7 +28,7 @@ func (f Flagger) Read(name string) map[string][]string { return res } - lines := util.MustReadFileAsLines(path) + lines := path.MustReadFilteredFileAsLines() for _, line := range lines { manifest := strings.Split(line, " ") profile := manifest[0] @@ -51,38 +48,7 @@ func (i Ignorer) Read(name string) []string { if !path.Exist() { return []string{} } - return util.MustReadFileAsLines(path) -} - -type Overwriter bool - -// Overwrite upstream profile: disable upstream & rename ours -func (o Overwriter) Apply() error { - const ext = ".apparmor.d" - disableDir := RootApparmord.Join("disable") - if err := disableDir.Mkdir(); err != nil { - return err - } - - path := DistDir.Join("overwrite") - if !path.Exist() { - return fmt.Errorf("%s not found", path) - } - for _, name := range util.MustReadFileAsLines(path) { - origin := RootApparmord.Join(name) - dest := RootApparmord.Join(name + ext) - if err := origin.Rename(dest); err != nil { - return err - } - originRel, err := origin.RelFrom(dest) - if err != nil { - return err - } - if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { - return err - } - } - return nil + return path.MustReadFilteredFileAsLines() } type DebianHider struct { diff --git a/pkg/prebuild/cfg/files_test.go b/pkg/prebuild/files_test.go similarity index 99% rename from pkg/prebuild/cfg/files_test.go rename to pkg/prebuild/files_test.go index b4ce13a1c..24d621fd6 100644 --- a/pkg/prebuild/cfg/files_test.go +++ b/pkg/prebuild/files_test.go 
@@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "reflect" diff --git a/pkg/prebuild/cfg/os.go b/pkg/prebuild/os.go similarity index 99% rename from pkg/prebuild/cfg/os.go rename to pkg/prebuild/os.go index b742a3988..352f4e185 100644 --- a/pkg/prebuild/cfg/os.go +++ b/pkg/prebuild/os.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "os" diff --git a/pkg/prebuild/cfg/os_test.go b/pkg/prebuild/os_test.go similarity index 99% rename from pkg/prebuild/cfg/os_test.go rename to pkg/prebuild/os_test.go index 44aef1074..8f9bd338f 100644 --- a/pkg/prebuild/cfg/os_test.go +++ b/pkg/prebuild/os_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "reflect" diff --git a/pkg/prebuild/prebuild.go b/pkg/prebuild/prebuild.go deleted file mode 100644 index 30bf5c2e6..000000000 --- a/pkg/prebuild/prebuild.go +++ /dev/null 
@@ -1,117 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prebuild - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" - "github.com/roddhjav/apparmor.d/pkg/util" -) - -func init() { - // Define the tasks applied by default - prepare.Register( - "synchronise", - "ignore", - "merge", - "configure", - "setflags", - "systemd-default", - ) - - // Build tasks applied by default - builder.Register("userspace") - builder.Register("dev") - - switch cfg.Distribution { - case "opensuse": - builder.Register("abi3") - cfg.Overwrite = true - - case "ubuntu": - if cfg.Release["VERSION_CODENAME"] == "noble" { - builder.Register("abi3") - cfg.Overwrite = true - } - - case "whonix": - cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure -/etc/apparmor.d/home.tor-browser.firefox -/etc/apparmor.d/tunables/homsanitycheck -/etc/apparmor.d/usr.bin.url_e.d/anondist -/etc/apparmor.d/tunables/home.d/live-mode -/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist -/etc/apparmor.d/usr.bin.hexchat -/etc/apparmor.d/usr.bin.sdwdate -/etc/apparmor.d/usr.bin.systemcheck -/etc/apparmor.d/usr.bin.timeto_unixtime -/etc/apparmor.d/whonix-firewall -` - } -} - -func Prepare() error { - for _, task := range prepare.Prepares { - msg, err := task.Apply() - if err != nil { - return err - } - logging.Success("%s", task.Message()) - logging.Indent = " " - for _, line := range msg { - if strings.Contains(line, "not found") { - logging.Warning("%s", line) - } else { - logging.Bullet("%s", line) - } - } - logging.Indent = "" - } - return nil -} - -func Build() error { - files, _ := 
cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := util.ReadFile(file) - if err != nil { - return err - } - profile, err = builder.Run(file, profile) - if err != nil { - return err - } - profile, err = directive.Run(file, profile) - if err != nil { - return err - } - if err := file.WriteFile([]byte(profile)); err != nil { - return err - } - } - - logging.Success("Build tasks:") - logging.Indent = " " - for _, task := range builder.Builds { - logging.Bullet("%s", task.Message()) - } - logging.Indent = "" - logging.Success("Directives processed:") - logging.Indent = " " - for _, dir := range directive.Directives { - logging.Bullet("%s%s", directive.Keyword, dir.Name()) - } - logging.Indent = "" - return nil -} diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index df4daaeb1..4b8e11ec5 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -7,17 +7,17 @@ package prepare import ( "fmt" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Configure struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Configure{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "configure", Msg: "Set distribution specificities", }, 
@@ -26,41 +26,33 @@ func init() { func (p Configure) Apply() ([]string, error) { res := []string{} - switch cfg.Distribution { + + switch prebuild.Distribution { case "arch", "opensuse": - if cfg.Overwrite { - if err := cfg.Overwrite.Apply(); err != nil { - return res, err - } - } case "ubuntu": - if err := cfg.DebianHide.Init(); err != nil { + if err := prebuild.DebianHide.Init(); err != nil { return res, err } - if cfg.Overwrite { - if err := cfg.Overwrite.Apply(); err != nil { - return res, err - } - } else { - if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { + if prebuild.ABI == 3 { + if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { return res, err } } case "debian", "whonix": - if err := cfg.DebianHide.Init(); err != nil { + if err := prebuild.DebianHide.Init(); err != nil { return res, err } // Copy Debian specific abstractions - if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { + if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { return res, err } default: - return []string{}, fmt.Errorf("%s is not a supported distribution", cfg.Distribution) + return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) } return res, nil diff --git a/pkg/prebuild/prepare/core.go b/pkg/prebuild/prepare/core.go index 3daf19d8b..d96e21043 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/prebuild/prepare/core.go @@ -7,7 +7,7 @@ package prepare import ( "fmt" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -20,7 +20,7 @@ var ( // Main directive interface type Task interface { - cfg.BaseInterface + prebuild.BaseInterface Apply() ([]string, error) } diff --git a/pkg/prebuild/prepare/core_test.go b/pkg/prebuild/prepare/core_test.go index 34071ff30..ea18d2cd8 100644 --- a/pkg/prebuild/prepare/core_test.go 
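Review bot: `case "arch", "opensuse":` in Configure.Apply now has an empty body; in Go that is a deliberate no-op, but a reader cannot tell whether the removed overwrite handling was dropped by accident, so mark it: `case "arch", "opensuse": // nothing distribution-specific here; overwriting is the separate "overwrite" prepare task`. The `debian, whonix` branch copies `DistDir.Join("ubuntu")` under a comment that says "Debian specific abstractions"; if Debian intentionally reuses the ubuntu directory, the comment should say so.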
+++ b/pkg/prebuild/prepare/core_test.go @@ -11,7 +11,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func chdirGitRoot() { @@ -39,7 +39,7 @@ func TestTask_Apply(t *testing.T) { name: "synchronise", task: Tasks["synchronise"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("/groups/_full/systemd")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("/groups/_full/systemd")}, }, { name: "ignore", @@ -51,7 +51,7 @@ func TestTask_Apply(t *testing.T) { name: "merge", task: Tasks["merge"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("aa-log")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("aa-log")}, }, { name: "configure", @@ -64,27 +64,33 @@ func TestTask_Apply(t *testing.T) { wantErr: false, want: "dists/flags/main.flags", }, + { + name: "overwrite", + task: Tasks["overwrite"], + wantErr: false, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("flatpak.apparmor.d")}, + }, { name: "systemd-default", task: Tasks["systemd-default"], wantErr: false, - wantFiles: paths.PathList{cfg.Root.Join("systemd/system/dbus.service")}, + wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/dbus.service")}, }, { name: "systemd-early", task: Tasks["systemd-early"], wantErr: false, - wantFiles: paths.PathList{cfg.Root.Join("systemd/system/pcscd.service")}, + wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/pcscd.service")}, }, { name: "fsp", task: Tasks["fsp"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("systemd")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("systemd")}, }, } chdirGitRoot() - _ = cfg.Root.RemoveAll() + _ = prebuild.Root.RemoveAll() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got, err := tt.task.Apply() diff --git a/pkg/prebuild/prepare/flags.go b/pkg/prebuild/prepare/flags.go index cd6c2f54e..5a851cbe9 100644 
--- a/pkg/prebuild/prepare/flags.go +++ b/pkg/prebuild/prepare/flags.go @@ -9,22 +9,21 @@ import ( "regexp" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {`) + regProfileHeader = regexp.MustCompile(` {\n`) ) type SetFlags struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&SetFlags{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "setflags", Msg: "Set flags on some profiles", }, @@ -33,9 +32,9 @@ func init() { func (p SetFlags) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", cfg.Distribution} { - for profile, flags := range cfg.Flags.Read(name) { - file := cfg.RootApparmord.Join(profile) + for _, name := range []string{"main", prebuild.Distribution} { + for profile, flags := range prebuild.Flags.Read(name) { + file := prebuild.RootApparmord.Join(profile) if !file.Exist() { res = append(res, fmt.Sprintf("Profile %s not found, ignoring", profile)) continue @@ -43,8 +42,8 @@ func (p SetFlags) Apply() ([]string, error) { // Overwrite profile flags if len(flags) > 0 { - flagsStr := " flags=(" + strings.Join(flags, ",") + ") {" - out, err := util.ReadFile(file) + flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" + out, err := file.ReadFileAsString() if err != nil { return res, err } @@ -57,7 +56,7 @@ func (p SetFlags) Apply() ([]string, error) { } } } - res = append(res, cfg.FlagDir.Join(name+".flags").String()) + res = append(res, prebuild.FlagDir.Join(name+".flags").String()) } return res, nil } diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index ac3e05045..1d38ca294 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go 
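Review bot: `regProfileHeader` is now ` {\n` and the replacement string ends in `\n`, so a profile header followed by trailing whitespace, a comment (`{ # ...`) or CRLF line endings no longer matches and silently keeps its old flags; anchoring on the line end, `regexp.MustCompile(`(?m) \{$`)` with the `\n` dropped from `flagsStr`, would cover those cases while still avoiding the mid-line ` {` matches the change appears to target. The ReplaceAll call that uses the pattern lies between the hunks, so check that the replacement form is adjusted together with it. A comment on the variable would record the intent, e.g. `// Match only the profile header's opening brace, not "{" inside rules`.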
@@ -8,17 +8,17 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) type FullSystemPolicy struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&FullSystemPolicy{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "fsp", Msg: "Configure AppArmor for full system policy", }, @@ -29,13 +29,13 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := util.CopyTo(paths.New("apparmor.d/groups/_full/"), cfg.Root.Join("apparmor.d")); err != nil { + if err := paths.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil { return res, err } // Set systemd profile name - path := cfg.RootApparmord.Join("tunables/multiarch.d/system") - out, err := util.ReadFile(path) + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() if err != nil { return res, err } @@ -46,8 +46,8 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = cfg.RootApparmord.Join("abstractions/gstreamer") - out, err = util.ReadFile(path) + path = prebuild.RootApparmord.Join("abstractions/gstreamer") + out, err = path.ReadFileAsString() if err != nil { return res, err } @@ -58,5 +58,5 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Set systemd unit drop-in files - return res, util.CopyTo(cfg.SystemdDir.Join("full"), cfg.Root.Join("systemd")) + return res, paths.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd")) } diff --git a/pkg/prebuild/prepare/ignore.go b/pkg/prebuild/prepare/ignore.go index 92a1498a7..2aece5174 100644 --- a/pkg/prebuild/prepare/ignore.go +++ b/pkg/prebuild/prepare/ignore.go 
@@ -6,16 +6,16 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Ignore struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Ignore{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "ignore", Msg: "Ignore profiles and files from:", }, @@ -24,11 +24,11 @@ func init() { func (p Ignore) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", cfg.Distribution} { - for _, ignore := range cfg.Ignore.Read(name) { - profile := cfg.Root.Join(ignore) + for _, name := range []string{"main", prebuild.Distribution} { + for _, ignore := range prebuild.Ignore.Read(name) { + profile := prebuild.Root.Join(ignore) if profile.NotExist() { - files, err := cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) + files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) if err != nil { return res, err } @@ -43,7 +43,7 @@ func (p Ignore) Apply() ([]string, error) { } } } - res = append(res, cfg.IgnoreDir.Join(name+".ignore").String()) + res = append(res, prebuild.IgnoreDir.Join(name+".ignore").String()) } return res, nil } diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go index 86a2ceade..d2c720003 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/prebuild/prepare/merge.go @@ -9,18 +9,18 @@ import ( "path/filepath" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Merge struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Merge{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "merge", - Msg: "Merge all profiles into a unified apparmor.d directory", + Msg: "Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory", }, }) } 
@@ -35,18 +35,18 @@ func (p Merge) Apply() ([]string, error) { idx := 0 for idx < len(dirToMerge)-1 { dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1] - files, err := filepath.Glob(cfg.RootApparmord.Join(dirMoved).String()) + files, err := filepath.Glob(prebuild.RootApparmord.Join(dirMoved).String()) if err != nil { return res, err } for _, file := range files { - err := os.Rename(file, cfg.RootApparmord.Join(filepath.Base(file)).String()) + err := os.Rename(file, prebuild.RootApparmord.Join(filepath.Base(file)).String()) if err != nil { return res, err } } - files, err = filepath.Glob(cfg.RootApparmord.Join(dirRemoved).String()) + files, err = filepath.Glob(prebuild.RootApparmord.Join(dirRemoved).String()) if err != nil { return []string{}, err } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go new file mode 100644 index 000000000..6f8951161 --- /dev/null +++ b/pkg/prebuild/prepare/overwrite.go 
@@ -0,0 +1,66 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package prepare
+
+import (
+ "fmt"
+ "os"
+
+ "github.com/roddhjav/apparmor.d/pkg/prebuild"
+)
+
+const ext = ".apparmor.d"
+
+type Overwrite struct {
+ prebuild.Base
+ OneFile bool
+}
+
+func init() {
+ RegisterTask(&Overwrite{
+ Base: prebuild.Base{
+ Keyword: "overwrite",
+ Msg: "Overwrite dummy upstream profiles",
+ },
+ OneFile: false,
+ })
+}
+
+func (p Overwrite) Apply() ([]string, error) {
+ res := []string{}
+ if prebuild.ABI == 3 {
+ return res, nil
+ }
+
+ disableDir := prebuild.RootApparmord.Join("disable")
+ if err := disableDir.Mkdir(); err != nil {
+ return res, err
+ }
+
+ path := prebuild.DistDir.Join("overwrite")
+ if !path.Exist() {
+ return res, fmt.Errorf("%s not found", path)
+ }
+ for _, name := range path.MustReadFilteredFileAsLines() {
+ origin := prebuild.RootApparmord.Join(name)
+ dest := prebuild.RootApparmord.Join(name + ext)
+ if !dest.Exist() && p.OneFile {
+ continue
+ }
+ if err := origin.Rename(dest); err != nil {
+
+ return res, err
+ }
+ originRel, err := origin.RelFrom(dest)
+ if err != nil {
+ return res, err
+ }
+ if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil {
+ return res, err
+ }
+ }
+
+ return res, nil
+}
diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go
index e2b5dacd6..b272388c7 100644
--- a/pkg/prebuild/prepare/synchronise.go
+++ b/pkg/prebuild/prepare/synchronise.go
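Review bot: In Overwrite.Apply the `OneFile` branch skips only when `dest` is missing, but when the task runs against an existing build tree the other listed profiles have already been renamed, so `origin` no longer exists and `origin.Rename(dest)` presumably fails, and `os.Symlink` returns EEXIST for a `disable/<name>` link created by the earlier full run; guarding with `if !origin.Exist() { continue }` and tolerating an existing link look necessary for the single-file mode to work, to be confirmed against what Rename does for a missing source. The blank line inside the `if err := origin.Rename(dest)` block should go. `ext` is a package-wide constant in `prepare` with a very generic name; `overwriteExt`, or a comment such as `// ext is appended to a listed upstream profile's name so the apparmor.d version can take its place`, would avoid confusion. A doc comment on the type would also help: `// Overwrite renames the upstream profiles listed in DistDir/overwrite to <name>.apparmor.d and links them under disable/ (skipped on ABI 3).`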
@@ -6,35 +6,52 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Synchronise struct { - cfg.Base + prebuild.Base + Path string } func init() { RegisterTask(&Synchronise{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, + Path: "", }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{cfg.RootApparmord, cfg.Root.Join("root"), cfg.Root.Join("systemd")} + dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("share"), prebuild.Root.Join("systemd")} for _, dir := range dirs { if err := dir.RemoveAll(); err != nil { return res, err } } - for _, name := range []string{"apparmor.d", "root"} { - if err := util.CopyTo(paths.New(name), cfg.Root.Join(name)); err != nil { + if p.Path == "" { + for _, name := range []string{"apparmor.d", "share"} { + if err := paths.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { + return res, err + } + } + } else { + file := paths.New(p.Path) + destination, err := file.RelFrom(paths.New("apparmor.d")) + if err != nil { return res, err } + destination = prebuild.RootApparmord.JoinPath(destination) + if err := destination.Parent().MkdirAll(); err != nil { + return res, err + } + if err := file.CopyTo(destination); err != nil { + return res, err + } + res = append(res, destination.String()) } return res, nil } diff --git a/pkg/prebuild/prepare/systemd.go b/pkg/prebuild/prepare/systemd.go index 5681783ce..b7646e4bf 100644 --- a/pkg/prebuild/prepare/systemd.go +++ b/pkg/prebuild/prepare/systemd.go 
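Review bot: In the `p.Path != ""` branch of `Synchronise.Apply`, `file.RelFrom(paths.New("apparmor.d"))` is used unchecked, so a path outside `apparmor.d/` (absolute, or containing `..`) yields a relative path starting with `..` and `file.CopyTo(destination)` then writes outside `prebuild.RootApparmord`. The path is a developer-supplied argument, so this is a robustness rather than an exploit concern, but a guard keeps the build tree contained: `if strings.HasPrefix(destination.String(), "..") { return res, fmt.Errorf("%s is not inside apparmor.d/", p.Path) }` placed before `destination = prebuild.RootApparmord.JoinPath(destination)`; `fmt` and `strings` would need adding to the import block that this hunk rewrites. The single-file branch also appends to `res` while the full-copy branch never does, which deserves a sentence in the method's comment so callers know the returned list is only populated in single-file mode.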
@@ -5,27 +5,27 @@ package prepare import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type SystemdDefault struct { - cfg.Base + prebuild.Base } type SystemdEarly struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&SystemdDefault{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "systemd-default", Msg: "Configure systemd unit drop in files to a profile for some units", }, }) RegisterTask(&SystemdEarly{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "systemd-early", Msg: "Configure systemd unit drop in files to ensure some service start after apparmor", }, @@ -33,9 +33,9 @@ func init() { } func (p SystemdDefault) Apply() ([]string, error) { - return []string{}, util.CopyTo(cfg.SystemdDir.Join("default"), cfg.Root.Join("systemd")) + return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd")) } func (p SystemdEarly) Apply() ([]string, error) { - return []string{}, util.CopyTo(cfg.SystemdDir.Join("early"), cfg.Root.Join("systemd")) + return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("early"), prebuild.Root.Join("systemd")) } diff --git a/pkg/util/slice.go b/pkg/util/slice.go new file mode 100644 index 000000000..defd9703a --- /dev/null +++ b/pkg/util/slice.go 
@@ -0,0 +1,81 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element. +func RemoveDuplicate[T comparable](inlist []T) []T { + var empty T + list := []T{} + seen := map[T]bool{} + seen[empty] = true + for _, item := range inlist { + if _, ok := seen[item]; !ok { + seen[item] = true + list = append(list, item) + } + } + return list +} + +// Intersect returns the intersection between two collections. +// From https://github.com/samber/lo +func Intersect[T comparable](list1 []T, list2 []T) []T { + result := []T{} + seen := map[T]struct{}{} + + for _, elem := range list1 { + seen[elem] = struct{}{} + } + + for _, elem := range list2 { + if _, ok := seen[elem]; ok { + result = append(result, elem) + } + } + + return result +} + +// Flatten returns an array a single level deep. +// From https://github.com/samber/lo +func Flatten[T comparable](collection [][]T) []T { + totalLen := 0 + for i := range collection { + totalLen += len(collection[i]) + } + + result := make([]T, 0, totalLen) + for i := range collection { + result = append(result, collection[i]...) + } + + return result +} + +// Invert creates a map composed of the inverted keys and values. If map +// contains duplicate values, subsequent values overwrite property assignments +// of previous values. +// Play: https://go.dev/play/p/rFQ4rak6iA1 +func Invert[K comparable, V comparable](in map[K]V) map[V]K { + out := make(map[V]K, len(in)) + + for k := range in { + out[in[k]] = k + } + + return out +} + +func InvertFlatten[V comparable](in map[V][]V) map[V]V { + out := make(map[V]V, len(in)) + + for k := range in { + for _, v := range in[k] { + out[v] = k + } + } + + return out +} diff --git a/pkg/util/slice_test.go b/pkg/util/slice_test.go new file mode 100644 index 000000000..11f05a711 --- /dev/null +++ b/pkg/util/slice_test.go 
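Review bot: `InvertFlatten` is the only exported function in this file without a doc comment; add one such as `// InvertFlatten maps every element of each value slice back to its key. On duplicate elements the last key seen wins.` `Flatten` constrains `T comparable` although it never compares elements, so `T any` would also admit slices of structs or of slices. The `Play:` link above `Invert` was copied from samber/lo and points at that library's playground rather than this code, so it should be dropped or replaced by a `From https://github.com/samber/lo` line like the neighbours. `Invert` reads more naturally as `for k, v := range in { out[v] = k }` instead of re-indexing `in[k]`.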
@@ -0,0 +1,120 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +import ( + "reflect" + "testing" +) + +func TestRemoveDuplicate(t *testing.T) { + tests := []struct { + name string + inlist []string + want []string + }{ + { + name: "Duplicate", + inlist: []string{"foo", "bar", "foo", "bar", ""}, + want: []string{"foo", "bar"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) { + t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestIntersect(t *testing.T) { + tests := []struct { + name string + list1 []int + list2 []int + want []int + }{ + { + name: "1", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{0, 2}, + want: []int{0, 2}, + }, + { + name: "2", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{0, 6}, + want: []int{0}, + }, + { + name: "3", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{-1, 6}, + want: []int{}, + }, + { + name: "4", + list1: []int{0, 6}, + list2: []int{0, 1, 2, 3, 4, 5}, + want: []int{0}, + }, + { + name: "5", + list1: []int{0, 6, 0}, + list2: []int{0, 1, 2, 3, 4, 5}, + want: []int{0}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Intersect() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestFlatten(t *testing.T) { + tests := []struct { + name string + input [][]int + want []int + }{ + { + name: "1", + input: [][]int{{0, 1}, {2, 3, 4, 5}}, + want: []int{0, 1, 2, 3, 4, 5}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Flatten(tt.input); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Intersect() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestInvert(t *testing.T) { + tests := []struct { + name string + input map[string]int + want 
map[int]string + }{ + { + name: "1", + input: map[string]int{"a": 1, "b": 2}, + want: map[int]string{1: "a", 2: "b"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Invert(tt.input); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Invert() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/pkg/util/tools.go b/pkg/util/tools.go index 30d5251d6..749a97e62 100644 --- a/pkg/util/tools.go +++ b/pkg/util/tools.go @@ -7,10 +7,6 @@ package util import ( "encoding/hex" "regexp" - "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" ) var ( 
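Review bot: `TestFlatten` reports failures as `Intersect() = %v, want %v`, a copy-paste slip that will misdirect whoever reads a failing run; it should read `t.Errorf("Flatten() = %v, want %v", got, tt.want)`. `InvertFlatten` gets no test at all, and `TestInvert` does not cover the documented last-write-wins behaviour on duplicate values. Since `reflect.DeepEqual` distinguishes `nil` from `[]int{}`, case `3` of `TestIntersect` only passes because `Intersect` allocates `result := []T{}`; a short comment on that table entry would stop a future "simplification" to a nil return from breaking it silently.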
@@ -67,95 +63,7 @@ func DecodeHexInString(str string) string { return str } -// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element. -func RemoveDuplicate[T comparable](inlist []T) []T { - var empty T - list := []T{} - seen := map[T]bool{} - seen[empty] = true - for _, item := range inlist { - if _, ok := seen[item]; !ok { - seen[item] = true - list = append(list, item) - } - } - return list -} - -// Intersect returns the intersection between two collections. -// From https://github.com/samber/lo -func Intersect[T comparable](list1 []T, list2 []T) []T { - result := []T{} - seen := map[T]struct{}{} - - for _, elem := range list1 { - seen[elem] = struct{}{} - } - - for _, elem := range list2 { - if _, ok := seen[elem]; ok { - result = append(result, elem) - } - } - - return result -} - -// CopyTo recursivelly copy all files from a source path to a destination path. -func CopyTo(src *paths.Path, dst *paths.Path) error { - files, err := src.ReadDirRecursiveFiltered(nil, - paths.FilterOutDirectories(), - paths.FilterOutNames("README.md"), - ) - if err != nil { - return err - } - for _, file := range files { - destination, err := file.RelFrom(src) - if err != nil { - return err - } - destination = dst.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return err - } - if err := file.CopyTo(destination); err != nil { - return err - } - } - return nil -} - // Filter out comments and empty line from a string func Filter(src string) string { return regFilter.Replace(src) } - -// ReadFile read a file and return its content as a string. -func ReadFile(path *paths.Path) (string, error) { - content, err := path.ReadFile() - if err != nil { - return "", err - } - return string(content), nil -} - -// MustReadFile read a file and return its content as a string. Panic if an error occurs. 
-func MustReadFile(path *paths.Path) string { - content, err := path.ReadFile() - if err != nil { - panic(err) - } - return string(content) -} - -// MustReadFileAsLines read a file and return its content as a slice of string. -// It panics if an error occurs and filter out comments and empty lines. -func MustReadFileAsLines(path *paths.Path) []string { - res := strings.Split(Filter(MustReadFile(path)), "\n") - if slices.Contains(res, "") { - idx := slices.Index(res, "") - res = slices.Delete(res, idx, idx+1) - } - return res -} diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go index 4d5cade6a..e8b2bb837 100644 --- a/pkg/util/tools_test.go +++ b/pkg/util/tools_test.go @@ -8,8 +8,6 @@ import ( "reflect" "regexp" "testing" - - "github.com/roddhjav/apparmor.d/pkg/paths" ) func TestDecodeHexInString(t *testing.T) { 
@@ -38,74 +36,6 @@ func TestDecodeHexInString(t *testing.T) { } } -func TestRemoveDuplicate(t *testing.T) { - tests := []struct { - name string - inlist []string - want []string - }{ - { - name: "Duplicate", - inlist: []string{"foo", "bar", "foo", "bar", ""}, - want: []string{"foo", "bar"}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) { - t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want) - } - }) - } -} - -func TestIntersect(t *testing.T) { - tests := []struct { - name string - list1 []int - list2 []int - want []int - }{ - { - name: "1", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{0, 2}, - want: []int{0, 2}, - }, - { - name: "2", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{0, 6}, - want: []int{0}, - }, - { - name: "3", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{-1, 6}, - want: []int{}, - }, - { - name: "4", - list1: []int{0, 6}, - list2: []int{0, 1, 2, 3, 4, 5}, - want: []int{0}, - }, - { - name: "5", - list1: []int{0, 6, 0}, - list2: []int{0, 1, 2, 3, 4, 5}, - want: []int{0}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) { - t.Errorf("Intersect() = %v, want %v", got, tt.want) - } - }) - } -} - func TestToRegexRepl(t *testing.T) { tests := []struct { name string 
@@ -158,47 +88,6 @@ func TestRegexReplList_Replace(t *testing.T) { } } -func TestCopyTo(t *testing.T) { - tests := []struct { - name string - src *paths.Path - dst *paths.Path - wantErr bool - }{ - { - name: "default", - src: paths.New("../../apparmor.d/groups/_full/"), - dst: paths.New("/tmp/test/apparmor.d/groups/_full/"), - wantErr: false, - }, - { - name: "issue-source", - src: paths.New("../../apparmor.d/groups/nope/"), - dst: paths.New("/tmp/test/apparmor.d/groups/_full/"), - wantErr: true, - }, - // { - // name: "issue-dest-1", - // src: paths.New("../../apparmor.d/groups/_full/"), - // dst: paths.New("/"), - // wantErr: true, - // }, - // { - // name: "issue-dest-2", - // src: paths.New("../../apparmor.d/groups/_full/"), - // dst: paths.New("/_full/"), - // wantErr: true, - // }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if err := CopyTo(tt.src, tt.dst); (err != nil) != tt.wantErr { - t.Errorf("CopyTo() error = %v, wantErr %v", err, tt.wantErr) - } - }) - } -} - func Test_Filter(t *testing.T) { tests := []struct { name string diff --git a/requirements.txt b/requirements.txt index 8be8158d5..d30bccf19 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ mkdocs +mkdocs-git-committers-plugin-2 mkdocs-git-revision-date-localized-plugin mkdocs-material mkdocs-minify-plugin diff --git a/root/usr/share/bash-completion/completions/aa-log b/share/bash-completion/completions/aa-log similarity index 100% rename from root/usr/share/bash-completion/completions/aa-log rename to share/bash-completion/completions/aa-log diff --git a/root/usr/share/libalpm/hooks/apparmor.hook b/share/libalpm/hooks/apparmor.hook similarity index 100% rename from root/usr/share/libalpm/hooks/apparmor.hook rename to share/libalpm/hooks/apparmor.hook diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 new file mode 100644 index 000000000..42c9a3560 --- /dev/null +++ b/share/man/man8/aa-log.8 
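Review bot: `mkdocs-git-committers-plugin-2` is added to `requirements.txt` unpinned, like the existing entries, so the docs build installs whatever version `pip` resolves on the day it runs. Pinning (`mkdocs-git-committers-plugin-2==x.y.z`, or better a lock produced with `pip-compile --generate-hashes` and installed with `--require-hashes`) makes the build reproducible and limits exposure to a compromised or yanked release. The same applies to the other four lines, but this is the one that changes here.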
@@ -0,0 +1,79 @@ +.\" Automatically generated by Pandoc 3.1.9 +.\" +.TH "aa-log" "8" "September 2024" "" "" +.SH NAME +aa-log \[em] Review AppArmor generated messages in a colorful way. +.SH SYNOPSIS +\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +.SH DESCRIPTION +Review AppArmor generated messages in a colourful way. +Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] +as well as \f[I]dbus session\f[R] events. +.PP +It can be given an optional profile name to filter the output with. +.PP +It can be used to generate AppArmor rules from the logs and it therefore +an alternative to \f[CR]aa-logprof(8)\f[R]. +The generated rules should be manually reviewed and inserted into the +profile. +.PP +Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. +Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: +\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R] +.SH OPTIONS +\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +.TP +[\f[I]profile\f[R]] +Optional profile name to filter the output with. +.TP +\f[CR]--file\f[R], \f[CR]-f\f[R] +Set a logfile or a suffix to the default log file. +.TP +\f[CR]--systemd\f[R], \f[CR]-s\f[R] +Parse systemd logs from journalctl. +Provides all AppArmor logs since the last boot. +.TP +\f[CR]--rules\f[R], \f[CR]-r\f[R] +Convert the log into AppArmor rules. +.TP +\f[CR]--raw\f[R], \f[CR]-R\f[R] +Print the raw log without any formatting. +Useful for reporting logs. +.TP +\f[CR]--help\f[R], \f[CR]-h\f[R] +Print the program usage. 
+.SH USAGE +To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: +.IP +.EX +aa-log +.EE +.PP +To optionally filter a given profile name: +\f[CR]aa-log \f[R] (your shell will autocomplete the +profile name): +.IP +.EX +$ aa-log dnsmasq +DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r +.EE +.PP +To generate AppArmor rule: +.IP +.EX +$ aa-log -r dnsmasq +profile dnsmasq { + \[at]{PROC}/\[at]{pid}/environ r, + \[at]{PROC}/cmdline r, + \[at]{PROC}/sys/kernel/osrelease r, +} +.EE +.SH SEE ALSO +\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R], +\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R], +\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io. +.SH AUTHORS +aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io). diff --git a/share/man/man8/aa-log.md b/share/man/man8/aa-log.md new file mode 100644 index 000000000..0b7fe8afa --- /dev/null +++ b/share/man/man8/aa-log.md 
@@ -0,0 +1,80 @@ +% aa-log(8) +% aa-log was written by Alexandre Pujol (alexandre@pujol.io) +% September 2024 + +# NAME + +aa-log — Review AppArmor generated messages in a colorful way. + +# SYNOPSIS + +**aa-log** [*options…*] [*profile*] + +# DESCRIPTION + +Review AppArmor generated messages in a colourful way. Support logs from *auditd*, *systemd*, *syslog* as well as *dbus session* events. + +It can be given an optional profile name to filter the output with. + +It can be used to generate AppArmor rules from the logs and it therefore an alternative to `aa-logprof(8)`. The generated rules should be manually reviewed and inserted into the profile. + +Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/audit/` can easily be checked: **aa-log -f 1** parses `audit.log.1` + +# OPTIONS + +**aa-log** [*options…*] [*profile*] + +[*profile*] + +: Optional profile name to filter the output with. + +`--file`, `-f` + +: Set a logfile or a suffix to the default log file. + +`--systemd`, `-s` + +: Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. + +`--rules`, `-r` + +: Convert the log into AppArmor rules. + +`--raw`, `-R` + +: Print the raw log without any formatting. Useful for reporting logs. + +`--help`, `-h` + +: Print the program usage. 
+ + +# USAGE + +To read the AppArmor log from `/var/log/audit/audit.log`: +```sh +aa-log +``` + +To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): +``` +$ aa-log dnsmasq +DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r +``` + +To generate AppArmor rule: +``` +$ aa-log -r dnsmasq +profile dnsmasq { + @{PROC}/@{pid}/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, +} +``` + +# SEE ALSO + +`aa-logprof(8)`, `apparmor(7)`, `apparmor.d(5)`, `aa-genprof(1)`, `aa-enforce(1)`, `aa-complain(1)`, `aa-disable(1)`, and +https://apparmor.pujol.io. diff --git a/root/usr/share/zsh/site-functions/_aa-log.zsh b/share/zsh/site-functions/_aa-log.zsh similarity index 100% rename from root/usr/share/zsh/site-functions/_aa-log.zsh rename to share/zsh/site-functions/_aa-log.zsh diff --git a/systemd/default/system/dbus-broker.service b/systemd/default/system/dbus-broker.service index 8d3ed8b73..899828b40 100644 --- a/systemd/default/system/dbus-broker.service +++ b/systemd/default/system/dbus-broker.service @@ -1,2 +1,5 @@ +[Unit] +After=apparmor.service + [Service] AppArmorProfile=dbus-system diff --git a/systemd/default/system/dbus.service b/systemd/default/system/dbus.service index 8d3ed8b73..899828b40 100644 --- a/systemd/default/system/dbus.service +++ b/systemd/default/system/dbus.service @@ -1,2 +1,5 @@ +[Unit] +After=apparmor.service + [Service] AppArmorProfile=dbus-system diff --git a/tests/Makefile b/tests/Makefile index de4a15f78..8bf5f6182 100644 --- a/tests/Makefile +++ b/tests/Makefile 
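Review bot: `After=apparmor.service` in the `dbus-broker.service` drop-in (and the identical `dbus.service` one) only orders the two units; it does not make systemd start `apparmor.service`, so on a system where that unit is disabled or masked the bus still starts with `AppArmorProfile=dbus-system` before any profile has been loaded. If the profile must be present, `Wants=apparmor.service` next to `After=` expresses that; if ordering alone is the goal, a comment saying so helps, e.g. `# Load the dbus-system profile before the bus starts`. I cannot tell from these hunks whether apparmor.d guarantees elsewhere that `apparmor.service` is enabled, so treat the `Wants=` suggestion as something to confirm.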
@@ -21,7 +21,7 @@ $(BASE): @make --directory=../ package dist=${@} @packer build -force -var version=${VERSION} \ -var disk_size=${disk} -var flavor="${flavor}" \ - -only=qemu.${@}-${flavor} packer/ + -only=qemu.${@} packer/ lint: @packer fmt --check packer/ diff --git a/tests/Vagrantfile b/tests/Vagrantfile index fce3a3f0d..4bdaac985 100644 --- a/tests/Vagrantfile +++ b/tests/Vagrantfile @@ -53,7 +53,7 @@ Vagrant.configure("2") do |config| libvirt.redirdev :type => "spicevmc" end if instance.fetch('uefi', default['uefi']) - libvirt.loader = '/usr/share/edk2-ovmf/x64/OVMF_CODE.fd' + libvirt.loader = '/usr/share/edk2/x64/OVMF_CODE.fd' end end diff --git a/tests/boxes.yml b/tests/boxes.yml index 9846342c5..ef037e07f 100644 --- a/tests/boxes.yml +++ b/tests/boxes.yml @@ -2,7 +2,7 @@ defaults: uefi: true - ram: '6144' + ram: '4096' cpu: '6' boxes: @@ -14,6 +14,14 @@ boxes: box: aa-archlinux-kde uefi: false + - name: arch-xfce + box: aa-archlinux-xfce + uefi: false + + - name: arch-cosmic + box: aa-archlinux-cosmic + uefi: false + - name: arch-server box: aa-archlinux-server uefi: false diff --git a/tests/check.sh b/tests/check.sh new file mode 100644 index 000000000..71fc244ab --- /dev/null +++ b/tests/check.sh 
@@ -0,0 +1,169 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: make check +# shellcheck disable=SC2044 + +set -eu -o pipefail + +readonly APPARMORD="apparmor.d" +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) + +_die() { + echo " ✗ $*" + exit 1 +} + +_ensure_header() { + local file="$1" + for header in "${HEADERS[@]}"; do + if ! grep -q "^$header" "$file"; then + _die "$file does not contain '$header'" + fi + done +} + +_ensure_indentation() { + local file="$1" + local in_profile=false + local first_line_after_profile=true + local line_number=0 + + while IFS= read -r line; do + line_number=$((line_number + 1)) + + if [[ "$line" =~ $'\t' ]]; then + _die "$file:$line_number: tabs are not allowed." + fi + + if [[ "$line" =~ ^profile ]]; then + in_profile=true + first_line_after_profile=true + + elif $in_profile; then + if $first_line_after_profile; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _die "$file: profile must have a two-space indentation." + fi + first_line_after_profile=false + + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break + fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! $ok; then + _die "$file:$line_number: invalid indentation." + fi + fi + fi + fi + done <"$file" +} + +_ensure_include() { + local file="$1" + local include="$2" + if ! grep -q "^ *${include}$" "$file"; then + _die "$file does not contain '$include'" + fi +} + +_ensure_abi() { + local file="$1" + if ! 
grep -q "^ *abi ," "$file"; then + _die "$file does not contain 'abi ,'" + fi +} + +_ensure_vim() { + local file="$1" + if ! grep -q "^# vim:syntax=apparmor" "$file"; then + _die "$file does not contain '# vim:syntax=apparmor'" + fi +} + +check_profiles() { + echo " ⋅ Checking if all profiles contain:" + echo " - apparmor.d header & license" + echo " - Check indentation: 2 spaces" + echo " - 'abi ,'" + echo " - 'profile '" + echo " - 'include if exists '" + echo " - include if exists local for subprofiles" + echo " - vim:syntax=apparmor" + directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") + # shellcheck disable=SC2068 + for dir in ${directories[@]}; do + for file in $(find "$dir" -maxdepth 1 -type f); do + case "$file" in */README.md) continue ;; esac + name="$(basename "$file")" + name="${name/.apparmor.d/}" + include="include if exists " + _ensure_header "$file" + _ensure_indentation "$file" + _ensure_include "$file" "$include" + _ensure_abi "$file" + _ensure_vim "$file" + if ! grep -q "^profile $name" "$file"; then + _die "$name does not contain 'profile $name'" + fi + mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') + for subprofile in "${subrofiles[@]}"; do + include="include if exists " + if ! 
grep -q "^ *${include}$" "$file"; then + _die "$name: $name//$subprofile does not contain '$include'" + fi + done + done + done +} + +check_abstractions() { + echo " ⋅ Checking if all abstractions contain:" + echo " - apparmor.d header & license" + echo " - Check indentation: 2 spaces" + echo " - 'abi ,'" + echo " - 'include if exists '" + echo " - vim:syntax=apparmor" + directories=( + "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" + "$APPARMORD/abstractions/attached/" + "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" + ) + for dir in "${directories[@]}"; do + for file in $(find "$dir" -maxdepth 1 -type f); do + name="$(basename "$file")" + root="${dir/${APPARMORD}\/abstractions\//}" + include="include if exists " + _ensure_header "$file" + _ensure_indentation "$file" + _ensure_include "$file" "$include" + _ensure_abi "$file" + _ensure_vim "$file" + done + done +} + +check_profiles +check_abstractions diff --git a/tests/cmd/main.go b/tests/cmd/main.go index de1d27561..19dd1cf0d 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go 
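Review bot: In `check_profiles` the subprofile scan `grep "^ *profile*"` does not match what it means to: `profile*` is `profil` followed by zero or more `e`, so it matches any line starting with `profil` and also picks up the top-level `profile $name` line itself; `grep -E "^ +profile "` (indented, followed by a space) selects only nested profiles. In `_ensure_indentation` the `for offset in 5 11` loop subtracts from `num_spaces` cumulatively, so the second pass tests `num_spaces - 16` rather than `num_spaces - 11`; if the two offsets are meant as alternatives, compute `rest=$((num_spaces - offset))` each iteration instead of mutating `num_spaces`. `ok` is assigned without `local`, unlike the neighbouring variables, and leaks out of the function. The `for file in $(find ...)` loops word-split file names, which is why SC2044 had to be silenced; `while IFS= read -r file; do …; done < <(find "$dir" -maxdepth 1 -type f)` avoids both the splitting and the suppression.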
@@ -8,171 +8,76 @@ import ( "flag" "fmt" "os" - "os/exec" - "strings" - "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - bcfg "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/tests/integration" ) -const usage = `aa-test [-h] [--bootstrap | --run | --list] +const usage = `aa-test [-h] --bootstrap Integration tests manager tool for apparmor.d Options: -h, --help Show this help message and exit. - -b, --bootstrap Bootstrap tests using tldr pages. - -r, --run Run a predefined list of tests. - -l, --list List the configured tests. - -f, --file FILE Set a tests file. Default: tests/tests.yml - -d, --deps Install tests dependencies. - -D, --dryrun Do not do the action, list it. + -b, --bootstrap Download tests using tldr pages and generate Bats tests. ` var ( help bool bootstrap bool - run bool - list bool - deps bool - dryRun bool - cfg Config ) -type Config struct { - TldrDir *paths.Path // Default: tests/tldr - ScenariosDir *paths.Path // Default: tests - TldrFile *paths.Path // Default: tests/tldr.yml - TestsFile *paths.Path // Default: tests/tests.yml - SettingsFile *paths.Path // Default: tests/settings.yml - Profiles paths.PathList // List of profiles -} - -func NewConfig() Config { - cfg := Config{ - TldrDir: paths.New("tests/tldr"), - ScenariosDir: paths.New("tests/"), - Profiles: paths.PathList{}, - } - cfg.TldrFile = cfg.ScenariosDir.Join("tldr.yml") - cfg.TestsFile = cfg.ScenariosDir.Join("tests.yml") - cfg.SettingsFile = cfg.ScenariosDir.Join("settings.yml") - return cfg -} - -func LoadTestSuite() (*integration.TestSuite, error) { - tSuite := integration.NewTestSuite() - if err := tSuite.ReadTests(cfg.TestsFile); err != nil { - return tSuite, err - } - if err := tSuite.ReadSettings(cfg.SettingsFile); err != nil { - return tSuite, err - } - return tSuite, nil -} - func init() { - cfg = NewConfig() - files, _ := 
aa.MagicRoot.ReadDir(paths.FilterOutDirectories()) - for _, path := range files { - cfg.Profiles.Add(path) - } - flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&bootstrap, "b", false, "Bootstrap tests using tldr pages.") - flag.BoolVar(&bootstrap, "bootstrap", false, "Bootstrap tests using tldr pages.") - flag.BoolVar(&run, "r", false, "Run a predefined list of tests.") - flag.BoolVar(&run, "run", false, "Run a predefined list of tests.") - flag.BoolVar(&list, "l", false, "List the tests to run.") - flag.BoolVar(&list, "list", false, "List the tests to run.") - flag.BoolVar(&deps, "d", false, "Install tests dependencies.") - flag.BoolVar(&deps, "deps", false, "Install tests dependencies.") - flag.BoolVar(&dryRun, "D", false, "Do not do the action, list it.") - flag.BoolVar(&dryRun, "dryrun", false, "Do not do the action, list it.") + flag.BoolVar(&bootstrap, "b", false, "Download tests using tldr pages and generate Bats tests.") + flag.BoolVar(&bootstrap, "bootstrap", false, "Download tests using tldr pages and generate Bats tests.") } -func testDownload() error { - tldr := integration.NewTldr(cfg.TldrDir) +type Config struct { + TestsDir *paths.Path // Default: tests + TldrDir *paths.Path // Default: tests/tldr + TldrFile *paths.Path // Default: tests/tldr.yml + TestsFile *paths.Path // Default: tests/tests.yml + BatsDir *paths.Path // Default: tests/bats +} + +func NewConfig() *Config { + testsDir := paths.New("tests") + cfg := Config{ + TestsDir: testsDir, + TldrDir: testsDir.Join("tldr"), + TldrFile: testsDir.Join("tldr.yml"), + TestsFile: testsDir.Join("tldr.yml"), + BatsDir: testsDir.Join("bats_dirty"), + } + return &cfg +} + +func run() error { + logging.Step("Bootstraping tests") + cfg := NewConfig() + + tldr := NewTldr(cfg.TldrDir) if err := tldr.Download(); err != nil { return err } - tSuite, err := tldr.Parse() + tests, err := tldr.Parse() if err != 
nil { return err } + tests = tests.Filter() - // Default bootstraped scenarios file - if err := tSuite.Write(cfg.TldrFile); err != nil { - return err - } - logging.Bullet("Default scenarios saved: %s", cfg.TldrFile) - logging.Bullet("Number of tests found %d", len(tSuite.Tests)) - return nil -} - -func testDeps(dryRun bool) error { - tSuite, err := LoadTestSuite() - if err != nil { - return nil - } - - deps := tSuite.GetDependencies() - switch bcfg.Distribution { - case "arch": - arg := []string{"pacman", "-Sy", "--noconfirm"} - arg = append(arg, deps...) - cmd := exec.Command("sudo", arg...) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - if dryRun { - fmt.Println(strings.Join(cmd.Args, " ")) - } else { - return cmd.Run() - } - default: - } - return nil -} - -func testRun(dryRun bool) error { - // Warning: There is no guarantee that the tests are not destructive - if dryRun { - logging.Step("List tests") - } else { - logging.Step("Run tests") - } - - tSuite, err := LoadTestSuite() - if err != nil { - return nil - } - integration.Arguments = tSuite.Arguments - integration.Ignore = tSuite.Ignore - integration.Profiles = cfg.Profiles - nbCmd := 0 - nbTest := 0 - for _, test := range tSuite.Tests { - ran, nb, err := test.Run(dryRun) - nbTest += ran - nbCmd += nb - if err != nil { + for _, test := range tests { + if err := test.Write(cfg.BatsDir); err != nil { return err } } - if dryRun { - logging.Bullet("Number of tests to run %d", nbTest) - logging.Bullet("Number of test commands to run %d", nbCmd) - } else { - logging.Success("Number of tests ran %d", nbTest) - logging.Success("Number of test command to ran %d", nbCmd) - } + logging.Bullet("Bats tests directory: %s", cfg.BatsDir) + logging.Bullet("Number of tests found %d", len(tests)) return nil } 
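Review bot: `NewConfig` sets `TestsFile: testsDir.Join("tldr.yml")` while its comment says `// Default: tests/tests.yml` and `TldrFile` already points at `tldr.yml`; one of the two is wrong, and `TestsFile` is not read anywhere in this hunk. `BatsDir` is likewise documented as `tests/bats` but set to `tests/bats_dirty`. Either fix the values (`TestsFile: testsDir.Join("tests.yml")`) or correct the comments, and if `bats_dirty` is deliberate, say why, e.g. `// BatsDir holds generated, not yet reviewed tests`. The old `testRun` carried the warning that the tests may be destructive; `run` now downloads third-party tldr pages and writes their commands into executable Bats files, so that warning belongs on `run` as `// Generated tests are unreviewed upstream commands; only run them in a disposable VM.`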
@@ -184,19 +89,13 @@ func main() { os.Exit(0) } - var err error - if bootstrap { - logging.Step("Bootstraping tests") - err = testDownload() - } else if run || list { - err = testRun(list) - } else if deps { - err = testDeps(dryRun) - } else { + if !bootstrap { flag.Usage() os.Exit(1) } + + err := run() if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go new file mode 100644 index 000000000..d145fbb07 --- /dev/null +++ b/tests/cmd/tests.go 
@@ -0,0 +1,111 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "html/template" + "os/exec" + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/paths" +) + +const tmplTest = `#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +{{ $name := .Name -}} +{{ range .Commands }} +# bats test_tags={{ $name }} +@test "{{ $name }}: {{ .Description }}" { + {{ .Cmd }} +} +{{ end }} +` + +var ( + Profiles = getProfiles() // List of profiles in apparmor.d + tmpl = template.Must(template.New("bats").Parse(tmplTest)) +) + +type Tests []Test + +// Filter returns a new list of tests with only the ones that have a profile +func (t Tests) Filter() Tests { + for i := len(t) - 1; i >= 0; i-- { + if !t[i].HasProfile() { + t = slices.Delete(t, i, i+1) + } + } + return t +} + +// Test represents of a list of tests for a given program +type Test struct { + Name string + Commands []Command +} + +// Command is a command line to run as part of a test +type Command struct { + Description string + Cmd string +} + +func NewTest() *Test { + return &Test{ + Name: "", + Commands: []Command{}, + } +} + +// HasProfile returns true if the program in the scenario is profiled in apparmor.d +func (t *Test) HasProfile() bool { + return slices.Contains(Profiles, t.Name) +} + +// IsInstalled returns true if the program in the scenario is installed on the system +func (t *Test) IsInstalled() bool { + if _, err := exec.LookPath(t.Name); err != nil { + return false + } + return true +} + +func (t Test) Write(dir *paths.Path) error { + if !t.HasProfile() { + return nil + } + + path := dir.Join(t.Name + ".bats") + content := renderBatsFile(t) + if err := path.WriteFile([]byte(content)); err != nil { + return err + } + return nil +} + +func 
renderBatsFile(data any) string { + var res strings.Builder + err := tmpl.Execute(&res, data) + if err != nil { + panic(err) + } + return res.String() +} + +func getProfiles() []string { + p := []string{} + files, err := aa.MagicRoot.ReadDir(paths.FilterOutDirectories()) + if err != nil { + panic(err) + } + for _, path := range files { + p = append(p, path.Base()) + } + return p +} diff --git a/tests/integration/tldr.go b/tests/cmd/tldr.go similarity index 52% rename from tests/integration/tldr.go rename to tests/cmd/tldr.go index fb879d15e..d86c80565 100644 --- a/tests/integration/tldr.go +++ b/tests/cmd/tldr.go @@ -2,12 +2,15 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package integration +package main import ( + "archive/tar" + "compress/gzip" "fmt" "io" "net/http" + "path/filepath" "strings" "github.com/roddhjav/apparmor.d/pkg/paths" @@ -51,9 +54,9 @@ func (t Tldr) Download() error { return extratTo(gzPath, t.Dir, pages) } -// Parse the tldr pages and return a list of scenarios -func (t Tldr) Parse() (*TestSuite, error) { - testSuite := NewTestSuite() +// Parse the tldr pages and return a list of tests +func (t Tldr) Parse() (Tests, error) { + tests := make(Tests, 0) files, _ := t.Dir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) for _, path := range files { content, err := path.ReadFile() 
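Review bot: `tmpl` is built with `html/template`, but it renders a bats shell script, so any `.Cmd` or `.Description` containing `<`, `>`, `&`, `'` or `"` is HTML-escaped (`&lt;`, `&#34;`, …) on its way into the `@test` body and the generated test no longer runs the command the tldr page described; `text/template` is the right package here (`"text/template"` in the import block). Even with `text/template`, `{{ .Description }}` lands inside a double-quoted bats string, so a description containing `"` produces an unparsable file; stripping or escaping quotes where `Parse` builds `dsc` would close that. Separately, `Tests.Filter` is documented as returning a new list, but `slices.Delete` shrinks the receiver's backing array in place and clears the tail, so the caller's slice is clobbered; either document the in-place behaviour or build a copy, e.g. `return slices.DeleteFunc(slices.Clone(t), func(x Test) bool { return !x.HasProfile() })`.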
@@ -61,29 +64,77 @@ func (t Tldr) Parse() (*TestSuite, error) { return nil, err } raw := string(content) - t := &Test{ - Name: strings.TrimSuffix(path.Base(), ".md"), - Root: false, - Arguments: map[string]string{}, - Commands: []Command{}, - } - if strings.Contains(raw, "sudo") { - t.Root = true + t := Test{ + Name: strings.TrimSuffix(path.Base(), ".md"), + Commands: []Command{}, } rawTests := strings.Split(raw, "\n-")[1:] for _, test := range rawTests { res := strings.Split(test, "\n") dsc := strings.ReplaceAll(strings.Trim(res[0], " "), ":", "") cmd := strings.Trim(strings.Trim(res[2], "`"), " ") - if t.Root { - cmd = strings.ReplaceAll(cmd, "sudo ", "") - } t.Commands = append(t.Commands, Command{ Description: dsc, Cmd: cmd, }) } - testSuite.Tests = append(testSuite.Tests, *t) + tests = append(tests, t) } - return testSuite, nil + return tests, nil +} + +// Either or not to extract the file +func toExtrat(name string, subfolders []string) bool { + for _, subfolder := range subfolders { + if strings.HasPrefix(name, subfolder) { + return true + } + } + return false +} + +// Extract part of an archive to a destination directory +func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error { + gzIn, err := src.Open() + if err != nil { + return fmt.Errorf("opening %s: %w", src, err) + } + defer gzIn.Close() + + in, err := gzip.NewReader(gzIn) + if err != nil { + return fmt.Errorf("decoding %s: %w", src, err) + } + defer in.Close() + + if err := dst.MkdirAll(); err != nil { + return fmt.Errorf("creating %s: %w", src, err) + } + + tarIn := tar.NewReader(in) + for { + header, err := tarIn.Next() + if err == io.EOF { + break + } + if err != nil { + return err + } + + if header.Typeflag == tar.TypeReg { + if !toExtrat(header.Name, subfolders) { + continue + } + path := dst.Join(filepath.Base(header.Name)) + file, err := path.Create() + if err != nil { + return fmt.Errorf("creating %s: %w", file.Name(), err) + } + if _, err := io.Copy(file, tarIn); err != 
nil { + return fmt.Errorf("extracting %s: %w", file.Name(), err) + } + file.Close() + } + } + return nil } diff --git a/tests/integration/paths.go b/tests/integration/paths.go deleted file mode 100644 index 8d4a1cc9c..000000000 --- a/tests/integration/paths.go +++ /dev/null @@ -1,72 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package integration - -import ( - "archive/tar" - "compress/gzip" - "fmt" - "io" - "path/filepath" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -// Either or not to extract the file -func toExtrat(name string, subfolders []string) bool { - for _, subfolder := range subfolders { - if strings.HasPrefix(name, subfolder) { - return true - } - } - return false -} - -// Extract part of an archive to a destination directory -func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error { - gzIn, err := src.Open() - if err != nil { - return fmt.Errorf("opening %s: %w", src, err) - } - defer gzIn.Close() - - in, err := gzip.NewReader(gzIn) - if err != nil { - return fmt.Errorf("decoding %s: %w", src, err) - } - defer in.Close() - - if err := dst.MkdirAll(); err != nil { - return fmt.Errorf("creating %s: %w", src, err) - } - - tarIn := tar.NewReader(in) - for { - header, err := tarIn.Next() - if err == io.EOF { - break - } - if err != nil { - return err - } - - if header.Typeflag == tar.TypeReg { - if !toExtrat(header.Name, subfolders) { - continue - } - path := dst.Join(filepath.Base(header.Name)) - file, err := path.Create() - if err != nil { - return fmt.Errorf("creating %s: %w", file.Name(), err) - } - if _, err := io.Copy(file, tarIn); err != nil { - return fmt.Errorf("extracting %s: %w", file.Name(), err) - } - file.Close() - } - } - return nil -} diff --git a/tests/integration/scenario.go b/tests/integration/scenario.go deleted file mode 100644 index 53758fb42..000000000 
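Review bot: In `extratTo`, when `path.Create()` fails the error branch calls `file.Name()` on the nil `*os.File`, which panics instead of returning the wrapped error, and when `io.Copy` fails the function returns without closing `file` (the `file.Close()` is only reached on success), so one bad entry leaks a descriptor per archive. The `MkdirAll` error message also names `src` where `dst` is the directory being created. The function is moved verbatim from the deleted tests/integration/paths.go, so these predate the commit, but the move is the natural moment to fix them; the `filepath.Base(header.Name)` join is what keeps archive entries confined to `dst`, so keep that as is.
```go
	if err := dst.MkdirAll(); err != nil {
		return fmt.Errorf("creating %s: %w", dst, err)
	}
	// … unchanged: gzip/tar reader setup and header loop …
			path := dst.Join(filepath.Base(header.Name))
			file, err := path.Create()
			if err != nil {
				return fmt.Errorf("creating %s: %w", path, err)
			}
			_, err = io.Copy(file, tarIn)
			closeErr := file.Close()
			if err != nil {
				return fmt.Errorf("extracting %s: %w", path, err)
			}
			if closeErr != nil {
				return fmt.Errorf("closing %s: %w", path, closeErr)
			}
```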
--- a/tests/integration/scenario.go +++ /dev/null 
@@ -1,141 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -// TODO: -// - Finish templating -// - Provide a large selection of resources: files, disks, http server... for automatic test on them -// - Expand support for interactive program (stdin and Control-D) -// - Properlly log the test result -// - Dbus integration - -package integration - -import ( - "bytes" - "fmt" - "io" - "os/exec" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -var ( - Ignore []string // Do not run some scenarios - Arguments map[string]string // Common arguments used across all scenarios - Profiles paths.PathList // List of profiles in apparmor.d -) - -// Test represents of a list of tests for a given program -type Test struct { - Name string `yaml:"name"` - Root bool `yaml:"root"` // Run the test as user or as root - Dependencies []string `yaml:"require"` // Packages required for the tests to run "$(pacman -Qqo Scenario.Name)" - Arguments map[string]string `yaml:"arguments"` // Arguments to pass to the program, specific to this scenario - Commands []Command `yaml:"tests"` -} - -// Command is a command line to run as part of a test -type Command struct { - Description string `yaml:"dsc"` - Cmd string `yaml:"cmd"` - Stdin []string `yaml:"stdin"` -} - -func NewTest() *Test { - return &Test{ - Name: "", - Root: false, - Dependencies: []string{}, - Arguments: map[string]string{}, - Commands: []Command{}, - } -} - -// HasProfile returns true if the program in the scenario is profiled in apparmor.d -func (t *Test) HasProfile() bool { - for _, path := range Profiles { - if t.Name == path.Base() { - return true - } - } - return false -} - -// IsInstalled returns true if the program in the scenario is installed on the system -func (t *Test) IsInstalled() bool { - if _, err := exec.LookPath(t.Name); err != nil { - return false - } - return true 
-} - -func (t *Test) resolve(in string) string { - res := in - for key, value := range t.Arguments { - res = strings.ReplaceAll(res, "{{ "+key+" }}", value) - } - return res -} - -// mergeArguments merge the arguments of the scenario with the global arguments -// Test arguments have priority over global arguments -func (t *Test) mergeArguments(args map[string]string) { - if len(t.Arguments) == 0 { - t.Arguments = map[string]string{} - } - for key, value := range args { - t.Arguments[key] = value - } -} - -// Run the scenarios tests -func (t *Test) Run(dryRun bool) (ran int, nb int, err error) { - nb = 0 - if t.HasProfile() && t.IsInstalled() { - logging.Step("%s", t.Name) - t.mergeArguments(Arguments) - for _, test := range t.Commands { - cmd := t.resolve(test.Cmd) - if !strings.Contains(cmd, "{{") { - nb++ - if dryRun { - logging.Bullet(cmd) - } else { - cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n")) - if cmdErr != nil { - logging.Error("%v", cmdErr) - } else { - logging.Success(cmd) - } - } - } - } - return 1, nb, err - } - return 0, nb, err -} - -func (t *Test) run(cmdline string, in string) error { - var testErr bytes.Buffer - - // Running the command in a shell ensure it does not run confined under the sudo profile. - // The shell is run unconfined and therefore the cmdline can be confined without no-new-privs issue. - sufix := " &" // TODO: we need a goroutine here - cmd := exec.Command("sh", "-c", cmdline+sufix) - if t.Root { - cmd = exec.Command("sudo", "sh", "-c", cmdline+sufix) - } - - stderr := io.MultiWriter(Stderr, &testErr) - cmd.Stdin = strings.NewReader(in) - cmd.Stdout = Stdout - cmd.Stderr = stderr - err := cmd.Run() - if testErr.Len() > 0 { - return fmt.Errorf("%s", testErr.String()) - } - return err -} diff --git a/tests/integration/suite.go b/tests/integration/suite.go deleted file mode 100644 index abb08cfdf..000000000 --- a/tests/integration/suite.go +++ /dev/null 
@@ -1,114 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package integration - -import ( - "os" - - "github.com/roddhjav/apparmor.d/pkg/logs" - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" - "gopkg.in/yaml.v3" -) - -var ( - // Integration tests standard output - Stdout *os.File - - // Integration tests standard error output - Stderr *os.File - - stdoutPath = paths.New("tests/out.log") - stderrPath = paths.New("tests/err.log") -) - -// TestSuite is the apparmod.d integration tests to run -type TestSuite struct { - Tests []Test // List of tests to run - Ignore []string // Do not run some tests - Arguments map[string]string // Common arguments used across all tests -} - -// NewScenarios returns a new list of scenarios -func NewTestSuite() *TestSuite { - var err error - Stdout, err = stdoutPath.Create() - if err != nil { - panic(err) - } - Stderr, err = stderrPath.Create() - if err != nil { - panic(err) - } - return &TestSuite{ - Tests: []Test{}, - Ignore: []string{}, - Arguments: map[string]string{}, - } -} - -// Write export the list of scenarios to a file -func (t *TestSuite) Write(path *paths.Path) error { - jsonString, err := yaml.Marshal(&t.Tests) - if err != nil { - return err - } - - path = path.Clean() - file, err := path.Create() - if err != nil { - return err - } - defer file.Close() - - // Cleanup a bit - res := string(jsonString) - regClean := util.ToRegexRepl([]string{ - "- name:", "\n- name:", - `(?m)^.*stdin: \[\].*$`, ``, - `{{`, `{{ `, - `}}`, ` }}`, - }) - res = regClean.Replace(res) - _, err = file.WriteString("---\n" + res) - return err -} - -// ReadTests import the tests from a file -func (t *TestSuite) ReadTests(path *paths.Path) error { - content, _ := path.ReadFile() - return yaml.Unmarshal(content, &t.Tests) -} - -// ReadSettings import the common argument and ignore list from a file -func (t *TestSuite) 
ReadSettings(path *paths.Path) error { - type temp struct { - Arguments map[string]string `yaml:"arguments"` - Ignore []string `yaml:"ignore"` - } - tmp := temp{} - content, _ := path.ReadFile() - if err := yaml.Unmarshal(content, &tmp); err != nil { - return err - } - t.Arguments = tmp.Arguments - t.Ignore = tmp.Ignore - return nil -} - -// Results returns a sum up of the apparmor logs raised by the scenarios -func (t *TestSuite) Results() string { - file, _ := logs.GetAuditLogs(logs.LogFiles[0]) - aaLogs := logs.NewApparmorLogs(file, "") - return aaLogs.String() -} - -func (t *TestSuite) GetDependencies() []string { - res := []string{} - for _, test := range t.Tests { - res = append(res, test.Dependencies...) - } - return res -} diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl index c445b632a..41a2627d5 100644 --- a/tests/packer/archlinux.pkr.hcl +++ b/tests/packer/archlinux.pkr.hcl 
@@ -2,43 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -source "qemu" "archlinux-server" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = "10G" - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "archlinux-gnome" { +source "qemu" "archlinux" { disk_image = true iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" 
@@ -57,54 +21,18 @@ source "qemu" "archlinux-gnome" { disk_detect_zeroes = "unmap" disk_discard = "unmap" output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "archlinux-kde" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" + hostname = "${var.prefix}${source.name}-${var.flavor}" } ) } diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index c37e768ac..1c16a6b84 100644 
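Review bot: `var.flavor` is now spliced into `vm_name`, the `templatefile` path and `hostname`, but no hunk in view declares it; if its declaration (presumably in a variables file) has no `validation` block, a typo only surfaces as a missing `init/archlinux-<flavor>.user-data.yml` at build time, so a `validation { condition = contains([...], var.flavor) }` listing the flavors that actually have a user-data file would fail fast. The hostname built from `${var.prefix}${source.name}-${var.flavor}` is handed to cloud-init's `hostname:` key, so the flavor value must stay a valid hostname label (no underscores or spaces). The same pattern is applied in the debian.pkr.hcl and opensuse.pkr.hcl hunks below.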
--- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -4,18 +4,12 @@ build { sources = [ - "source.qemu.archlinux-gnome", - "source.qemu.archlinux-kde", - "source.qemu.archlinux-server", - "source.qemu.debian-gnome", - "source.qemu.debian-kde", - "source.qemu.debian-server", - "source.qemu.opensuse-gnome", - "source.qemu.opensuse-kde", - "source.qemu.ubuntu-desktop", - "source.qemu.ubuntu-desktop24", - "source.qemu.ubuntu-server", - "source.qemu.ubuntu-server24", + "source.qemu.archlinux", + "source.qemu.debian", + "source.qemu.fedora", + "source.qemu.opensuse", + "source.qemu.ubuntu22", + "source.qemu.ubuntu24", ] # Upload local files @@ -25,26 +19,27 @@ build { } provisioner "file" { - only = ["qemu.archlinux-gnome", "qemu.archlinux-kde", "qemu.archlinux-server"] + only = ["qemu.archlinux"] destination = "/tmp/src/" - sources = ["${path.cwd}/../apparmor.d-${var.version}-1-x86_64.pkg.tar.zst"] + sources = [ + "${path.cwd}/../.pkg/apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", + ] } provisioner "file" { - only = ["qemu.opensuse-*"] + only = ["qemu.opensuse"] destination = "/tmp/src/" - sources = ["${path.cwd}/../apparmor.d-${var.version}-1.x86_64.rpm"] + sources = ["${path.cwd}/../.pkg/apparmor.d-${var.version}-1.x86_64.rpm"] } provisioner "file" { - only = ["qemu.debian-server", "qemu.debian-gnome", "qemu.debian-kde", "qemu.ubuntu-server", "qemu.ubuntu-server24", "qemu.ubuntu-desktop", "qemu.ubuntu-desktop24"] + only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"] destination = "/tmp/src/" - sources = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"] + sources = ["${path.cwd}/../.pkg/apparmor.d_${var.version}-1_amd64.deb"] } # Wait for cloud-init to finish provisioner "shell" { - except = ["qemu.opensuse-*"] execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" inline = [ "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", 
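Review bot: `source.qemu.fedora` is added to `sources`, but the three `file` provisioners in this hunk only upload a package for `qemu.archlinux`, `qemu.opensuse` and the debian/ubuntu sources, so unless a fedora provisioner exists outside the hunk the Fedora image is built with an empty `/tmp/src/` and `init.sh`'s `case "$DISTRIBUTION"` (which has no fedora branch in its hunk either) installs nothing. Dropping `except = ["qemu.opensuse-*"]` from the cloud-init wait also means the openSUSE build now blocks until `/var/lib/cloud/instance/boot-finished` exists, which is only fine if the new `base-tumbleweed-gnome` image ships with cloud-init enabled; the comment that documented this was removed in the opensuse.pkr.hcl hunk. The enclosing `build` block starts and ends outside the hunk.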
@@ -65,12 +60,12 @@ build { } post-processor "vagrant" { - output = "${var.base_dir}/packer_${var.prefix}${source.name}.box" + output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" } post-processor "shell-local" { inline = [ - "vagrant box add --force --name ${var.prefix}${source.name} ${var.base_dir}/packer_${var.prefix}${source.name}.box" + "vagrant box add --force --name ${var.prefix}${source.name}-${var.flavor} ${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" ] } diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl index 38f33116f..7fd176b6e 100644 --- a/tests/packer/debian.pkr.hcl +++ b/tests/packer/debian.pkr.hcl @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -source "qemu" "debian-server" { +source "qemu" "debian" { disk_image = true iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" cpu_model = "host" - cpus = 4 - memory = 2048 + cpus = 6 + memory = 4096 disk_size = var.disk_size accelerator = "kvm" headless = true 
@@ -20,89 +20,15 @@ source "qemu" "debian-server" { disk_compression = true disk_detect_zeroes = "unmap" disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" firmware = var.firmware shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "debian-gnome" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "debian-kde" { - disk_image = true - iso_url = 
"https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/init/archlinux-cosmic.user-data.yml b/tests/packer/init/archlinux-cosmic.user-data.yml new file mode 100644 index 000000000..442c32470 --- /dev/null +++ b/tests/packer/init/archlinux-cosmic.user-data.yml 
@@ -0,0 +1,90 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - audit + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - cosmic + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable cosmic-greeter + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml index 855bc58ea..c65dfc4dd 100644 
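Review bot: The templated scalars `${hostname}`, `${password}` and `${ssh_key}` are unquoted; `templatefile` substitutes text before cloud-init parses the YAML, so a password such as `1234`, `no` or `0777` is retyped to an int/bool and `plain_text_passwd` receives the wrong value — `plain_text_passwd: "${password}"` (and likewise for `hostname:` and the `ssh_authorized_keys` item) avoids that. The virtiofs fstab entry hardcodes `/home/user/Projects/apparmor.d` while the account is `${username}`; `/home/${username}/Projects/apparmor.d` keeps the two in step. The `ssh_pwauth: true` / `lock_passwd: false` / `NOPASSWD:ALL` trio matches the existing archlinux user-data files; a one-line comment stating these are disposable local test images would document the intent for the next reader. The unquoted template values recur in the archlinux-xfce and opensuse-gnome files added below.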
--- a/tests/packer/init/archlinux-gnome.user-data.yml
+++ b/tests/packer/init/archlinux-gnome.user-data.yml
@@ -77,7 +77,7 @@ write_files:
   - path: /etc/default/grub
     append: true
     content: |
-      GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
+      GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1"
 
   # Set some bash aliases
   - path: /etc/skel/.bashrc
diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml
index a85ca16d4..97e8ffa7b 100644
--- a/tests/packer/init/archlinux-kde.user-data.yml
+++ b/tests/packer/init/archlinux-kde.user-data.yml
@@ -79,7 +79,7 @@ write_files:
   - path: /etc/default/grub
     append: true
     content: |
-      GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
+      GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1"
 
   # Set some bash aliases
   - path: /etc/skel/.bashrc
diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/packer/init/archlinux-server.user-data.yml
index 034cd22d6..93fd254a5 100644
--- a/tests/packer/init/archlinux-server.user-data.yml
+++ b/tests/packer/init/archlinux-server.user-data.yml
@@ -56,7 +56,7 @@ write_files:
   - path: /etc/default/grub
     append: true
     content: |
-      GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
+      GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1"
 
   # Set some bash aliases
   - path: /etc/skel/.bashrc
diff --git a/tests/packer/init/archlinux-xfce.user-data.yml b/tests/packer/init/archlinux-xfce.user-data.yml
new file mode 100644
index 000000000..1cc18f556
--- /dev/null
+++ b/tests/packer/init/archlinux-xfce.user-data.yml
@@ -0,0 +1,92 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - xfce4 + - xfce4-goodies + - lightdm + - lightdm-gtk-greeter + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable lightdm.service + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/init.sh b/tests/packer/init/init.sh index 6a80b1993..df300c0c4 100644 --- a/tests/packer/init/init.sh 
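Review bot: `runcmd` enables `auditd`, but `audit` is missing from `packages` (the cosmic file lists it), so on a fresh Arch cloud image `systemctl enable auditd` fails with a unit-not-found error; add `- audit` under the core packages. The grub line here also lacks the `apparmor.debug=1` that this commit adds to every other archlinux user-data file, which looks like an oversight rather than an intended difference. `avahi-daemon` is enabled without `avahi` in the package list in both new files; it may arrive as a dependency of `cups`, but listing it explicitly would stop the step depending on dependency resolution.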
+++ b/tests/packer/init/init.sh @@ -24,8 +24,13 @@ main() { install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean cat $SRC/parser.conf >>/etc/apparmor/parser.conf chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" + case "$DISTRIBUTION" in - arch) pacman --noconfirm -U $SRC/*.pkg.tar.zst ;; + arch) + pacman --noconfirm -U $SRC/*.pkg.tar.zst + systemctl start apparmor.service + ;; + debian | ubuntu) apt-get update -y apt-get install -y apparmor-profiles build-essential config-package-dev \ @@ -34,8 +39,9 @@ main() { ;; opensuse*) + mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" zypper install -y bash-completion git go htop make rsync vim - sudo rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm ;; esac diff --git a/tests/packer/init/opensuse-gnome.user-data.yml b/tests/packer/init/opensuse-gnome.user-data.yml new file mode 100644 index 000000000..b54bb458e --- /dev/null +++ b/tests/packer/init/opensuse-gnome.user-data.yml @@ -0,0 +1,43 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - bash-completion + - distribution-release + - git + - golang-packaging + - htop + - make + - rpmbuild + - vim + +write_files: + # Set some bash aliases + - path: /home/${username}/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/packer/init/opensuse-kde.user-data.yml index 6c1c7cfff..b54bb458e 100644 --- a/tests/packer/init/opensuse-kde.user-data.yml 
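Review bot: `mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias"` assumes the file exists; if `.bash_aliases` is uploaded by a provisioner outside this hunk that holds, but should the script run under `set -e` a missing file aborts the whole `opensuse*` branch before `zypper` and `rpm -i` run, so `[[ -f "/home/$SUDO_USER/.bash_aliases" ]] && mv ...` keeps the step idempotent. After the move, the `[[ -f ~/.bash_aliases ]] && source ~/.bash_aliases` line that the opensuse user-data files append to `.bashrc` never fires (presumably openSUSE's stock `.bashrc` sources `~/.alias`, which is why the file is renamed), so that append is dead for openSUSE. Dropping `sudo` from `rpm -i` is right, since the script already runs as root via sudo (it reads `$SUDO_USER`). main() continues outside the hunk.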
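Review bot: `write_files` targets `/home/${username}/.bashrc`, but cloud-init's `write_files` module runs in the init stage before `users-groups` creates the account, so the file is written into a root-owned `/home/${username}` created for it; `useradd -m` then refuses to copy `/etc/skel` into the pre-existing directory and the stock `.bashrc` (presumably the one that sources `~/.alias`) never lands. Either write to `/etc/skel/.bashrc` as the Arch files do, or add `defer: true` to the entry so it is written after user creation. This new file is byte-identical to the modified opensuse-kde one (both blobs are `b54bb458e`), so `${source.name}-${var.flavor}` only selects a different name; a comment noting the two must stay in sync, or a symlink, would prevent drift.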
+++ b/tests/packer/init/opensuse-kde.user-data.yml
@@ -19,12 +19,14 @@ package_update: true
 package_upgrade: true
 package_reboot_if_required: false
 packages:
+  - apparmor-profiles
   - bash-completion
+  - distribution-release
   - git
-  - go
+  - golang-packaging
   - htop
   - make
-  - rsync
+  - rpmbuild
   - vim
 
 write_files:
diff --git a/tests/packer/init/ubuntu-desktop.user-data.yml b/tests/packer/init/ubuntu22-desktop.user-data.yml
similarity index 100%
rename from tests/packer/init/ubuntu-desktop.user-data.yml
rename to tests/packer/init/ubuntu22-desktop.user-data.yml
diff --git a/tests/packer/init/ubuntu-desktop24.user-data.yml b/tests/packer/init/ubuntu24-desktop.user-data.yml
similarity index 76%
rename from tests/packer/init/ubuntu-desktop24.user-data.yml
rename to tests/packer/init/ubuntu24-desktop.user-data.yml
index 30a82279a..3c3807e29 100644
--- a/tests/packer/init/ubuntu-desktop24.user-data.yml
+++ b/tests/packer/init/ubuntu24-desktop.user-data.yml
@@ -2,6 +2,8 @@
 
 # Based on https://github.com/canonical/autoinstall-desktop
 
+# https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md
+
 hostname: ${hostname}
 locale: en_IE
 keyboard:
@@ -22,7 +24,7 @@ package_upgrade: true
 package_reboot_if_required: false
 packages:
   - ubuntu-desktop
-  - linux-generic-hwe-22.04
+  - linux-generic-hwe-24.04
   - qemu-guest-agent
   - spice-vdagent
   - terminator
@@ -49,14 +51,14 @@ runcmd:
 # Remove other packages present by default in Ubuntu Server but not
 # normally present in Ubuntu Desktop.
- - >-
- apt-get -y purge
- ubuntu-server ubuntu-server-minimal netplan.io cloud-init
- binutils byobu curl dmeventd finalrd gawk
- kpartx mdadm ncurses-term needrestart open-iscsi
- sg3-utils ssh-import-id sssd thin-provisioning-tools tmux
- sosreport screen open-vm-tools motd-news-config lxd-agent-loader
- landscape-common fonts-ubuntu-console ethtool
+ # - >-
+ # apt-get -y purge
+ # ubuntu-server ubuntu-server-minimal netplan.io cloud-init
+ # binutils byobu curl dmeventd finalrd gawk
+ # kpartx mdadm ncurses-term needrestart open-iscsi
+ # sg3-utils ssh-import-id sssd thin-provisioning-tools tmux
+ # sosreport screen open-vm-tools motd-news-config lxd-agent-loader
+ # landscape-common fonts-ubuntu-console ethtool
 # Finally, remove things only installed as dependencies of other things
 # we have already removed.
diff --git a/tests/packer/init/ubuntu-server.user-data.yml b/tests/packer/init/ubuntu24-server.user-data.yml
similarity index 100%
rename from tests/packer/init/ubuntu-server.user-data.yml
rename to tests/packer/init/ubuntu24-server.user-data.yml
diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl
index de9bafacb..49ba09f70 100644
--- a/tests/packer/opensuse.pkr.hcl
+++ b/tests/packer/opensuse.pkr.hcl
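Review bot: The `apt-get -y purge` step is left in place as a commented-out block with no reason given, and the two comments framing it (`# Remove other packages present by default in Ubuntu Server …` and `# Finally, remove things only installed as dependencies of other things we have already removed.`) now describe a step that no longer runs. Either delete the block or replace it with a comment such as `# Purge disabled on 24.04: <reason placeholder>` so the next reader knows whether this is a workaround or a policy change. Because the purge is skipped, the built desktop image keeps the server-only daemons and tools in that list (for example `sssd`, `open-iscsi`, `ssh-import-id`); if that is unintended it widens what runs in the test VM.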
@@ -3,16 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only
 # TODO: Fully automate the creation of the base image
-# To save some dev time, 'base_opensuse_kde' is manually created from the opensuse iso with:
-# - KDE
-# - username/password defined in the variables
-# - cloud-init installed and enabled
-source "qemu" "opensuse-kde" {
+source "qemu" "opensuse" {
 disk_image = true
- iso_url = "${var.iso_dir}/base_opensuse_kde.qcow2"
- iso_checksum = "sha256:62a174725bdf26981d15969e53461b89359f7763450cbfd3e258d4035731279b"
- iso_target_path = "${var.iso_dir}/base_opensuse_kde.qcow2"
+ iso_url = "${var.base_dir}/base-tumbleweed-gnome.qcow2"
+ iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4"
+ iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2"
+ cpu_model = "host"
 cpus = 6
 memory = 4096
 disk_size = var.disk_size
@@ -25,15 +22,15 @@ source "qemu" "opensuse-kde" {
 disk_compression = true
 disk_detect_zeroes = "unmap"
 disk_discard = "unmap"
- output_directory = "${var.iso_dir}/packer/"
- vm_name = "${var.prefix}${source.name}.qcow2"
+ output_directory = var.output
+ vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
 boot_wait = "10s"
 firmware = var.firmware
 shutdown_command = "echo ${var.password} | sudo shutdown -hP now"
 cd_label = "cidata"
 cd_content = {
 "meta-data" = ""
- "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml",
+ "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml",
 {
 username = "${var.username}"
 password = "${var.password}"
diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update
index 747d0101b..9a326305d 100644
--- a/tests/packer/src/aa-update
+++ b/tests/packer/src/aa-update
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -eu
-export BUILDDIR=/tmp/build/ PKGDEST=/tmp/pkg
+export BUILDDIR=/tmp/build/
 # shellcheck source=/dev/null
 _lsb_release() {
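Review bot: The removed comment was the only description of how the manually built base image is produced (desktop flavour, which username/password, cloud-init installed and enabled), and the hunk replaces it with a new pinned `iso_checksum` for `base-tumbleweed-gnome.qcow2` that nobody else can regenerate; the `# TODO: Fully automate the creation of the base image` line survives but now has no recipe to automate. Keep a short comment above `source "qemu" "opensuse"` listing the steps the base image must go through before its sha256 is recorded here, and say how to update the checksum when the base image is rebuilt. Pinning a literal sha256 for the local file is the right choice; it just needs to stay reproducible.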
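Review bot: `vm_name` and the `templatefile` path now depend on `var.flavor`, but none of the `variables.pkr.hcl` hunks in this diff declares `variable "flavor"`, and the same reference appears in the `ubuntu22` and `ubuntu24` sources of `ubuntu.pkr.hcl`; if it is declared elsewhere this is fine, otherwise every build fails at validation. The output location also moves from `${var.iso_dir}/packer/` to `var.output`, aligning with the ubuntu sources, which is worth a word in the commit message since existing callers may look for images in the old place. A one-line comment on `var.flavor`'s allowed values (each must match an existing `<source.name>-<flavor>.user-data.yml`) would make the templating contract visible where it is consumed.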
@@ -20,6 +20,8 @@ debian | ubuntu | whonix)
 make dpkg
 sudo rm -rf debian/.debhelper/
 ;;
-opensuse*) make rpm ;;
+opensuse*)
+ make rpm
+ ;;
 *) ;;
 esac
diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl
index 344a8bf43..052b460da 100644
--- a/tests/packer/ubuntu.pkr.hcl
+++ b/tests/packer/ubuntu.pkr.hcl
@@ -2,14 +2,14 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-source "qemu" "ubuntu-server" {
+source "qemu" "ubuntu22" {
 disk_image = true
- iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img"
- iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS"
- iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img"
+ iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img"
+ iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS"
+ iso_target_path = "${var.iso_dir}/ubuntu22-cloudimg-amd64.img"
 cpu_model = "host"
- cpus = 4
- memory = 2048
+ cpus = 6
+ memory = 4096
 disk_size = var.disk_size
 accelerator = "kvm"
 headless = true
@@ -20,15 +20,15 @@ source "qemu" "ubuntu-server" {
 disk_compression = true
 disk_detect_zeroes = "unmap"
 disk_discard = "unmap"
- output_directory = "${var.output}/"
- vm_name = "${var.prefix}${source.name}.qcow2"
+ output_directory = var.output
+ vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
 boot_wait = "10s"
 firmware = var.firmware
 shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now"
 cd_label = "cidata"
 cd_content = {
 "meta-data" = ""
- "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml",
+ "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml",
 {
 username = "${var.username}"
 password = "${var.password}"
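Review bot: `iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS"` fetches the checksum from the same origin and channel as the image, so it only detects transfer corruption, not a substituted image; the `ubuntu24` source in the next hunk uses the same pattern. The `opensuse` source pins a literal sha256, which is the stronger form; for the cloud images, either pin the sha256 of the specific `current` build and bump it deliberately, or verify the signed `SHA256SUMS.gpg` out of band before running packer. Since these images become the VMs in which the policy is tested, a comment above `iso_checksum` recording that trade-off is worthwhile even if the decision is to keep `file:`.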
@@ -39,14 +39,14 @@ source "qemu" "ubuntu-server" {
 }
 }
-source "qemu" "ubuntu-server24" {
+source "qemu" "ubuntu24" {
 disk_image = true
 iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img"
 iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS"
- iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img"
+ iso_target_path = "${var.iso_dir}/ubuntu24-cloudimg-amd64.img"
 cpu_model = "host"
- cpus = 4
- memory = 2048
+ cpus = 6
+ memory = 4096
 disk_size = var.disk_size
 accelerator = "kvm"
 headless = true
@@ -57,89 +57,15 @@ source "qemu" "ubuntu-server24" { disk_compression = true disk_detect_zeroes = "unmap" disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" firmware = var.firmware shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/ubuntu-server.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu-desktop" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "10000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu-desktop24" { - disk_image = true - iso_url = 
"https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = false - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "10000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 5a1cc17e8..a37c89bf0 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -22,12 +22,6 @@ variable "ssh_publickey" { default = "~/.ssh/id_ed25519.pub" } -variable "ssh_privatekey" { - description = "Path to the ssh private key" - type = string - default = "~/.ssh/id_ed25519" -} - variable "disk_size" { description = "Disk size of the VM to build" type = string @@ -49,7 +43,7 @@ variable "base_dir" { variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2-ovmf/x64/OVMF_CODE.fd" + default = "/usr/share/edk2/x64/OVMF_CODE.fd" } variable "output" { 
@@ -83,7 +77,7 @@ variable "release" {
 version = string
 }))
 default = {
- "ubuntu" : {
+ "ubuntu22" : {
 codename = "jammy",
 version = "22.04.2",
 },
@@ -99,5 +93,9 @@ variable "release" {
 codename = "tumbleweed",
 version = "",
 }
+ "fedora" : {
+ codename = "40",
+ version = "1.14",
+ }
 }
 }
diff --git a/tests/testdata/logs/audit.log b/tests/testdata/logs/audit.log
index 0680d2a7a..11b8770d2 100644
--- a/tests/testdata/logs/audit.log
+++ b/tests/testdata/logs/audit.log
@@ -53,4 +53,6 @@ profile="sddm-greeter" operation="setsockopt" class="net" comm="sddm-greeter" f
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" profile="xorg" pid=16195 comm="Xorg.bin" capability=17 capname="sys_rawio"
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" class="file" profile="pacman//null-/usr/share/code-features/patch.py" name="/etc/ld.so.preload" pid=18817 comm="patch.py" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace"
+apparmor="ALLOWED" operation="open" class="file" profile="signal-desktop" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" comm="signal-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="user" OUID="root"
+apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz" comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="user" OUID="user"
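Review bot: The new `"fedora"` entry in `release` is not referenced by any source in this diff (the ubuntu sources read `ubuntu22` and `ubuntu24`, and the opensuse source visible here does not read `release` at all), so either a fedora `.pkr.hcl` is expected in a follow-up or this is dead configuration; a comment saying which would help. The entry also uses the fields differently from the others — `codename = "40"` and `version = "1.14"` look like Fedora's release number and compose tag rather than a codename and version — so a comment on the `release` variable stating what each field means per distribution would avoid surprises when the values are interpolated into download URLs.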